Re: Identity theft scam against eBay users

["Thomas Giudice" <tlgenterprises () hotmail com>]

The last time one of my clients had this happen, when I was finally able to 
contact eBay, they advised me to contact local or Federal law enforcement 
about these types of scams.

Thomas Giudice
TLG Enterprises
Computer Emergency Response Team






> From: Patrick Bryant <pi () pbryant com>
> To: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
> CC: incidents () securityfocus com
> Subject: Re: Identity theft scam against eBay users
> Date: Mon, 10 Feb 2003 17:29:43 -0800
>
> The text in the "hook" email in my incident is slightly different. I'm 
> including it below. Note subtle grammical errors in the text.
>
> I've been trying to advise eBay all day, since it's their name that's being 
> exploited, but all of my calls and emails have fallen into a blackhole.
>
> It now appears that the attackers are playing a shell game with the 
> redirector site. Even though the site that receives the victim's post 
> (bayers.netfirms.com) has been shut down, now the attackers are redirecting
> to at least one different site for receiving the posts.
>
> Here's the text that initiated my team's involvement:
>
> ------------
> Dear eBay User,
> During our regular update and verification of the accounts, we couldn't 
> verify your current information. Either your
> information has changed or it is incomplete.
> Please update and verify your information by signing in your account below 
> :
> If the account information is not updated to current information within 5 
> days then, your access to bid or buy on
> eBay will be restricted.
> go to this link below:
> ------------
>
> Jordan K Wiens wrote:
>
> > A user on our network just reported a very similar situation, however 
> the
> > details differed slightly.
> >
> >         From address: update () ebay com
> >         Mail was not sendmail
> >         Obfuscated link was: 
> http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=%66%77%6f%66%48%5a%70%55%76%46%4a%6c%69%47[OBFUSCATED 
> TO PROTECT THE USER]6%68%4b%51%4b%6b%46%6f%65%42%58%75
> >         Real link: 
> http://ebay.interpool.us/index.htm?sss=fwofHZpUvFiGg[OBFUSCATED TO PROTECT 
> THE USER]hKQKkFoeBXu
> >
> > As of right now the page appears to still be up, can you see if it is
> > similar to the page you were seeing before?  I've archived it if it goes
> > down.
> >
> > Snippet of text from the email:
> > --------------snip-------------
> > Dear valued ebay member XXXXXX :
> > It has come to our attention that your
> > [link to obfuscated url]ebay[/link]
> > Billing information's records are out of date. thats require update your
> > billing information's
> >
> > If you could please take 5-10 minutes out of your online experience and
> > [link again]update[/link]
> > Your billing records you will not run into any future problems with the
> > problems with the online service. However, failure to update your 
> records
> > will result in account termination. Please update your records by 
> tomorrow.
> > --------------snip-------------
> >
> > --
> > Jordan Wiens
> > UF Network Incident Response Team
> > (352)392-2061
> >
> > On Mon, 10 Feb 2003, Patrick Bryant wrote:
> >
> > > The scam is a social engineering hack to obtain personal information
> > > presumably for the purpose of identity theft.
> > >
> > > E-mails are being sent from an address claiming to be 
> 'service () ebay com'
> > > requesting personal information including the recipient/victim's bank
> > > account number and routing number, checking account account name /
> > > number and routing number, eBay user ID / password, PayPal password,
> > > credit card number and associated ATM PIN number, social security
> > > number, driver's license number and state of issue, and mother's 
> maiden
> > > name.
> > >
> > > Hopefully, half-savvy users will recognize this for what it is or at
> > > least object to the disclosure, but it takes some attention to detail 
> to
> > > identify that it is a bogus request originating from outside eBay.
> > >
> > > Here are the technical details:
> > >
> > >   - The claimed origin address is: service () ebay com.
> > >   - The message ID is in sendmail format 
> (YYMMDDHHMMSSprocessID@server)
> > > and ends with the string '@www.websiteseasy.com'.
> > >   - The message TEXT directs the user to the URL:
> > > http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
> > > displayed in the URL masquerades the actual URL to which the
> > > user-supplied data is posted.
> > >   - The ACTUAL URL in the http directs the browser to:
> > > 'http://bayers.crossfade.la/&apos; which then does a 'refresh' redirect to
> > > 'http://bayers.netfirms.com/&apos;.
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com