Our website would like to use cookies to store information on your computer. You may delete and block all cookies from this site, but parts of the site will not work as a result. Find out more about how we use cookies.

Login or Register

Powered by
Powered by Novacaster
 
eBay Email Scam
by Simon at 10:40 12/12/03 (Forum::Technical Advice::General)
Here's a new take on the 'fool you into giving out your account details' scam. This one's related to eBay.

--
Dear eBay member #4785072!

As part of our continuing commitment to
protect your account and to reduce the instance
of fraud on our website, we are undertaking a
period review of our member accounts. You are
requested to visit our site by following the link
given below. This is required for us to continue
to offer you a safe and risk free environment to
send and receive money online, and maintain the
eBay Experience. Thank you.

https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation

Visit our Privacy Policy and User Agreement if you have any questions.

Copyright © 2003 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are trademarks of eBay Inc.
--

Note: if you've got an email client that interprets HTML for you then it'll just look like an email from eBay to you - which is another good reason for disabling 'Show HTML email' in your mail client, or junking Outlook entirely and switching to something else

This is what's actually in the email:

--
Received: from mta04.mx.xxx.xx.xx (localhost [127.0.0.1])
by mta04.mx.xxx.xx.xx (8.11.3/8.11.2_BM26) with ESMTP id hBC02v120079
for <xx@xxxxx.xxxxx.xxx>; Fri, 12 Dec 2003 00:02:57 GMT
Received: from earthling.net (ool-44c62d0d.dyn.optonline.net [68.198.45.13])
by mta04.mx.xxx.xx.xx (8.11.3/8.11.3) with SMTP id hBC02ut20070
for <xx@xxxxx.xxxxx.xxx>; Fri, 12 Dec 2003 00:02:56 GMT
Date: Fri, 12 Dec 2003 00:02:56 GMT
X-Envelope-From: support@ebay.com
Message-Id: <200312120002.hBC02ut20070@mta04.mx.xxx.xx.xx>
To: "xx@xxxxx.xxxxx.xxx" <xx@xxxxx.xxxxx.xxx>
From: eBay <support@ebay.com>
X-Mailer: Microsoft Outlook Express 6
Subject: eBay Account Verification
MIME-Version: 1.0
Content-type: text/html
Content-Transfer-Encoding: 8bit
X-Envelope-To: xx@xxxxx.xxxxx.xxx
X-UIDL: _J6E.zWQ2_.mta04.mx

<x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><html>
<head></head>
<body>
<p align="left">
Dear eBay member #4785072!<br><br>
As part of our continuing commitment to<br>
protect your account and to reduce the instance<br>
of fraud on our website, we are undertaking a<br>
period review of our member accounts. You are<br>
requested to visit our site by following the link<br>
given below. This is required for us to continue<br>
to offer you a safe and risk free environment to<br>
send and receive money online, and maintain the<br>
eBay Experience. Thank you.<br>
<a href="http://ebay.com%69%6E%64%65%78%6C%6F%67
%69%6E%68%74%6D%6C%61%64%73%66%61%73%64%68%6A
%6B%71%77%65%6B%6A%68%61%73%64%61%6C%73%64%61
%6A%6B%73%64%6B%6A%71%70%77%6F%64%61%73%6B%6A
%73%64%68%61%73%64%6B%6A%61%73%64%61%6F%73%64
@%32%30%30%2E%31%36%31%2E%31%35%31%2E%35%34:%38%30">
https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation</a><br><br>
Visit our <a href="http://pages.ebay.com/help/community/png-priv.html">Privacy Policy</a> and <a href="http://pages.ebay.com/help/community/png-user.html">User Agreement</a> if you have any questions.<br>
Copyright © 2003 eBay Inc. All Rights Reserved.<br>
Designated trademarks and brands are the property of their respective owners.<br>
eBay and the eBay logo are trademarks of eBay Inc.<br>
</p>
</body>
</html>

</x-html>
--

All this stuff:

http://ebay.com%69%6E%64%65%78%6C%6F%67
%69%6E%68%74%6D%6C%61%64%73%66%61%73%64%68%6A
%6B%71%77%65%6B%6A%68%61%73%64%61%6C%73%64%61
%6A%6B%73%64%6B%6A%71%70%77%6F%64%61%73%6B%6A
%73%64%68%61%73%64%6B%6A%61%73%64%61%6F%73%64
@%32%30%30%2E%31%36%31%2E%31%35%31%2E%35%34:%38%30

is a way to hide the fact that - if you click the link that appears to be to:
https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation

then in fact you're connecting to:

http://ebay.comindexloginhtmladsfasdhjkqwekjhasdalsdajksdkjqpwodaskjsdhasdkjasdaosd@200.161.151.54:80

Remembering, from previous decodings of URLs like this, that the only thing that counts is the bit after the '@' sign, then you'd be headed off to the webserver on the IP address 200.161.151.54

This IP address is part of a block managed by the LacNic in South America:

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY

and the machine associated with this particular IP address is on the end of an ADSL line in Brazil:

200-161-151-54.dsl.telesp.net.br

--
simon

<< Nationwide / CitiBank / Halifa... Barclays iBank scam email >>
Printer Version