BOGUS Ebay email scam warning
email
| self
Posted on 08/20/2003 7:25:41 PM PDT by supercat
I just received the following email. Pay particular attention to the part in red. I do not doubt that the text and visible formatting are copied precisely from a legitimate ebay message, but the highlighted link is almost certainly bogus--probably a data-capturing middleman.
I know this sort of scam is hardly new, but it is circulating again. Beware of it.
TOPICS: Crime/Corruption; Miscellaneous; Your Opinion/Questions
KEYWORDS: ebayscamemailweb; scam
Received: from SMTP32-FWD by mail.[deleted].com
(SMTP32) id A0948CE50; Wed, 20 Aug 2003 20:52:04 -0400
Received: from 168.144.21.148 [213.212.201.140] by mail.[deleted].com
(SMTPD32-8.01) id A7AE1DB0164; Wed, 20 Aug 2003 20:51:58 -0400
Received: from [145.181.24.230] by 168.144.21.148 SMTP id K7m0l26N05Ju9X; Thu, 21 Aug 2003 07:50:54 +0300
Message-ID: <4--b9-5546x--$m-8@smu5vrb.i.h2v>
From: "service@ebay.com" <service@ebay.com>
Reply-To: "service@ebay.com" <service@ebay.com>
To: <ebay@casperkitty.com>
Subject: Update Account Information
Date: Thu, 21 Aug 03 07:50:54 GMT
X-Mailer: Microsoft Outlook, Build 10.0.2616
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="..3E187B50_"
X-Priority: 3
X-MSMail-Priority: Normal
Status: R
X-UIDL: 358547561
--..3E187B50_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<img src=3D"http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102.gif">
<P>Recently we attempted to authorize payment from your credit
card we have on file for you, but it was declined.
<p>For security purposes, our system automatically removes credit card inf=
ormation from an account when there is a problem or the card expir=
es.
<br>Please resubmit the credit card, and provide us with new and complete =
information. To resubmit credit card information via our secure se=
rver, click the following link:
<a href=3D"http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo=
&siteid=3D0co_partnerid=3D2@207.150.192.12/temp/zebaysec/SignIn.php">http:=
//cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a>
<P>This is the quickest and easiest method of getting credit card informat=
ion to us. Using the secure server will ensure that the credit card =
will be placed on account within 24 hours.
<P><I>Copyright 1995-2003 Ebay Inc.
All Rights Reserved. Designated trademarks and brands are the pro=
perty of their respective =20
--..3E187B50_--
1
posted on
08/20/2003 7:25:42 PM PDT
by
supercat
To: supercat
Got a very similar scam from "paypal" and reported it. Got hit last night for a "citibank checking account" that I don't have.
2
posted on
08/20/2003 7:31:26 PM PDT
by
50sDad
("There are FOUR LIGHTS! FOUR LIGHTS!")
To: 50sDad
Paypal is ebay. Ebay bought them over a year ago.
I got this one too from paypal, I had cancelled my paypal account months ago.
To: supercat
In a URL like that, anything before the '@' is ignored. You're going straight to
"207.150.192.12/temp/zebaysec/SignIn.php"
And, as we all know, eBay uses J2EE, not PHP.
To: supercat
If you click on the senders of these spams you can bring up the sender and find out very fast that the mail is not from ebay. I also got the same spam concerning bidpay and paypal. Please file a report with ebay, paypal or whoever the email concerns so they can attempt to catch the people doing this. Also check your accounts often. A buddy of mine fell for this and got a bill from Bank One credit card for $5800. He does not have a Bank One credit card. Could this be terrorist? or Al Gore scam.
5
posted on
08/20/2003 7:35:26 PM PDT
by
dalebert
To: supercat
You're exactly right. This link does not go to Ebay. If you look closely at the part you highlighted in red, you'll see this:
@207.150.192.12
Most people don't know this, but your web browser will ignore anything in a URL address that comes before the @ symbol. This means the whole string in front of the @ symbol in this address link (http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo= &siteid=3D0co_partnerid=3D2) is being ignored. It's there to appear as if the link goes to ebay.com.
In actuality, it's going to the IP address 207.150.192.12, which could be just about any sleazy thief who's set up a server and is trying to steal your credit card number or Ebay login.
Thanks for being vigilant and warning others. The best way to combat this kind of fraud is for people to be instinctively skeptical about emails like this.
6
posted on
08/20/2003 7:38:31 PM PDT
by
tdadams
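The check described in the replies above (everything before the '@' is userinfo, not the host), as an added example that is not part of the original thread. It decodes the quoted-printable anchor copied from the e-mail in the first post and compares the host the link really targets with the host shown in the visible text; the names AnchorCollector and audit_links are made up for this example.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Quoted-printable anchor copied from the e-mail body quoted in the first post.
RAW_LINK = (
    b'<a href=3D"http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo=\n'
    b'&siteid=3D0co_partnerid=3D2@207.150.192.12/temp/zebaysec/SignIn.php">http:=\n'
    b'//cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a>\n'
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(qp_html: bytes):
    """Return one finding per link: real host, userinfo, shown host, verdict."""
    parser = AnchorCollector()
    parser.feed(quopri.decodestring(qp_html).decode("latin-1"))
    findings = []
    for href, text in parser.links:
        real = urlsplit(href)
        # Only treat the visible text as a URL if it looks like one.
        shown = urlsplit(text).hostname if "://" in text else None
        # Everything before the last '@' in the authority is userinfo.
        userinfo = real.netloc.rpartition("@")[0]
        suspicious = bool(userinfo) or (shown is not None and shown != real.hostname)
        findings.append({"real_host": real.hostname, "userinfo": userinfo,
                         "shown_host": shown, "suspicious": suspicious})
    return findings
```

Calling audit_links(RAW_LINK) reports 207.150.192.12 as the real host and cgi3.ebay.com as the host shown to the reader.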
To: 50sDad
Got the same and so did my sister.
BTW...My ZoneAlarm is going crazy tonight with a ping about every 8 seconds, all from random sources. Anybody else noticing this? (maybe I need to lay off the "patriot act" threads... ) ;)
7
posted on
08/20/2003 7:39:28 PM PDT
by
Brian S
To: supercat
8
posted on
08/20/2003 7:40:25 PM PDT
by
tdadams
To: tdadams
I did a back-trace on this address and it is registered to the following:
Address: 207.150.192.12
OrgName: Affinity Internet, Inc
OrgID: AFFI
Address: 101 Continental 4th Floor
City: El Segundo
StateProv: CA
PostalCode: 90245
Country: US
I would suggest sending this to Ebay and have them investigate this company. They should be able to pinpoint who is using this IP address.
9
posted on
08/20/2003 7:46:39 PM PDT
by
rs79bm
(There's a RINO missing from the California zoo, and goes by the first name of ARNOLD.)
To: Brian S
Do you know if ZoneAlarm gives a kind of loud beep if it detects an intrusion attempt? I'm running three firewalls, so I can never tell which one is giving off an alert.
As for tonight, no haven't noticed anything unusual other than a false alarm when I was using FTP.
10
posted on
08/20/2003 7:47:23 PM PDT
by
Ex-Dem
(Sic Semper Tyrannis)
Comment #11 Removed by Moderator
To: Brian S
"My ZoneAlarm is going crazy tonight"
Same here in Florida, but after three years on DSL, it's become fairly routine -- it looks like quite a few of the computers hooked to my ISP are infected with a worm. I ordered a replacement DSL modem last week, and my UPS delivery man told me he's been delivering about 20 a day in my area alone. I wonder how many of those new subscribers are without a firewall, and don't even realize they're infected?
To: Ex-Dem
I know of no audible alert on the free version of zone alarm I'm running. There is a popup window alert you can activate every time it blocks an intrusion though. It gets annoying however.
I keep hearing my hard drive write to disk every few seconds (I do keep the ZA logfile active) which is the reason I noticed all the pings.
13
posted on
08/20/2003 7:58:37 PM PDT
by
Brian S
To: Brian S
Running Zone Alarm Pro and Norton Antivirus on an XP machine. So far so good, no viruses *knock on wood* but getting pinged pretty close to the rate you stated.
14
posted on
08/20/2003 8:02:37 PM PDT
by
Severa
(Wife of Freeper Hostel, USN STS3(SS))
To: 50sDad
There's been a rash of these types of bogus e-mails trying to get people to submit all of their info, everything they need to drain their checking accounts.
I always forward these types of E-mails to my ISP, everyone should do that so maybe they could locate them and help to get them prosecuted.
I wish they'd find these scammers and hang them.
15
posted on
08/20/2003 8:04:16 PM PDT
by
Bullish
(GO TOM GO!!!)
To: browardchad
I just got Zone Alarm about two weeks ago, I've got a cable modem connection, here in VA Beach Navy housing. Talk about timing huh? :)
16
posted on
08/20/2003 8:09:52 PM PDT
by
Severa
(Wife of Freeper Hostel, USN STS3(SS))
To: supercat
I get them all the time and also from paypal, just go to your account and it will show the truth.
19
posted on
08/20/2003 8:09:55 PM PDT
by
fatima
(Jim,Karen,We are so proud of you.Thank you for all you do for our country.4th ID)
To: browardchad
I'm in VA Beach. Navy base housing. Installed Zone Alarm just a few weeks ago. Talk about timing huh? :)
20
posted on
08/20/2003 8:10:52 PM PDT
by
Severa
(Wife of Freeper Hostel, USN STS3(SS))
To: Severa
Ok FR hiccuped on me *L* Sorry
21
posted on
08/20/2003 8:11:12 PM PDT
by
Severa
(Wife of Freeper Hostel, USN STS3(SS))
To: supercat
I'm an eBay dealer with over 4 thousand feedbacks. I get about two of these per week. You should FORWARD (not send) it to:
spoof@ebay.com
They will investigate it and try to shut the bast***s down.
22
posted on
08/20/2003 8:16:18 PM PDT
by
massadvj
To: Severa
Uh, oh, you're repeating.:)
I just checked ZA, and there's been over 500 alerts in the last two hours. My connection was really sluggish today; we had some bad storms here, but I tend to think the worm traffic might be contributing to the slowdown as well.
To: Severa
Yea, this is what my ZoneAlarm is saying.
Rating = Medium, date/time = 2003/08/20 22:26:00, -5:00 GMT, Type = Firewall, Protocol = ICMP (type:8/subtyp:0), Program = Blank, Source IP = All over the place, Destination IP = xxx.xxx.xxx.xxx, Direction = Incoming, Action Taken = Blocked, Count = 1, Source DNS = Blank or something there, Destination DNS = My Computer.
This is an ICMP Echo Request (Ping).
24
posted on
08/20/2003 8:29:54 PM PDT
by
ktw
(kakkate koi)
To: supercat
ping
25
posted on
08/20/2003 8:38:25 PM PDT
by
fightu4it
(conquest by immigration and subversion spells the end of US.)
To: supercat
If I read that link in red correctly it is NOT a secure server at all to begin with.
26
posted on
08/20/2003 8:42:48 PM PDT
by
ICE-FLYER
(God bless and keep the United States of America)
To: supercat
Wow, there are so many viruses, worms, and scams going on right now. We got one on our office computer after opening an email that claimed to be from Office Depot about an order that didn't go through because of an untrusted online orderer. Turns out it was a bug!
27
posted on
08/20/2003 8:50:01 PM PDT
by
ladyinred
(The left have blood on their hands.)
To: supercat
bump
28
posted on
08/20/2003 8:52:45 PM PDT
by
GOPJ
To: supercat
Last month I got an email from ebay telling me my credit card # was close to expiration, which it was. So I WENT to Ebay and clicked on the place to enter credit card info.
A couple of nights ago, I received an email from Ebay stating it needed to verify all my info--called it a security check.
They had the Ebay heading in color, said it was a secure server. They wanted my credit card info., ebay sign in, personal info-name, add. mother's name, etc. AND they wanted my bank account info., which I have never given even to my Paypal account, so I have remained "Unverified."
I zapped it back and said I had recently updated, and did not feel comfortable with sending it in again--that they should have had all this stuff. I just couldn't see the reason for it, and was afraid it was a scam, even though it looked authentic.
I am not very computer literate, but took note of the info you are giving and wrote the #'s down for the real Ebay url, so I can check next time.
Were any of you who received this query told they needed it for a security check?
vaudine
29
posted on
08/20/2003 9:07:39 PM PDT
by
vaudine
To: vaudine
"Last month I got an email from ebay telling me my credit card # was close to expiration, which it was. So I WENT to Ebay and clicked on the place to enter credit card info."
Do you still have that email? It's quite possible you've been scammed.
BTW, even if the site you're logged in seems to 'know' about you, it's possible that the site is using information you're supplying to log into the real ebay, and then sending you back the screens it comes back with.
30
posted on
08/20/2003 9:26:12 PM PDT
by
supercat
(TAG--you're it!)
To: supercat
I think it was okay. I went back and checked the email. It notified me that my credit card ending in ----(last four numbers ) was about to expire. It gave me a link to Paypal, which had my user name, but I had to click to verify, and then they added my saved password******. It was a month ago, and I haven't seen or heard of any activity on that card. However, I will call the card co. tomorrow to double check--have ins. just in case.
I also rechecked the other "security check" and the info they asked for was unbelievable--Ebay and Paypal password, SS #, Bank Acct. #, etc. I'm pretty sure that one was a scam. It just hit a wrong chord with me even though it had the colored Ebay heading on it.
Thanks for the reply.
vaudine
31
posted on
08/20/2003 9:50:07 PM PDT
by
vaudine
To: Brian S
Big Brother is watching you...
To: vaudine
The first one I got had a legitimate link to eBay, but also an email link asking for my screen name and password (which I avoided). A second wanted password, credit card info, and bank account info. I reported it all to eBay and, just to be safe, changed my password.
Personally, I think these scumbags should be killed in very brutal, non-PC ways and their bodies left to be eaten by rodents. Then again, I'm a traditionalist.
33
posted on
08/20/2003 10:07:38 PM PDT
by
Reverend Bob
(Emoticons are for people that can't handle irony.)
To: supercat
I'm no guru, but tracing through this, it appears there are two web pages. On the first you enter your ebay user ID and password.
FWIW, since this is a bogus page it makes no difference what you enter. Then you go to the second page where your credit card info is collected.
The cc info you enter is sent to www.whiz-mail.cc.
Geek tools^ says this URL belongs to:
Registrant:
Pirker, Raphael (CRDNSHZMWD)
Gsoererweg 28
St. Anton am Arlberg, Tirol 6580
AT
Domain Name: WHIZ-MAIL.CC
Administrative Contact, Technical Contact:
Pirker, Raphael (KBFKRCRBXI) raphaelp@nr1webresource.com
Gsoererweg 28
St. Anton am Arlberg, Tirol 6580
AT
+43-5446-3807
Record expires on 12-Feb-2006.
Record created on 12-Feb-2003.
Database last updated on 21-Aug-2003 00:48:20 EDT.
Domain servers in listed order:
NS.HOSTING4U.NET 209.15.2.3
NS2.HOSTING4U.NET 209.15.2.4
I pass this along FWIW.
34
posted on
08/20/2003 10:19:26 PM PDT
by
upchuck
(I will pay big bucks for a tag line good enough to make the next "Taglinus FreeRepublicus" post.)
To: supercat
Since we're on the topic of Ebay scams, there are a lot of bogus auctions lately, and they're tied in to the fraud emails we're talking about (keep reading).
If you're shopping for notebook computers, high-end digital cameras, stereo equipment, or plasma TVs, be on your guard for deals that look too good to be true.
Typically, the auction will contain three big red flags: 1) It will be a 'Buy it Now' auction, 2) the price will be way too low, probably one half or less than retail, 3) the auction will always be designated for "pre-approved buyers".
The reason for limiting it to pre-approved buyers is so that you have to contact the seller for approval. That then allows them to contact you outside the Ebay system. Invariably, they'll want to conclude the deal outside of Ebay if you'll send them the money by wire transfer. This is your next red flag. They'll want you to send it somewhere overseas, typically in Europe. They'll give you some reason why they're in Europe and not where they're registered on Ebay (we're on vacation, business, etc.).
You feel skeptical, but they had hundreds of feedbacks and all were positive, so you think it must check out OK.
So what's the real story? This is a scammer. They've hijacked the account of a user with a good feedback history. How did they do that? By tricking someone with a spoofed email.
Believe me, they don't have the merchandise and won't be sending it if you send them the money. But you'll be out several hundreds (if not thousands) of dollars that are unable to be traced.
If you want to have fun with this and see if you can find one of these, do a search for a very expensive digital camera, say the Canon 1Ds, which retails for $7999.00. When you see one with a Buy it Now price of $2000 or less, you know you've found a scammer. Go ahead and contact them... then watch the scenario I described above play out.
If you really want to have fun with them, tell them you'll meet them in person to pick it up (anywhere in the world, "I'm a commercial pilot"). Then see what excuse they come up with why they won't be able to deliver it in person. It can be fun.
35
posted on
08/21/2003 2:30:51 AM PDT
by
tdadams
To: Brian S
To: supercat
bump
37
posted on
08/21/2003 10:57:47 AM PDT
by
GOPJ