http://www.newsbytes.com/news/02/173962.html

By Brian McWilliams, Newsbytes
CHICAGO, ILLINOIS, U.S.A., 25 Jan 2002, 12:01 PM CST

A new identity-theft scam has corralled several high-profile Web sites as unwitting co-conspirators, including sites associated with exclamatory sports broadcaster Harry Caray and rock chameleon David Bowie.

The scam, designed to steal credit card information, Social Security numbers and other personal data from unwary Internet users, is built upon Internet resources owned by Bowie and Harry Caray Restaurant Group, a holding company named after the late Chicago-area baseball broadcaster renowned for bellowing "Holy Cow" after great plays.

Also embroiled in the scam is America Online's personal home page service.

The fraud masquerades as an order confirmation from online auctioneer Ebay. A bogus e-mail message sent Jan. 11 to potentially thousands of Internet users informs recipients that they will be charged $460.50 for ordering a Microsoft Xbox video game system.

To cancel the order, recipients of the message, which appears to come from eBayServicesSUPPORTat_private, are instructed to click a hyperlink to visit a Web site and "fill out all the needed information."

The link, http://cancelorder.n2v.net, re-directed users to a site hosted by AOL Hometown that contained a cleverly designed mock-up of an Ebay form, entitled "Ebay Services - Cancel Order."

If users were gullible enough to input their credit card number, Social Security number, bank name, address, phone and other requested information, the data, as well as the user's Internet protocol address, was submitted to an e-mail account at Epimp.com, a free, Web-based e-mail service.

The bogus transaction was completed when victims were redirected to a page at http://www.hcrestaurantgroup.com, which simply bore the message "Your order has been canceled."

To capture the stolen data, the scam site relied on an improperly secured FormMail program at BowieNet, an Internet service launched by the English musician at http://www.davidbowie.co.uk. The script currently enables unauthorized users to send e-mail through servers operated by Global Internet, the British ISP that hosts Bowie's site.

FormMail is a free program used by many legitimate sites to glean data submitted via online forms. Last year, a vulnerability was discovered in the FormMail.pl gateway that allows external users to run the program. As a result, unsecured FormMail installations have become favored targets of junk e-mailers.

Officials at Global and BowieNet did not respond to reports of the vulnerable FormMail script, nor has America Online moved to shut down the fraudulent site.

However, the scam appears to have been at least partially debilitated. The N2V address-redirection service has disabled the link used by the scam due to a violation of its acceptable use policy.

In addition, HC Restaurant Group removed the page at its site borrowed by the fraudsters within hours of learning about it Jan. 11, according to Beth Goldberg, director of marketing for the company.

Recipients of the scam e-mail who notified Ebay received a response from the company's SafeHarbor Investigations Team noting that "several" Internet users had complained about the fraudulent message, which Ebay confirmed did not originate from the company.

"Please remember that Ebay will never ask you for your private information, including credit card information, in an e-mail. Also, Ebay will never send you any request or solicitation from a non-Ebay e-mail account, or provide a link outside of Ebay for entering credit card or other private information," said the message from the online auction firm.

Joe Balazs, Webmaster for the HCrestaurantgroup.com site, said it was not clear how many people had fallen for the scam. Nor was he able to explain why the fraud re-directed victims to the site after they submitted their personal information.

"It's pretty strange. It seems rather silly to send them to a restaurant's site. I would think it would give away that the whole thing was a scam," said Balazs.

A copycat version of the fraud, also using the insecure script at BowieNet, was sent to numerous Internet users on Jan. 19. That version of the scam attempted to re-direct recipients to a different page at http://members.aol.com, the source code of which is encrypted. While the address-redirection service, OnTheWeb.nu, has disabled the link, the AOL-hosted scam site was still functional today.

According to Chris Wysopal, director of research and development for AtStake, a security consulting firm, the incident demonstrates that security on the Internet must be a community effort.

In cyberspace, as in the physical world, "if one person fails to keep their property secure it can become a threat to all nearby," said Wysopal. The same goes for sites on the Internet, "except that on the Internet, everyone is your next door neighbor."