[ISN] Holy Cow! Bowie Among Innocents Used In Ebay Scam

From: InfoSec News (isnat_private)
Date: Mon Jan 28 2002 - 00:38:46 PST

  • Next message: InfoSec News: "[ISN] NIST prepping security guides"

    By Brian McWilliams, Newsbytes
    25 Jan 2002, 12:01 PM CST
    A new identity-theft scam has corralled several high-profile Web sites
    as unwitting co-conspirators, including sites associated with
    exclamatory sports broadcaster Harry Caray and rock chameleon David
    The scam, designed to steal credit card information, Social Security
    numbers and other personal data from unwary Internet users, is built
    upon Internet resources owned by Bowie and Harry Caray Restaurant
    Group, a holding company named after the late Chicago-area baseball
    broadcaster renowned for bellowing "Holy Cow" after great plays. Also
    embroiled in the scam is America Online's personal home page service.
    The fraud masquerades as an order confirmation from online auctioneer
    Ebay. A bogus e-mail message sent Jan. 11 to potentially thousands of
    Internet users informs recipients that they will be charged $460.50
    for ordering a Microsoft Xbox video game system.
    To cancel the order, recipients of the message, which appears to come
    from eBayServicesSUPPORTat_private, are instructed to click a hyperlink
    to visit a Web site and "fill out all the needed information."
    The link, http://cancelorder.n2v.net , re-directed users to a site
    hosted by AOL Hometown that contained a cleverly designed mock-up of
    an Ebay form, entitled "Ebay Services - Cancel Order."
    If users were gullible enough to input their credit card number,
    Social Security number, bank name, address, phone and other requested
    information, the data, as well as the user's Internet protocol
    address, was submitted to an e-mail account at Epimp.com, a free,
    Web-based e-mail service.
    The bogus transaction was completed when victims were redirected to a
    page at http://www.hcrestaurantgroup.com , which simply bore the
    message "Your order has been canceled."
    To capture the stolen data, the scam site relied on an improperly
    secured FormMail program at BowieNet, an Internet service launched by
    the English musician at http://www.davidbowie.co.uk . The script
    currently enables unauthorized users to send e-mail through servers
    operated by Global Internet, the British ISP that hosts Bowie's site.
    FormMail is a free program used by many legitimate sites to glean data
    submitted via online forms. Last year, a vulnerability was discovered
    in the FormMail.pl gateway that allows external users to run the
    program. As a result, unsecured FormMail installations have become
    favored targets with junk e-mailers.
    Officials at Global and BowieNet did not respond to reports of the
    vulnerable FormMail script, nor has America Online moved to shut down
    the fraudulent site. However, the scam appears to have been at least
    partially debilitated.
    The N2V address-redirection service has disabled the link used by the
    scam due to a violation of its acceptable use policy. In addition, HC
    Restaurant Group removed the page at its site borrowed by the
    fraudsters within hours of learning about it Jan. 11, according to
    Beth Goldberg, director of marketing for the company.
    Recipients of the scam e-mail who notified EBay received a response
    from the company's SafeHarbor Investigations Team noting that
    "several" Internet users had complained about the fraudulent message,
    which Ebay confirmed did not originate from the company.
    "Please remember that Ebay will never ask you for your private
    information, including credit card information, in an e-mail. Also,
    Ebay will never send you any request or solicitation from a non-Ebay
    e-mail account, or provide a link outside of Ebay for entering credit
    card or other private information," said the message from the online
    auction firm.
    Joe Balazs, Webmaster for the HCrestaurantgroup.com site, said it was
    not clear how many people had fallen for the scam. Nor was he able to
    explain why the fraud re-directed victims to the site after they
    submitted their personal information.
    "It's pretty strange. It seems rather silly to send them to a
    restaurant's site. I would think it would give away that the whole
    thing was a scam," said Balazs.
    A copycat version of the fraud, also using the insecure script at
    BowieNet, was sent to numerous Internet users on Jan. 19. That version
    of the scam attempted to re-direct recipients to a different page at
    http://members.aol.com , the source code of which is encrypted.
    While the address-redirection service, OnTheWeb.nu, has disabled the
    link, the AOL-hosted scam site was still functional today.
    According to Chris Wysopal, director of research and development for
    AtStake, a security consulting firm, the incident demonstrates that
    security on the Internet must be a community effort.
    In cyberspace, as in the physical world, "if one person fails to keep
    their property secure it can become threat to all nearby," said
    Wysopal. The same goes for sites on the Internet, "except that on the
    Internet, everyone is your next door neighbor."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 04:07:53 PST