> > Hello All,
>> About 24 Hours ago I received an e-mail from "EBay Billing" with
>> the subject of "EBay Billing Error". However, I have not conducted any
> > transactions in months, so I became suspicious. The text of the e-mail

Interesting. This one hit us this weekend. It was notable in part because it looked like a text message, which makes the link in it less suspicious. Unfortunately for them, the site they hosted on set a cookie, so if you had cookie alerts turned on the IP address looked suspicious, and of course the URL in the header was bad.

The page itself was a copy of the ebay login page, and submitting your info would redirect you to the real ebay login page after grabbing the password information.

I informed the hosting provider and they shut it down, but it was up for more than 24 hours. I also sent mail to abuseat_private. I *hope* they have a way of mapping the referrer fields to the logins and can thus easily notify anyone who came into their site through the fake one, but I haven't heard back.

>Return-Path: <serviceat_private>
>Received: from [202.134.170.3] (HELO paypal.com)
>  by somewhere.com (CommuniGate Pro SMTP 3.5.7)
>  with SMTP id 1849304 for nazgulat_private; Sun, 08 Dec 2002
>03:21:05 -0500
>From: "PayPal Admin" <serviceat_private>
>To: <nazgulat_private>
>Subject: 5 days for account suspension
>Sender: "PayPal Admin" <serviceat_private>
>Mime-Version: 1.0
>Content-Type: multipart/alternative;
>  boundary="= Multipart Boundary 1208021348"
>Date: Sun, 8 Dec 2002 13:48:55 +0530
>Message-ID: <auto-000001849304at_private>
>
><x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><HTML>
><HEAD>
><META NAME="GENERATOR" Content="Microsoft DHTML Editing Control">
><TITLE></TITLE>
></HEAD>
><BODY>
><DIV>Dear PayPal Member<BR><BR>According to the paypal
>policy, you have 5 days left before your account will be suspended due to
>prolonged inactivity.<BR><BR>To avoid this you must login to your account
>atleast once in 2 months.<BR><BR>To avoid suspension of your account please
>click the link below<BR><BR><A
>href="http://207.150.221.95/eaacl-co/paypal/index.asp?user=&id=&cmd_
>login=F000000001&a=ad8258ed60d767d50ef1e822ceff3db5addeaff28ad8998asdc60
>d767d50ef1e822ceff3db5addeaff28ad8998asdc">https://www.paypal.com/cgi-bin/we
>bscr?cmd=_login-run</A>
><BR><BR>If you have checked your paypal in the last 2 months and are still
>recieving this mail, please inform us at
>paypal_infoat_private<BR><BR><BR><BR>
><HR>
>Copyright © 2002 PayPal. All rights reserved.</DIV>
></BODY>
></HTML>
>
></x-html>

-- 
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 09:46:32 PST