Identity theft scam against eBay users

From: Patrick Bryant (piat_private)
Date: Mon Feb 10 2003 - 14:50:37 PST

    The scam is a social engineering hack to obtain personal information
    presumably for the purpose of identity theft.
    
    E-mails are being sent from an address claiming to be 'serviceat_private'
    requesting personal information including the recipient/victim's bank
    account number and routing number, checking account account name /
    number and routing number, eBay user ID / password, PayPal password,
    credit card number and associated ATM PIN number, social security
    number, driver's license number and state of issue, and mother's maiden
    name.
    
    Hopefully, half-savvy users will recognize this for what it is or at
    least object to the disclosure, but it takes some attention to detail to
    identify that it is a bogus request originating from outside eBay.
    
    Here are the technical details:
    
      - The claimed origin address is: serviceat_private
      - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
        and ends with the string '@www.websiteseasy.com'.
      - The message TEXT directs the user to the URL:
        http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
        displayed in the URL masquerades the actual URL to which the
        user-supplied data is posted.
      - The ACTUAL URL in the http directs the browser to:
        'http://bayers.crossfade.la/' which then does a 'refresh' redirect to
        'http://bayers.netfirms.com/'.
    
    My team contacted the administrators of netfirms.com (in Canada), and
    they pulled the site down, but many people may have been victimized by
    the scam prior to the site being taken off line.
    
    I have an archive of the original http page (HTML source and a .pdf
    image) before it was taken down, if anyone wants to see it.
    
    --
    
    Patrick D. Bryant
    BRYANT NETWORK SECURITY
    Certified Information Systems Security Professional
    State of California Licensed Investigator # PI23268
    
    415 N. Mary Ave. #112-346
    Sunnyvale, CA 94085
    (408) 245-5451 Office
    (408) 761-1362 Cell
    (408) 715-2559 Fax
    piat_private
    
    Member:
     American Society for Industrial Security
     California Association of Licensed Investigators
     High Technology Crime Investigation Association
     National Association of Investigative Specialists
     Santa Clara County Bar Association
     Society of Motion Picture and Television Engineer
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 15:59:23 PST
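The two indicators listed in the post (a Message-ID host unrelated to the claimed sender, and link text showing one host while the href opens another) can be checked mechanically. The following is an added example, not part of the original post. The sample message is constructed: its From address and Message-ID local part are placeholders, and the names `findings`, `Anchors` and `host` are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: both URLs and the Message-ID suffix are the values quoted
# in the post; the From address and Message-ID local part are placeholders.
SAMPLE = (
    "From: eBay Service <service@ebay.example>\n"
    "Message-ID: <0302101200001234@www.websiteseasy.com>\n"
    "Content-Type: text/html\n\n"
    '<p>Update your account: <a href="http://bayers.crossfade.la/">'
    "http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213</a></p>\n"
)

def host(url):
    return (urlsplit(url.strip()).hostname or "").lower()  # '' if no hostname

class Anchors(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def findings(raw):
    """Return (check, detail) tuples for a raw single-part HTML message."""
    msg, out = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    # Weak signal on its own: relays and bulk senders also stamp their own host.
    if sender and mid and mid != sender and not mid.endswith("." + sender):
        out.append(("message-id-domain", f"{mid} is not under {sender}"))
    parser = Anchors()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown = host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host(href):
            out.append(("link-text-mismatch", f"shows {shown}, opens {host(href)}"))
    return out
```

Calling `findings(SAMPLE)` reports both indicators. The link check only fires when the visible text is itself a URL, which is the masquerade described above.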