Re: Identity theft scam against eBay users

From: Jordan K Wiens (jwiensat_private)
Date: Mon Feb 10 2003 - 16:17:22 PST


    A user on our network just reported a very similar situation; however, the
    details differed slightly.
    
    	From address: updateat_private
    	Mail was not sendmail
    	Obfuscated link was: http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=%66%77%6f%66%48%5a%70%55%76%46%4a%6c%69%47[OBFUSCATED TO PROTECT THE USER]6%68%4b%51%4b%6b%46%6f%65%42%58%75
    	Real link: http://ebay.interpool.us/index.htm?sss=fwofHZpUvFiGg[OBFUSCATED TO PROTECT THE USER]hKQKkFoeBXu
    
    As of right now the page appears to still be up. Can you see if it is
    similar to the page you were seeing before?  I've archived it in case it goes
    down.
    
    Snippet of text from the email:
    --------------snip-------------
    Dear valued ebay member XXXXXX :
    It has come to our attention that your
    [link to obfuscated url]ebay[/link]
    Billing information's records are out of date. thats require update your
    billing information's
    
    If you could please take 5-10 minutes out of your online experience and
    [link again]update[/link]
    Your billing records you will not run into any future problems with the
    problems with the online service. However, failure to update your records
    will result in account termination. Please update your records by tomorrow.
    --------------snip-------------
    
    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061
    
    On Mon, 10 Feb 2003, Patrick Bryant wrote:
    
    > The scam is a social engineering hack to obtain personal information
    > presumably for the purpose of identity theft.
    >
    > E-mails are being sent from an address claiming to be 'serviceat_private'
    > requesting personal information including the recipient/victim's bank
    > account number and routing number, checking account account name /
    > number and routing number, eBay user ID / password, PayPal password,
    > credit card number and associated ATM PIN number, social security
    > number, driver's license number and state of issue, and mother's maiden
    > name.
    >
    > Hopefully, half-savvy users will recognize this for what it is or at
    > least object to the disclosure, but it takes some attention to detail to
    > identify that it is a bogus request originating from outside eBay.
    >
    > Here are the technical details:
    >
    >   - The claimed origin address is: serviceat_private
    >   - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
    > and ends with the string '@www.websiteseasy.com'.
    >   - The message TEXT directs the user to the URL:
    > http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
    > displayed in the URL masquerades the actual URL to which the
    > user-supplied data is posted.
    >   - The ACTUAL URL in the http directs the browser to:
    > 'http://bayers.crossfade.la/' which then does a 'refresh' redirect to
    > 'http://bayers.netfirms.com/'.
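The two lures in this thread disguise the real destination in two ways: a percent-encoded hostname (`%65%62%61%79...` decoding to `ebay.interpool.us`) and an anchor whose visible text is an ebay.com URL while its href points at bayers.crossfade.la. Below is a small triage helper, added here and not part of the list post, that decodes the host and flags both patterns; the BRAND_DOMAINS list and the sample HTML (built from the thread's links, with the query string redacted) are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit
# Assumption: brand domains this organisation treats as sensitive.
BRAND_DOMAINS = ("ebay.com", "paypal.com")

def decode_host(url: str) -> str:
    """Percent-decode the whole URL (the host itself may be %-encoded) and return its host."""
    return (urlsplit(unquote(url)).hostname or "").lower()

def is_brand_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_links(html: str) -> list:
    """One finding per suspicious <a>: a %-encoded host, and/or text naming a brand the href does not resolve to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        if "%" in urlsplit(href).netloc:          # hostname disguised by %-encoding
            reasons.append("encoded-host")
        actual = decode_host(href)
        shown = decode_host(text) if "://" in text else ""   # displayed URL, if any
        names_brand = is_brand_host(shown) or any(
            d.split(".")[0] in text.lower() for d in BRAND_DOMAINS)
        if names_brand and not is_brand_host(actual):  # text says eBay, href does not
            reasons.append("brand-mismatch")
        if reasons:
            findings.append({"href": href, "host": actual, "reasons": reasons})
    return findings

# Constructed sample body: the two lures from this thread (query redacted) plus one benign link.
SAMPLE_HTML = (
    '<a href="http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=REDACTED">ebay</a> '
    '<a href="http://bayers.crossfade.la/">http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213</a> '
    '<a href="https://www.ebay.com/help">eBay help</a>'
)
```

Running `triage_links(SAMPLE_HTML)` reports the first two anchors and leaves the genuine ebay.com link alone.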
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 19:52:46 PST