The 'http://bayers.netfirms.com/' site is down but the 'http://bayers.crossfade.la/' address now redirects to: 'http://newupdate.myiris.com/onlino2/ebay/'

----- Original Message -----
From: "Patrick Bryant" <piat_private>
To: <incidentsat_private>
Sent: Monday, February 10, 2003 4:50 PM
Subject: Identity theft scam against eBay users

> The scam is a social engineering hack to obtain personal information
> presumably for the purpose of identity theft.
>
> E-mails are being sent from an address claiming to be 'serviceat_private'
> requesting personal information including the recipient/victim's bank
> account number and routing number, checking account account name /
> number and routing number, eBay user ID / password, PayPal password,
> credit card number and associated ATM PIN number, social security
> number, driver's license number and state of issue, and mother's maiden
> name.
>
> Hopefully, half-savvy users will recognize this for what it is or at
> least object to the disclosure, but it takes some attention to detail to
> identify that it is a bogus request originating from outside eBay.
>
> Here are the technical details:
>
> - The claimed origin address is: serviceat_private
> - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
> and ends with the string '@www.websiteseasy.com'.
> - The message TEXT directs the user to the URL:
> http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
> displayed in the URL masquerades the actual URL to which the
> user-supplied data is posted.
> - The ACTUAL URL in the http directs the browser to:
> 'http://bayers.crossfade.la/' which then does a 'refresh' redirect to
> 'http://bayers.netfirms.com/'.
>
> My team contacted the administrators of netfirms.com (in Canada), and
> they pulled the site down, but many people may have been victimized by
> the scam prior to the site being taken off line.
>
> I have an archive of the original http page (HTML source and a .pdf
> image) before it was taken down, if anyone wants to see it.
>
> --
>
> Patrick D. Bryant
> BRYANT NETWORK SECURITY
> Certified Information Systems Security Professional
> State of California Licensed Investigator # PI23268
>
> 415 N. Mary Ave. #112-346
> Sunnyvale, CA 94085
> (408) 245-5451 Office
> (408) 761-1362 Cell
> (408) 715-2559 Fax
> piat_private
>
> Member:
> American Society for Industrial Security
> California Association of Licensed Investigators
> High Technology Crime Investigation Association
> National Association of Investigative Specialists
> Santa Clara County Bar Association
> Society of Motion Picture and Television Engineer
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
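
The two indicators listed in the quoted report (a Message-ID domain unrelated to the claimed sender, and link text that displays one URL while the href points elsewhere) can be checked mechanically. The following Python sketch is an added example, not part of the original posts; the sample message, its reserved `.example` domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample message; every domain is a reserved placeholder.
SAMPLE = """\
From: service@auction.example
Message-ID: <030210165000.1234@www.hosting.example>
Content-Type: text/html

<a href="http://collector.example/">http://www.auction.example/accounts/</a>
"""

class _Links(HTMLParser):
    """Collect (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start a fresh text buffer for this link
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def _related(a, b):  # same host, or one is a subdomain of the other
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def phishing_indicators(raw):
    msg, found = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if sender and mid and not _related(sender, mid):
        found.append(("message-id-domain", sender, mid))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _Links()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in parser.links:
                # Only compare when the visible text itself looks like a URL.
                shown = _host(text) if text.lower().startswith(("http", "www.")) else ""
                if shown and _host(href) and not _related(shown, _host(href)):
                    found.append(("link-text-mismatch", shown, _host(href)))
    return found
```

The Message-ID check is a heuristic only, since legitimate mail is often sent through third-party servers; the link-text mismatch is the stronger of the two signals.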
This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 19:55:19 PST