The last time one of my clients had this happen, when I was finally able to contact eBay, they advised me to contact local or Federal law enforcement about these types of scams.

Thomas Giudice
TLG Enterprises
Computer Emergency Response Team

>From: Patrick Bryant <piat_private>
>To: Jordan K Wiens <jwiensat_private>
>CC: incidentsat_private
>Subject: Re: Identity theft scam against eBay users
>Date: Mon, 10 Feb 2003 17:29:43 -0800
>
>The text in the "hook" email in my incident is slightly different. I'm
>including it below. Note subtle grammatical errors in the text.
>
>I've been trying to advise eBay all day, since it's their name that's being
>exploited, but all of my calls and emails have fallen into a blackhole.
>
>It now appears that the attackers are playing a shell game with the
>redirector site. Even though the site that receives the victim's post
>(bayers.netfirms.com) has been shut down, now the attackers are redirecting
>to at least one different site for receiving the posts.
>
>Here's the text that initiated my team's involvement:
>
>------------
>Dear eBay User,
>During our regular update and verification of the accounts, we couldn't
>verify your current information. Either your
>information has changed or it is incomplete.
>Please update and verify your information by signing in your account below :
>If the account information is not updated to current information within 5
>days then, your access to bid or buy on
>eBay will be restricted.
>go to this link below:
>------------
>
>Jordan K Wiens wrote:
>
> > A user on our network just reported a very similar situation, however the
> > details differed slightly.
> >
> > From address: updateat_private
> > Mail was not sendmail
> > Obfuscated link was:
> > http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=%66%77%6f%66%48%5a%70%55%76%46%4a%6c%69%47[OBFUSCATED TO PROTECT THE USER]6%68%4b%51%4b%6b%46%6f%65%42%58%75
> > Real link:
> > http://ebay.interpool.us/index.htm?sss=fwofHZpUvFiGg[OBFUSCATED TO PROTECT THE USER]hKQKkFoeBXu
> >
> > As of right now the page appears to still be up, can you see if it is
> > similar to the page you were seeing before? I've archived it if it goes
> > down.
> >
> > Snippet of text from the email:
> > --------------snip-------------
> > Dear valued ebay member XXXXXX :
> > It has come to our attention that your
> > [link to obfuscated url]ebay[/link]
> > Billing information's records are out of date. thats require update your
> > billing information's
> >
> > If you could please take 5-10 minutes out of your online experience and
> > [link again]update[/link]
> > Your billing records you will not run into any future problems with the
> > problems with the online service. However, failure to update your records
> > will result in account termination. Please update your records by tomorrow.
> > --------------snip-------------
> >
> > --
> > Jordan Wiens
> > UF Network Incident Response Team
> > (352)392-2061
> >
> > On Mon, 10 Feb 2003, Patrick Bryant wrote:
> >
> > > The scam is a social engineering hack to obtain personal information
> > > presumably for the purpose of identity theft.
> > >
> > > E-mails are being sent from an address claiming to be 'serviceat_private'
> > > requesting personal information including the recipient/victim's bank
> > > account number and routing number, checking account account name /
> > > number and routing number, eBay user ID / password, PayPal password,
> > > credit card number and associated ATM PIN number, social security
> > > number, driver's license number and state of issue, and mother's maiden
> > > name.
> > >
> > > Hopefully, half-savvy users will recognize this for what it is or at
> > > least object to the disclosure, but it takes some attention to detail to
> > > identify that it is a bogus request originating from outside eBay.
> > >
> > > Here are the technical details:
> > >
> > > - The claimed origin address is: serviceat_private
> > > - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
> > > and ends with the string '@www.websiteseasy.com'.
> > > - The message TEXT directs the user to the URL:
> > > http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
> > > displayed in the URL masquerades the actual URL to which the
> > > user-supplied data is posted.
> > > - The ACTUAL URL in the http directs the browser to:
> > > 'http://bayers.crossfade.la/' which then does a 'refresh' redirect to
> > > 'http://bayers.netfirms.com/'.
> > >
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 07:21:35 PST
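
Added example, not part of the original thread: a mail-filter style check for the two link tricks reported above, a percent-encoded hostname and link text that displays one URL while the href points at another host. The function names and the sample HTML body are constructed for illustration; only the hosts and the displayed URL are taken from the messages.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

def real_host(url):
    """Return (decoded hostname, True if the host was percent-encoded)."""
    raw = urlsplit(url.strip()).hostname or ""
    decoded = unquote(raw).lower()
    return decoded, decoded != raw

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return [(real host, [reasons])] for links that look deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host, encoded = real_host(href)
        reasons = ["percent-encoded host"] if encoded else []
        # Only compare when the visible text itself claims to be a URL.
        if text.lower().startswith(("http://", "https://")):
            shown = real_host(text)[0]
            if shown != host:
                reasons.append("link text shows " + shown)
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed sample body; hosts and displayed URL are the ones quoted in the thread.
SAMPLE = """
<a href="http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm">update</a>
<a href="http://bayers.crossfade.la/">http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213</a>
<a href="http://www.ebay.com/">http://www.ebay.com/</a>
"""

if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

The third link is a control: its text and href agree and the host is not encoded, so it is not reported.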