('binary' encoding is not supported, stored as-is) In-Reply-To: <0HA400DDKNXSHXat_private> Hello Nick, Federal law enforcement was notified by my firm yesterday, and provided with all of the information I have on the incident. I presume eBay's position will be that they are victims as well, which is understandable, and that they have no obligation to do anything (which may be true in a strictly legal sense). My personal opinion however is that this problem was exacerbated by eBay's past practice of sending out similar looking e-mails requesting users to connect to their site to update personal information. In my opinion, that practice is naive, and sets eBay users up for a scam such as has just occurred. A better practice would have been to simply prompt registered users to update their information whenever they (manually) initiated a new connection to the eBay web site -- rather than send out preemptive emails that gradually make users complacent about the email's authenticity and that have the potential to be spoofed. While I'm not casting blame at eBay, hopefully they will reconsider their own practice of prompting users to update their account information via email. I concur with your recommeded steps to shut down the site. The site that really needs to be shut down is the redirector. >Whilst it might be "nice" of you to inform eBay (I'm sure they see >dozens of these a month and really don't care that much) you should >really be informing the upstream hosting company of the fraudsters, >possibly _their_ upstream as well (lots of "small-fry" hosting >companies don't give a ^*%$ what their clients are doing so long as >they pay their bills, whereas the bulk hosting companies they buy >from tend to be a tad more concerned and will kill boxes/IPs much >more quickly), _AND_ the DNS hosts (in such scams it is common to >find the DNS is hosted other than by the hosting company). Also, as >the complainant was apparently in the US, the local police and/or FBI >"high tech crimes" folk should be involved too. > >> It now appears that the attackers are playing a shell game with >> the redirector site. Even though the site that receives the >> victim's post (bayers.netfirms.com) has been shut down, now the >> attackers are redirecting to at least one different site for >> receiving the posts. > >Get their DNS provider(s) to realize that by hosting and changing >this scum's DNS entries they are aiding and abetting a fraud that the >FBI is investigating (OK -- so don't tell the DNS host that you >simply left a message on the after-hours message service) and see how >quickly the DNS providers act... > > >-- >Nick FitzGerald >Computer Virus Consulting Ltd. >Ph/FAX: +64 3 3529854 > >---------------------------------------------------------------------------- >This list is provided by the SecurityFocus ARIS analyzer service. >For more information on this free incident handling, management >and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 11:28:08 PST