FC: Replies to scam stealing credit card numbers from eBay members

From: Declan McCullagh (declanat_private)
Date: Thu May 02 2002 - 21:51:52 PDT

  • Next message: Declan McCullagh: "FC: Dick Armey's aide replies to Politech on photo radar, speeding" 

    Previous Politech message:

"Scam extracts credit card numbers, bank info from eBay members"
http://www.politechbot.com/p-03476.html

---

Date: Thu, 02 May 2002 08:25:45 -0500
To: declanat_private
From: "Randal J. King" <rjkingat_private>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
   members

Declan -

Quick action on someone's part - the domain is down.  I had a similar thing 
last week for PayPal.  The tip off often is, as it is in your case, poor 
grammar and overall sentence/paragraph construction.  These scum spend a 
lot of time duplicating the look of a legitimate site to trap people.

-- Randy

---

From: "D McOwen" <dmcowenat_private>
To: <declanat_private>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:39:40 -0400

Declan,

I've been getting the same sort of E-mails in the last two weeks with
various big name headers such as Yahoo, Amazon, MSN, AOL, Earthlink etc all
trying to do the same thing. If you put your info in their website including
credit card numbers, you give them the store.

Scammers and spammers have been really cranking it up a notch lately. I
suspect out of work programmers from the dot com crash have been recruited
for illegal purposes unfortunately.

Dave McOwen

---

From: "Anthony Healy" <thealyat_private>
To: <declanat_private>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Fri, 3 May 2002 01:04:11 +1000

And reason 6: Clumsy phraseology and innaccurate grammar. ( How come
scammers are never good with grammer?)

 > To avoid any inconvenience concerning an
 > interruption of your service membership, in future.
 > ...Remember to "doublecheck" all the fields for

Regards, Tony Healy

---

Date: Thu, 2 May 2002 19:34:01 -0700
To: declanat_private
From: Stanton McCandlish <mechat_private>
Subject: Re: FC: Scam extracts credit card numbers, bank info from
  eBay members

At 9:57 AM -0400 on 5/2/02, Declan McCullagh wrote:

 > Obvious reasons this is a scam:
 > 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
 > 2. The destination URL is http://64.177.3.234/, which receives connectivity
 >    from qwest.net, not ebay.com.
 > 3. There's no reason for eBay to send this message to me
 > 4. The site is not using a secure connection (https://) URLs for
 >    to protect sensitive information, which eBay almost certainly would.
 > 5. Replies are directed to to a yahoo.com address

6. A load of addresses in the To header, instead of Bcc'd or sent
individually, yet there are not nearly ENOUGH of them for this to
really be an eBay message. There are millions of eBay users, so even
between debiejeanat_private and debjamesat_private would be many,
many other addresses.
7. Really bad grammar, e.g.: "incorrect and/or (fraudulent)" and "To
avoid any inconvenience concerning an interruption of your service
membership, in future. Please take..."

-- 
Stanton McCandlish      mechat_private       http://www.eff.org/~mech
Technical Director/Webmaster         Electronic Frontier Foundation
voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
EFF, 454 Shotwell St.                    San Francisco CA 94110 USA

---

From: "Allen Smith" <easmithat_private>
Message-Id: <10205020900.ZM30484at_private>
Date: Thu, 2 May 2002 09:00:20 -0400
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
Mime-Version: 1.0

On May 2,  8:40am, Declan McCullagh wrote:
 > Obvious reasons this is a scam:
 > 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
 > 2. The destination URL is http://64.177.3.234/, which receives connectivity
 >    from qwest.net, not ebay.com.
 > 3. There's no reason for eBay to send this message to me
 > 4. The site is not using a secure connection (https://) URLs for
 >    to protect sensitive information, which eBay almost certainly would.
 > 5. Replies are directed to to a yahoo.com address

While I believe you're correct on most of this:
	A. eBay is not that great on security:
				http://news.com.com/2100-1017-870959.html
		http://spoor12.edup.tudelft.nl/SkyLined/docs/cross_site_scripting.archive.html
	   so it would not be _that_ surprising to see them not using proper
	   encryption.
	B. There's one thing you aren't mentioning, namely that email from
	   ebay is unlikely to be coming from an email address they're
	   shutting down in favor of a web form, namely
	   "SafeHarborat_private".

	-Allen

P.S. See http://news.com.com/2100-1017-857177.html for one past report on
this scam.

-- 
Allen Smith			http://cesario.rutgers.edu/easmith/
September 11, 2001		A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin

---

Date: Thu, 02 May 2002 09:09:05 -0400
To: declanat_private
From: Brian McWilliams <brian@pc-radio.com>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
   members

Declan,

That IP resolves to NOREAGAX02.COM . Was just registered yesterday and is 
using an EarthLink drop-box ( bkclan666at_private ) according to the 
HTML. Responsible parties have been notified.

This type of scam is getting old:

http://www.newsbytes.com/news/02/173962.html

Brian

+++

Olive Johnson
    3650 CARLTON ST
    BARNUM, Minnesota 55707
    US

    Domain Name: NOREAGAX02.COM

    Administrative Contact:
          Olive Johnson    noreaga01at_private
         Olive Johnson
         3650 CARLTON ST
         BARNUM, Minnesota 55707
         US
         Phone: 2183890280
         Fax: 555-555-5555
    Technical Contact:
         Apollo Hosting  registrationat_private
         Apollo Hosting, Inc
         11712 Jefferson Ave. Suite 423
         Newport  News, Virginia 23606
         US
         Phone: 7578988666
         Fax: 8008610986

    Record updated on 2002-05-01 10:50:08.
    Record created on 2002-05-01.
    Record expires on 2003-05-01.
    Database last updated on 2002-05-02 08:58:17 EST.

    Domain servers in listed order:

    NS.APOLLOHOSTING.COM          216.147.43.193
    NS2.APOLLOHOSTING.COM         216.147.1.144

---

Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
	members
From: Steve Withers <swithersat_private>
To: declanat_private
Date: 03 May 2002 01:15:28 +1200

This looks like the guilty party:

input type="HIDDEN" name="redirect" action="refresh" delay =" 0.3"
value="http://64.177.3.234/redirect.html"

input type=HIDDEN name="recipient" value="bkclan666at_private"

Steve

---

From: "FourMat Technologies, Inc" <matt@fourmat-engineering.com>
To: <declanat_private>
References: <20020502095719.A29274at_private>
Subject: Re: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:15:28 -0400
Organization: FourMat Technologies, Inc

Another confirmation that it's a scam is the script that it uses to collect
information inside the code of the page, formmail.pl.  This is classically
just an information collecting script that emails the form fields to the
recipient, using the sendmail protocol.  Very simple and a total security
concern.  The recipient of the mail is bkclan666at_private  if that says
anything.

Hmm, interesting, go to the page and try to right click. It moves the
browser window around and beeps at you a lot.  Annoying.  I wonder if eBay
uses these tactics on their pages.   I would bet not.

This would probably be of interest to the guys over at slashdot.

Matt Hartman
FourMat Technologies, Inc
matt@fourmat-engineering.com

---

Date: Thu, 02 May 2002 09:41:12 -0400
To: declanat_private
From: [someone who seemed to want to remain anonymous]
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
   members

64.177.3.234 is a web server owned/operated by "noreagax02.com" running 
Apache 1.3.20 unix Apache JServ/1.1.2 PHP/4.1.2 FrontPage5.0.2.2510 Rewrit 
1.1a on the Alabanza netblock.
Here are the details of Alabanza:
Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
    8309 Tinsley Rd.
    Baltimore, MD 21244
    US

    Netname: ALABANZA-BALT-4
    Netblock: 64.176.0.0 - 64.177.255.255
    Maintainer: ALAB

    Coordinator:
       Cunningham, Thomas  (TC12-ARIN)  ipadminat_private
       410-779-1400

    Domain System inverse mapping provided by:

    NS.ALABANZA.COM		209.239.47.252
    NS2.ALABANZA.COM		209.239.47.201

    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

    Record last updated on 06-Oct-2000.
    Database last updated on  1-May-2002 19:59:42 EDT.


On the side....netsol cannot resolve noreagax02.com...?!

Hope this gets you on track :)

regards




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
-------------------------------------------------------------------------

    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 02:36:29 PDT