FC: Replies to scam stealing credit card numbers from eBay members

From: Declan McCullagh (declanat_private)
Date: Thu May 02 2002 - 21:51:52 PDT

    Previous Politech message:
    
    "Scam extracts credit card numbers, bank info from eBay members"
    http://www.politechbot.com/p-03476.html
    
    ---
    
    Date: Thu, 02 May 2002 08:25:45 -0500
    To: declanat_private
    From: "Randal J. King" <rjkingat_private>
    Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
       members
    
    Declan -
    
    Quick action on someone's part - the domain is down.  I had a similar thing 
    last week for PayPal.  The tip off often is, as it is in your case, poor 
    grammar and overall sentence/paragraph construction.  These scum spend a 
    lot of time duplicating the look of a legitimate site to trap people.
    
    -- Randy
    
    ---
    
    From: "D McOwen" <dmcowenat_private>
    To: <declanat_private>
    Subject: RE: Scam extracts credit card numbers, bank info from eBay members
    Date: Thu, 2 May 2002 09:39:40 -0400
    
    Declan,
    
    I've been getting the same sort of E-mails in the last two weeks with
    various big name headers such as Yahoo, Amazon, MSN, AOL, Earthlink etc all
    trying to do the same thing. If you put your info in their website including
    credit card numbers, you give them the store.
    
    Scammers and spammers have been really cranking it up a notch lately. I
    suspect out of work programmers from the dot com crash have been recruited
    for illegal purposes unfortunately.
    
    Dave McOwen
    
    ---
    
    From: "Anthony Healy" <thealyat_private>
    To: <declanat_private>
    Subject: RE: Scam extracts credit card numbers, bank info from eBay members
    Date: Fri, 3 May 2002 01:04:11 +1000
    
    And reason 6: Clumsy phraseology and inaccurate grammar. ( How come
    scammers are never good with grammar?)
    
     > To avoid any inconvenience concerning an
     > interruption of your service membership, in future.
     > ...Remember to "doublecheck" all the fields for
    
    Regards, Tony Healy
    
    ---
    
    Date: Thu, 2 May 2002 19:34:01 -0700
    To: declanat_private
    From: Stanton McCandlish <mechat_private>
    Subject: Re: FC: Scam extracts credit card numbers, bank info from
      eBay members
    
    At 9:57 AM -0400 on 5/2/02, Declan McCullagh wrote:
    
     > Obvious reasons this is a scam:
     > 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
     > 2. The destination URL is http://64.177.3.234/, which receives connectivity
     >    from qwest.net, not ebay.com.
     > 3. There's no reason for eBay to send this message to me
     > 4. The site is not using secure connection (https://) URLs to
     >    protect sensitive information, which eBay almost certainly would.
     > 5. Replies are directed to a yahoo.com address
    
    6. A load of addresses in the To header, instead of Bcc'd or sent
    individually, yet there are not nearly ENOUGH of them for this to
    really be an eBay message. There are millions of eBay users, so even
    between debiejeanat_private and debjamesat_private would be many,
    many other addresses.
    7. Really bad grammar, e.g.: "incorrect and/or (fraudulent)" and "To
    avoid any inconvenience concerning an interruption of your service
    membership, in future. Please take..."
    
    -- 
    Stanton McCandlish      mechat_private       http://www.eff.org/~mech
    Technical Director/Webmaster         Electronic Frontier Foundation
    voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
    EFF, 454 Shotwell St.                    San Francisco CA 94110 USA
    
    ---
    
    From: "Allen Smith" <easmithat_private>
    Message-Id: <10205020900.ZM30484at_private>
    Date: Thu, 2 May 2002 09:00:20 -0400
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
    Mime-Version: 1.0
    
    On May 2,  8:40am, Declan McCullagh wrote:
     > Obvious reasons this is a scam:
     > 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
     > 2. The destination URL is http://64.177.3.234/, which receives connectivity
     >    from qwest.net, not ebay.com.
     > 3. There's no reason for eBay to send this message to me
     > 4. The site is not using secure connection (https://) URLs to
     >    protect sensitive information, which eBay almost certainly would.
     > 5. Replies are directed to a yahoo.com address
    
    While I believe you're correct on most of this:
        A. eBay is not that great on security:
           http://news.com.com/2100-1017-870959.html
           http://spoor12.edup.tudelft.nl/SkyLined/docs/cross_site_scripting.archive.html
           so it would not be _that_ surprising to see them not using proper
           encryption.
        B. There's one thing you aren't mentioning, namely that email from
           ebay is unlikely to be coming from an email address they're
           shutting down in favor of a web form, namely
           "SafeHarborat_private".
    
    	-Allen
    
    P.S. See http://news.com.com/2100-1017-857177.html for one past report on
    this scam.
    
    -- 
    Allen Smith			http://cesario.rutgers.edu/easmith/
    September 11, 2001		A Day That Shall Live In Infamy II
    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety." - Benjamin Franklin
    
    ---
    
    Date: Thu, 02 May 2002 09:09:05 -0400
    To: declanat_private
    From: Brian McWilliams <brian@pc-radio.com>
    Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
       members
    
    Declan,
    
    That IP resolves to NOREAGAX02.COM. Was just registered yesterday and is 
    using an EarthLink drop-box (bkclan666at_private) according to the 
    HTML. Responsible parties have been notified.
    
    This type of scam is getting old:
    
    http://www.newsbytes.com/news/02/173962.html
    
    Brian
    
    +++
    
    Olive Johnson
        3650 CARLTON ST
        BARNUM, Minnesota 55707
        US
    
        Domain Name: NOREAGAX02.COM
    
        Administrative Contact:
              Olive Johnson    noreaga01at_private
             Olive Johnson
             3650 CARLTON ST
             BARNUM, Minnesota 55707
             US
             Phone: 2183890280
             Fax: 555-555-5555
        Technical Contact:
             Apollo Hosting  registrationat_private
             Apollo Hosting, Inc
             11712 Jefferson Ave. Suite 423
             Newport  News, Virginia 23606
             US
             Phone: 7578988666
             Fax: 8008610986
    
        Record updated on 2002-05-01 10:50:08.
        Record created on 2002-05-01.
        Record expires on 2003-05-01.
        Database last updated on 2002-05-02 08:58:17 EST.
    
        Domain servers in listed order:
    
        NS.APOLLOHOSTING.COM          216.147.43.193
        NS2.APOLLOHOSTING.COM         216.147.1.144
    
    ---
    
    Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
    	members
    From: Steve Withers <swithersat_private>
    To: declanat_private
    Date: 03 May 2002 01:15:28 +1200
    
    This looks like the guilty party:
    
    <input type="HIDDEN" name="redirect" action="refresh" delay =" 0.3"
    value="http://64.177.3.234/redirect.html">
    
    <input type=HIDDEN name="recipient" value="bkclan666at_private">
    
    Steve
    
    ---
    
    From: "FourMat Technologies, Inc" <matt@fourmat-engineering.com>
    To: <declanat_private>
    References: <20020502095719.A29274at_private>
    Subject: Re: Scam extracts credit card numbers, bank info from eBay members
    Date: Thu, 2 May 2002 09:15:28 -0400
    Organization: FourMat Technologies, Inc
    
    Another confirmation that it's a scam is the script that it uses to collect
    information inside the code of the page, formmail.pl.  This is classically
    just an information collecting script that emails the form fields to the
    recipient, using the sendmail protocol.  Very simple and a total security
    concern.  The recipient of the mail is bkclan666at_private  if that says
    anything.
    
    Hmm, interesting, go to the page and try to right click. It moves the
    browser window around and beeps at you a lot.  Annoying.  I wonder if eBay
    uses these tactics on their pages.   I would bet not.
    
    This would probably be of interest to the guys over at slashdot.
    
    Matt Hartman
    FourMat Technologies, Inc
    matt@fourmat-engineering.com
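    The indicators Declan lists (a bare-IP destination, no https, replies routed to a
    third-party mailbox, a batch of recipients visible in To) and the hidden
    recipient/redirect fields feeding a formmail.pl script that Steve and Matt point
    out can be written down as a mechanical triage check. The Python below is an added
    example, not code from any of the posts or from eBay; the sample message, the form,
    the example domains and the 192.0.2.10 address are constructed placeholders rather
    than the scam's real infrastructure, and FREEMAIL_DOMAINS is an assumed list.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample lure: the addresses, hostnames and 192.0.2.10 are documentation
# placeholders, not the scam infrastructure named in the thread.
SAMPLE_MESSAGE = """\
From: "Auction Safe Harbor" <safeharbor@example-auction.test>
Reply-To: dropbox-placeholder@freemail.example
To: alice@example.net, bob@example.net, carol@example.net
Subject: Please verify your account

To avoid any inconvenience concerning an interruption of your service
membership, in future. Please visit http://192.0.2.10/verify.html
"""

# Constructed landing-page form mirroring the hidden-field pattern quoted in the thread.
SAMPLE_FORM_HTML = """\
<form method="POST" action="http://192.0.2.10/cgi-bin/formmail.pl">
<input type="HIDDEN" name="recipient" value="dropbox-placeholder@freemail.example">
<input type="HIDDEN" name="redirect" value="http://192.0.2.10/redirect.html">
<input type="text" name="card_number">
</form>
"""

# Assumption: mail domains a company would not use to collect customer replies.
FREEMAIL_DOMAINS = {"freemail.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _addrs(msg, header):
    """Non-empty addresses from every instance of a header."""
    return [a for _, a in getaddresses(msg.get_all(header, [])) if a]


def _url_findings(url, prefix):
    """Indicators 2 and 4 from the thread: bare-IP destination, no TLS."""
    parts, found = urlparse(url), []
    try:
        ip_address(parts.hostname or "")
        found.append(prefix + "raw-ip")
    except ValueError:
        pass
    if parts.scheme != "https":
        found.append(prefix + "plain-http")
    return found


def triage_message(raw):
    """Sorted indicator names for an RFC 822 message string."""
    msg, findings = message_from_string(raw), set()
    senders, reply_to = _addrs(msg, "From"), _addrs(msg, "Reply-To")
    from_domain = _domain(senders[0]) if senders else ""
    # Indicator 5: replies routed to a mailbox outside the claimed sender's domain.
    if reply_to and _domain(reply_to[0]) != from_domain:
        findings.add("reply-to-domain-mismatch")
    if reply_to and _domain(reply_to[0]) in FREEMAIL_DOMAINS:
        findings.add("reply-to-freemail")
    # Indicator 6: a batch of recipients exposed in To instead of Bcc.
    if len(_addrs(msg, "To")) > 1:
        findings.add("bulk-to-header")
    for url in URL_RE.findall(msg.get_payload()):
        findings.update(_url_findings(url, "link-"))
    return sorted(findings)


class _FormScan(HTMLParser):
    """Collect form actions and hidden inputs from a landing page."""
    def __init__(self):
        super().__init__()
        self.actions, self.hidden = [], {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[(a.get("name") or "").lower()] = a.get("value") or ""


def triage_form(html):
    """Plaintext POST to a bare IP through a generic form-to-mail script,
    with hidden recipient/redirect fields, as seen on the scam page."""
    scan = _FormScan()
    scan.feed(html)
    findings = set()
    for action in scan.actions:
        findings.update(_url_findings(action, "form-"))
        if urlparse(action).path.lower().endswith("formmail.pl"):
            findings.add("formmail-script")
    for name in ("recipient", "redirect"):
        if name in scan.hidden:
            findings.add("hidden-%s-field" % name)
    return sorted(findings)
```

    Each function returns the names of the indicators it found, so a mail gateway or
    an abuse desk can score a message and its landing page separately; a legitimate
    receipt with a single recipient, no Reply-To and an https link to the sender's own
    domain yields an empty list.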
    
    ---
    
    Date: Thu, 02 May 2002 09:41:12 -0400
    To: declanat_private
    From: [someone who seemed to want to remain anonymous]
    Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay
       members
    
    64.177.3.234 is a web server owned/operated by "noreagax02.com" running 
    Apache 1.3.20 unix Apache JServ/1.1.2 PHP/4.1.2 FrontPage5.0.2.2510 Rewrit 
    1.1a on the Alabanza netblock.
    Here are the details of Alabanza:
    Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
        8309 Tinsley Rd.
        Baltimore, MD 21244
        US
    
        Netname: ALABANZA-BALT-4
        Netblock: 64.176.0.0 - 64.177.255.255
        Maintainer: ALAB
    
        Coordinator:
           Cunningham, Thomas  (TC12-ARIN)  ipadminat_private
           410-779-1400
    
        Domain System inverse mapping provided by:
    
        NS.ALABANZA.COM		209.239.47.252
        NS2.ALABANZA.COM		209.239.47.201
    
        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    
        Record last updated on 06-Oct-2000.
        Database last updated on  1-May-2002 19:59:42 EDT.
    
    
    On the side....netsol cannot resolve noreagax02.com...?!
    
    Hope this gets you on track :)
    
    regards
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
    -------------------------------------------------------------------------
    


