Previous Politech message:
"Scam extracts credit card numbers, bank info from eBay members"
http://www.politechbot.com/p-03476.html

---

Date: Thu, 02 May 2002 08:25:45 -0500
To: declanat_private
From: "Randal J. King" <rjkingat_private>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

Declan -

Quick action on someone's part - the domain is down. I had a similar thing last week for PayPal. The tip-off often is, as it is in your case, poor grammar and overall sentence/paragraph construction. These scum spend a lot of time duplicating the look of a legitimate site to trap people.

-- Randy

---

From: "D McOwen" <dmcowenat_private>
To: <declanat_private>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:39:40 -0400

Declan,

I've been getting the same sort of e-mails in the last two weeks with various big-name headers such as Yahoo, Amazon, MSN, AOL, Earthlink etc., all trying to do the same thing. If you put your info in their website, including credit card numbers, you give them the store. Scammers and spammers have been really cranking it up a notch lately. I suspect out-of-work programmers from the dot-com crash have been recruited for illegal purposes, unfortunately.

Dave McOwen

---

From: "Anthony Healy" <thealyat_private>
To: <declanat_private>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Fri, 3 May 2002 01:04:11 +1000

And reason 6: Clumsy phraseology and inaccurate grammar. (How come scammers are never good with grammar?)

> To avoid any inconvenience concerning an
> interruption of your service membership, in future.
> ...Remember to "doublecheck" all the fields for

Regards,
Tony Healy

---

Date: Thu, 2 May 2002 19:34:01 -0700
To: declanat_private
From: Stanton McCandlish <mechat_private>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

At 9:57 AM -0400 on 5/2/02, Declan McCullagh wrote:
> Obvious reasons this is a scam:
> 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
> 2. The destination URL is http://64.177.3.234/, which receives connectivity
> from qwest.net, not ebay.com.
> 3. There's no reason for eBay to send this message to me
> 4. The site is not using secure connection (https://) URLs
> to protect sensitive information, which eBay almost certainly would.
> 5. Replies are directed to a yahoo.com address

6. A load of addresses in the To header, instead of Bcc'd or sent individually, yet there are not nearly ENOUGH of them for this to really be an eBay message. There are millions of eBay users, so even between debiejeanat_private and debjamesat_private there would be many, many other addresses.

7. Really bad grammar, e.g.: "incorrect and/or (fraudulent)" and "To avoid any inconvenience concerning an interruption of your service membership, in future. Please take..."

--
Stanton McCandlish mechat_private http://www.eff.org/~mech
Technical Director/Webmaster
Electronic Frontier Foundation
voice: +1 415 436 9333 x105 fax: +1 415 436 9993
EFF, 454 Shotwell St. San Francisco CA 94110 USA

---

From: "Allen Smith" <easmithat_private>
Message-Id: <10205020900.ZM30484at_private>
Date: Thu, 2 May 2002 09:00:20 -0400
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
Mime-Version: 1.0

On May 2, 8:40am, Declan McCullagh wrote:
> Obvious reasons this is a scam:
> 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
> 2. The destination URL is http://64.177.3.234/, which receives connectivity
> from qwest.net, not ebay.com.
> 3. There's no reason for eBay to send this message to me
> 4. The site is not using secure connection (https://) URLs
> to protect sensitive information, which eBay almost certainly would.
> 5. Replies are directed to a yahoo.com address

While I believe you're correct on most of this:

A. eBay is not that great on security:
http://news.com.com/2100-1017-870959.html
http://spoor12.edup.tudelft.nl/SkyLined/docs/cross_site_scripting.archive.html
so it would not be _that_ surprising to see them not using proper encryption.

B. There's one thing you aren't mentioning, namely that email from eBay is unlikely to be coming from an email address they're shutting down in favor of a web form, namely "SafeHarborat_private".

-Allen

P.S. See http://news.com.com/2100-1017-857177.html for one past report on this scam.

--
Allen Smith http://cesario.rutgers.edu/easmith/
September 11, 2001 A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin

---

Date: Thu, 02 May 2002 09:09:05 -0400
To: declanat_private
From: Brian McWilliams <brian@pc-radio.com>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

Declan,

That IP resolves to NOREAGAX02.COM. It was just registered yesterday and is using an EarthLink drop-box (bkclan666at_private) according to the HTML. Responsible parties have been notified.

This type of scam is getting old:
http://www.newsbytes.com/news/02/173962.html

Brian

+++

Olive Johnson
3650 CARLTON ST
BARNUM, Minnesota 55707
US

Domain Name: NOREAGAX02.COM

Administrative Contact:
Olive Johnson noreaga01at_private
Olive Johnson
3650 CARLTON ST
BARNUM, Minnesota 55707
US
Phone: 2183890280
Fax: 555-555-5555

Technical Contact:
Apollo Hosting registrationat_private
Apollo Hosting, Inc
11712 Jefferson Ave. Suite 423
Newport News, Virginia 23606
US
Phone: 7578988666
Fax: 8008610986

Record updated on 2002-05-01 10:50:08.
Record created on 2002-05-01.
Record expires on 2003-05-01.
Database last updated on 2002-05-02 08:58:17 EST.

Domain servers in listed order:
NS.APOLLOHOSTING.COM 216.147.43.193
NS2.APOLLOHOSTING.COM 216.147.1.144

---

Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
From: Steve Withers <swithersat_private>
To: declanat_private
Date: 03 May 2002 01:15:28 +1200

This looks like the guilty party:

<input type="HIDDEN" name="redirect" action="refresh" delay =" 0.3" value="http://64.177.3.234/redirect.html">
<input type=HIDDEN name="recipient" value="bkclan666at_private">

Steve

---

From: "FourMat Technologies, Inc" <matt@fourmat-engineering.com>
To: <declanat_private>
References: <20020502095719.A29274at_private>
Subject: Re: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:15:28 -0400
Organization: FourMat Technologies, Inc

Another confirmation that it's a scam is the script that it uses to collect information inside the code of the page, formmail.pl. This is classically just an information-collecting script that emails the form fields to the recipient, using the sendmail protocol. Very simple and a total security concern. The recipient of the mail is bkclan666at_private, if that says anything.

Hmm, interesting: go to the page and try to right-click. It moves the browser window around and beeps at you a lot. Annoying. I wonder if eBay uses these tactics on their pages. I would bet not.

This would probably be of interest to the guys over at slashdot.

Matt Hartman
FourMat Technologies, Inc
matt@fourmat-engineering.com

---

Date: Thu, 02 May 2002 09:41:12 -0400
To: declanat_private
From: [someone who seemed to want to remain anonymous]
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

64.177.3.234 is a web server owned/operated by "noreagax02.com" running Apache 1.3.20 unix Apache JServ/1.1.2 PHP/4.1.2 FrontPage5.0.2.2510 Rewrit 1.1a on the Alabanza netblock.

Here are the details of Alabanza:

Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
8309 Tinsley Rd.
Baltimore, MD 21244
US

Netname: ALABANZA-BALT-4
Netblock: 64.176.0.0 - 64.177.255.255
Maintainer: ALAB

Coordinator:
Cunningham, Thomas (TC12-ARIN) ipadminat_private
410-779-1400

Domain System inverse mapping provided by:
NS.ALABANZA.COM 209.239.47.252
NS2.ALABANZA.COM 209.239.47.201

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 06-Oct-2000.
Database last updated on 1-May-2002 19:59:42 EDT.

On the side.... netsol cannot resolve noreagax02.com...?!

Hope this gets you on track :)

regards

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
-------------------------------------------------------------------------
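The thread lists the tells by hand: a dial-up origin hop in the Received headers, a Reply-To at a free-mail provider, a crowd of visible To addresses, a raw-IP link over plain http, and, on the landing page, the hidden "recipient"/"redirect" inputs that Steve and Matt identify as the formmail.pl pattern. The script below, an added example and not code from any of the posters, mechanises those checks against a constructed sample e-mail and a constructed landing page. The claimed domain ebay.com, the cgi-bin/formmail.pl path, the drop-box address and all other addresses are assumptions; only the 64.177.3.234 address, the dialsprint.net hostname and the two hidden field names come from the thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CLAIMED_DOMAIN = "ebay.com"  # domain the message claims to come from (assumed)

# Constructed sample, not the original message: it reproduces the thread's
# indicators (dial-up origin hop, yahoo Reply-To, many visible recipients,
# raw-IP http link). All addresses are placeholders.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.5]) by mx.example.org; Thu, 2 May 2002 08:00:00 -0400
Received: from sdn-ar-001nynyorp256.dialsprint.net ([192.0.2.77]) by mail.example.net; Thu, 2 May 2002 07:58:00 -0400
From: "eBay SafeHarbor" <safeharbor@ebay.com>
Reply-To: <dropbox@yahoo.com>
To: <user1@example.org>, <user2@example.org>, <user3@example.org>
Subject: Verify your account

To avoid any inconvenience, please visit http://64.177.3.234/ and confirm.
"""

# Constructed landing page in the shape Steve and Matt describe; hidden
# recipient/redirect fields are the formmail.pl convention. Path and
# drop-box address are assumptions.
SAMPLE_HTML = """\
<html><body>
<form method="POST" action="http://64.177.3.234/cgi-bin/formmail.pl">
<input type="HIDDEN" name="redirect" value="http://64.177.3.234/redirect.html">
<input type="HIDDEN" name="recipient" value="dropbox@example.net">
Card number: <input type="text" name="ccnum"><br>
<input type="submit" value="Submit">
</form></body></html>
"""


def in_domain(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()


def url_indicators(url):
    """Plain http, raw-IP host, or a host outside the claimed domain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    flags = ["no-tls"] if p.scheme != "https" else []
    try:
        ipaddress.ip_address(host)
        flags.append("raw-ip-host")
    except ValueError:
        if not in_domain(host, CLAIMED_DOMAIN):
            flags.append("host-outside-claimed-domain")
    return flags


def header_indicators(raw_email):
    """Reasons 1, 5 and 6 from the thread, plus every link in the body."""
    msg = message_from_string(raw_email)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    hops = msg.get_all("Received") or []  # last header = earliest hop = origin
    m = re.match(r"from\s+(\S+)", hops[-1]) if hops else None
    if m and not in_domain(m.group(1).lower(), from_dom):
        flags.append("origin-outside-from-domain")
    if len(getaddresses(msg.get_all("To", []))) > 1:
        flags.append("many-visible-recipients")
    for link in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        flags.extend("link:" + f for f in url_indicators(link))
    return flags


class FormScanner(HTMLParser):
    """Collect form actions and hidden inputs from a page."""

    def __init__(self):
        super().__init__()
        self.actions, self.hidden = [], {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name", "").lower()] = a.get("value", "")


def form_indicators(html):
    """The formmail.pl pattern: hidden recipient/redirect fields and a raw-IP action."""
    scanner = FormScanner()
    scanner.feed(html)
    flags = []
    for action in scanner.actions:
        flags.extend("action:" + f for f in url_indicators(action))
        if action.lower().endswith("formmail.pl"):
            flags.append("formmail-script")
    if "@" in scanner.hidden.get("recipient", ""):
        flags.append("hidden-mail-dropbox:" + scanner.hidden["recipient"])
    if "redirect" in scanner.hidden:
        flags.append("hidden-redirect")
    return flags
```

Run `header_indicators(SAMPLE_EMAIL)` and `form_indicators(SAMPLE_HTML)` to see the flags; the grammar tell (reasons 6 and 7) is left to a human. Two caveats a practitioner should keep in mind: Received headers below the first hop your own mail server added are written by the sender and can be forged, so the origin check only means something for the hops you trust; and a hidden recipient field alone is not proof of fraud, since a careless legitimate site could also use a mail-the-form CGI. The value of the checks is in their combination, which is exactly how the thread reasons.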
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 02:36:29 PDT