eBay - 'Account Verification'
11-Jan-2005

Summary
Email title: 'Account Verification'
Scam target: eBay users
Sender: aw-confirm@ebay.com
Sender spoofed/hidden? Spoofed
Phish 'punch line': 'Five password bruteforcing attempts were performed on your eBay account. You must register an ID Verify certificate in order to remain in the eBay Community.'
Scam goal: Getting the victim's eBay username/password and credit card information
Phish link method: a 'Click here' type link
Link 'masked'? Yes
Actual link to: http://www.lemondedegaetane.com/aw-cgi/ws2/SignIn.html
Phish website IP: 212.85.153.6

 
E-mail

This is a fresh phish case which uses a 'hijacked' domain, i.e. the phishers have obtained remote access to a legitimate site and placed the phish site there. This way they benefit from any whitelist entries that exist for the legitimate domain, and get through a URL blacklist filter that has never seen the domain flagged.

The email looks quite persuasive:

The tone is quite harsh and there is no eBay logo or legitimate header/footer. Otherwise it is well made: the sender is spoofed and the actual URL of the link is hidden.
 
Web Site

The phish site opens up with a page that is an exact replica of the eBay login page, with only a couple of differences:

  • The URL in the address bar is different (i.e. not an ebay.com derivative);
  • The page is served over plain 'http' (unencrypted). The legitimate page is on an 'https' secured site.
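The two differences above, plus the 'masked' link from the e-mail, are exactly the properties a mail client or a user-side checker can test mechanically. The following is an added example, not code from the APWG page or from eBay: it takes the real href behind a link, the text the user sees, and the brand domain the mail claims to be from (ebay.com, as on this page), and returns a short code for each weakness found. The legitimate-looking URL `https://signin.ebay.com/` used in the usage comment is a constructed value chosen for illustration, not taken from the page.

```python
from urllib.parse import urlsplit

# Brand domain the e-mail claims to come from (eBay on this page).
EXPECTED_DOMAIN = "ebay.com"


def link_warnings(href, displayed_text="", expected_domain=EXPECTED_DOMAIN):
    """Return a list of codes for each weakness found in a login link.

    'wrong-host'  - host of href is not expected_domain or a subdomain of it
    'not-https'   - href uses plain http (or no scheme) instead of https
    'masked-link' - the visible text looks like a URL whose host differs
                    from the host the link really points to
    """
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    found = []

    # Difference 1 on the page: address bar is not an ebay.com derivative.
    if host != expected_domain and not host.endswith("." + expected_domain):
        found.append("wrong-host")

    # Difference 2 on the page: plain http instead of the legitimate https.
    if parts.scheme.lower() != "https":
        found.append("not-https")

    # 'Masked' link: text such as "https://signin.ebay.com/" shown to the
    # user while the href goes elsewhere. Plain text like "Click here"
    # has no hostname and is not flagged here.
    shown_host = (urlsplit(displayed_text.strip()).hostname or "").lower()
    if shown_host and shown_host != host:
        found.append("masked-link")

    return found


if __name__ == "__main__":
    # The actual link from this phish case, behind a 'Click here' anchor.
    phish = "http://www.lemondedegaetane.com/aw-cgi/ws2/SignIn.html"
    print(link_warnings(phish, "Click here"))          # ['wrong-host', 'not-https']
    # Same href, but the e-mail shows a legitimate-looking URL as link text.
    print(link_warnings(phish, "https://signin.ebay.com/"))
    # Constructed legitimate link: no warnings.
    print(link_warnings("https://signin.ebay.com/", "Click here"))  # []
```

The host test deliberately compares the parsed hostname, not a substring of the whole URL, so a lookalike such as `ebay.com.` followed by another domain, or `ebay.com` placed in the path, still produces `wrong-host`.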
 
 
After the initial 'login' page, a second one is displayed, demanding more information. The weaknesses mentioned earlier remain visible.
 
 

The site will check whether the fields are filled in, and will check the credit card number using the Luhn formula. This is a simple mod-10 checksum, typically used for a first-stage credit card verification (i.e. before connecting to a card processing server) to catch typos. The function of this check on the phish site is to reject a random bogus number and so imply that the site is legitimate. It will, of course, accept any bogus number that happens to conform to the Luhn rule, because the checksum says nothing about whether the card actually exists.
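To make the limits of that check concrete, here is an added Luhn implementation (not code from the page or from the phish site). It accepts digits with optional spaces or dashes, rejects anything else, and the second function spells out what a pass or fail actually tells a form owner. The sample numbers are the well-known public test card numbers 4111 1111 1111 1111 and 5555 5555 5555 4444 and a random digit string; none of them come from this page.

```python
def luhn_valid(number):
    """Luhn (mod 10) checksum, the first-stage check the phish site performs.

    Only digits, spaces and dashes are accepted; any other character, or an
    input shorter than two digits, is rejected outright.
    """
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or any(ch not in "0123456789" for ch in cleaned):
        return False

    total = 0
    # Walk from the rightmost digit; every second digit is doubled, and a
    # doubled value above 9 has 9 subtracted (equivalent to summing its digits).
    for position, ch in enumerate(reversed(cleaned)):
        digit = int(ch)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def classify_card_input(number):
    """What a Luhn-only check on a web form can and cannot tell you."""
    if not luhn_valid(number):
        return "rejected: fails Luhn checksum (typo or random digits)"
    # A pass only means the digits are self-consistent; it is not proof that
    # the card exists, is active, or belongs to the person typing it.
    return "passes Luhn: well-formed, but proves nothing about the card or the site"


if __name__ == "__main__":
    for sample in ["4111 1111 1111 1111",   # public test number, Luhn-valid
                   "5555 5555 5555 4444",   # public test number, Luhn-valid
                   "1234567890123456",      # random digits, fails
                   "4111111111111112"]:     # one-digit typo, fails
        print(sample, "->", classify_card_input(sample))
```

A legitimate merchant runs this same checksum before contacting the card network; the phish site stops here, which is why a well-formed but non-existent number sails through it.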

After accepting the information, a standard-looking logout page is displayed:

 
 
The hijacked legitimate server is located in France:
 
WHOIS information (for IP 212.85.153.6):

IP Location: France

domain: LEMONDEDEGAETANE.COM
owner-address: Eric Ariaudo
owner-address: Les Plantes
owner-address: 24380
owner-address: Creyssensac
owner-address: France
owner-phone: +33.199999999
admin-c: GL736-GANDI
tech-c: LO138-GANDI
bill-c: GL736-GANDI
nserver: ns1.lost-oasis.net 212.85.153.9
nserver: ns2.lost-oasis.net 80.67.160.54
reg_created: 2003-06-30 05:02:05
expires: 2005-06-30 05:02:05
created: 2003-06-30 11:02:06
changed: 2004-07-05 12:00:44