
eBay - 'eBay Verify Accounts'
18-Apr-2005

Summary
Email title: 'eBay Verify Accounts'
Scam target: eBay users
Sender: eBay Security <security@ebay.com>
Sender spoofed/hidden? Yes
Scam goal: Getting victim's eBay and PayPal username/password, credit card information, bank account information, etc.
Phish link method: URL link
Link 'masked'? Yes
Visible link: http://www.ebay.com/aw-cgi/eBayISAPI.dll?VerifyRegistrationShow
Actual link to: http://www.security-validation-your-account.com/signin.ebay/signin.ebay.com/acounts/memb/avncenter/dll87443/BayISAPI.dll/sign_in.htm
Phish site IP: 62.141.48.5

 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
Convincingly designed scam. Uses deceptive domain name, but demands too much information.
 
E-mail
 
The email is well designed and convincing:
 
 
Both the visible sender and URL link are spoofed, so the real ones are hidden. This makes the appeal even greater.
 
Web Site
Visible link: http://www.ebay.com/aw-cgi/eBayISAPI.dll?VerifyRegistrationShow
Actual link to: http://www.security-validation-your-account.com/signin.ebay/signin.ebay.com/acounts/memb/avncenter/dll87443/BayISAPI.dll/sign_in.htm
Phish site IP: 62.141.48.5

 
The phish site does not use a technical trick to hide its address. Instead, the domain name is constructed deceptively. Still, the lack of HTTPS session protection is a clue that this is a scam.
 
 
As usual, the second page demands more personal information. In this case, the list is very long, and could spark suspicion:
 
 
None of the information is validated beyond checking that it is present. The next page is a 'logout' screen:
 
 
After a few seconds in the logout page, the browser is redirected to the legitimate eBay homepage.
 
WHOIS data (for IP 62.141.48.5) :

IP Location: - Keyweb Ag Ip Network
Record Type: Domain Name
Name Server: NS.KEYMACHINE.DE
ICANN Registrar: ENOM, INC.
Created: 2005-03-30
Expires: 2006-03-30
Status: REGISTRAR-LOCK
Registration Service Provided By: Keyweb AG

Domain name: security-validation-your-account.com

Registrant Contact:
Darrell Eyre
Darrell Eyre ()
49 174 5203256
Fax: 49 174 5203256
Brentaonosstr. 6
Frankfurt am Main, 60325, DE

Billing Contact:
Keyma GmbH Internet Services
of the Day Hostmaster ()
49 361653194-60
Fax: 49 361 653194-61
Schloesserstrasse 34
Erfurt, Thueringen 99084, DE

Name Servers:
ns.keymachine.de
ns2.keymachine.de

Creation date: 30 Mar 2005 10:20:05
Expiration date: 30 Mar 2006 10:20:05