| Summary |
| Email title:           | "Question for seller -- Item #..." |
| Scam target:           | eBay users |
| Email format:          | A text email |
| Sender:                | A variety of senders using mailboxes on free, web-based mail services (such as yahoo.com) |
| Sender spoofed?        | No |
| Scam call to action:   | "To view the item, go to ..." |
| Scam goal:             | Installing malicious software (a keylogger) on the victim's computer and capturing the victim's eBay account username and password |
| Call to action format: | URL link |
| Visible link:          | http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=... |
| Called link:           | http://68.99.108.238:6688/ |
| Resolved site:         | http://68.99.108.238:6688/ |
| E-mail |
This e-mail looks quite innocent: a message about some small-time eBay auction, of the kind many people take part in. It is plain, with just a single eBay logo on it. A large number of variations of this message are in circulation, however, and that makes the attack potentially more harmful (different subject lines and wordings defeat simple keyword filtering).
The link in the message also looks legitimate: the visible text is a genuine-looking eBay item URL, while the actual target is the raw IP address on port 6688 listed above.
[Screenshot of the phishing e-mail]
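The mismatch between the visible link text and the real target is the one reliable tell in this message, and it is easy to check mechanically. The following is an added example, not code from the original report: it parses an HTML message body with the Python standard library, collects every anchor, and flags any whose displayed URL points to a different host than the href, whose href targets a bare IP address, or whose href uses a non-standard port. The sample e-mail body is constructed here to mirror the message described above (the visible eBay item URL with its elided item number, the href to 68.99.108.238:6688); it is not the original message.

```python
"""Flag anchors in an HTML e-mail whose visible text hides the real target.

Added example (not part of the original report). Uses only the standard library.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample body modelled on the "Question for seller" message above.
# The displayed text is an eBay item URL; the href is a raw IP on port 6688.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="logo.gif" alt="eBay">
<p>Hello, I have a question about your item. To view the item, go to
<a href="http://68.99.108.238:6688/">http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&amp;item=...</a>
</p>
<p>Thanks, <a href="http://www.ebay.com/">eBay</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&amp;" in text becomes "&"
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons this anchor looks deceptive (an empty list if none)."""
    reasons = []
    real = urlsplit(href)
    real_host = (real.hostname or "").lower()
    # Only compare hosts when the visible text itself is written as a URL.
    shown_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
    if shown_host and shown_host != real_host:
        reasons.append("visible URL host %r differs from real host %r" % (shown_host, real_host))
    if is_ip_literal(real_host):
        reasons.append("real link targets a bare IP address")
    if real.port not in (None, 80, 443):
        reasons.append("real link uses non-standard port %d" % real.port)
    return reasons


def find_deceptive_links(html):
    """Parse an HTML body and return every anchor that trips at least one check."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f["href"], "shown as", f["text"] or "(no text)")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample, the eBay item link is reported with all three reasons while the plain "eBay" signature link passes, because it shows no URL in its text and points at a named host on the default port. A mail gateway or client-side filter can apply the same three checks before the user ever sees the message.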
| Web Site |
| Visible link:  | http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=... |
| Called link:   | http://68.99.108.238:6688/ |
| Resolved site: | http://68.99.108.238:6688/ |
What makes this case interesting is that it combines phishing with spyware.
When the link is clicked, the web site attempts to run an Internet Explorer exploit (detected by anti-virus vendors as MHTMLRedir.Exploit, which abuses the browser's MHTML handler) against the visitor. Essentially, the exploit executes code on the PC without any prompt or permission. In this case it is used to install a keylogger, which then captures usernames and passwords as they are typed, including the victim's eBay credentials. Note that the victim never has to fill in a fake eBay login page: merely following the link with an unpatched browser is enough.
This exploit is detected by on-access (real-time) anti-virus software, so make sure yours is running and updated frequently. Anti-virus only catches variants it knows about, however; installing the Internet Explorer security updates closes the hole itself.
| WHOIS data (easy to fake): | Cox Communications Inc. COX-ATLANTA-2 (netblock record for 68.99.108.238) |