eBay - 'Update Your Account'
03-May-2005

Summary
Email title: 'Update Your Account'
Scam target: eBay users
Sender: suspension@ebay-bilIing.com
Sender spoofed/hidden? No
Scam goal: Getting the victim's eBay login information (username/password)
Phish link method: a 'Click Here' type link
Link 'masked'? Yes
Visible link: 'Click here to update your account'
Actual link to: http://verify-cgi2.reset.at/?eBayISAPI.dll&VerifyRegistrationShow&accounts&signin=eBayDLLpsy&12453574=&1012&=&=57734
Phish site IP: 64.235.234.138

 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
A 'man-in-the-middle' phishing scam.
 
E-mail
 
The email is rather simple (the screenshot of the message is not reproduced here).

The sender address is not spoofed, but it is on another domain, 'ebay-bilIing.com', rather than ebay.com. Look closely at the spelling: the second 'l' of 'billing' has been replaced with a capital 'I', which renders almost identically in most fonts, so a casual reader sees 'ebay-billing.com'. Even without the look-alike trick, a sender domain that merely contains the brand name is not the brand's domain, and this should also be treated as suspicious.
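The two email-level indicators above (a brand-named sender domain with a look-alike character, and a 'masked' link whose real host is elsewhere) are mechanical enough to check in code. The following is an added example, not part of the original APWG analysis or Tumbleweed's tooling; it uses the sender address and link from this entry as its input. The look-alike table and the two-label 'registrable domain' rule are deliberately minimal assumptions (a production filter would use the Unicode confusables data and the public-suffix list).

```python
from urllib.parse import urlparse

# Indicators copied from this archive entry.
SENDER = "suspension@ebay-bilIing.com"
ACTUAL_LINK = ("http://verify-cgi2.reset.at/?eBayISAPI.dll&VerifyRegistrationShow"
               "&accounts&signin=eBayDLLpsy&12453574=&1012&=&=57734")
BRAND = "ebay"
BRAND_DOMAIN = "ebay.com"

# Characters that pass for lowercase 'l' or 'o' in common UI fonts.
# Assumption: a minimal hand-picked table, not the Unicode confusables list.
LOOKALIKES = {"I": "l", "1": "l", "|": "l", "0": "o"}


def registrable_domain(host):
    # Assumption: the last two labels; a real check would consult the
    # public-suffix list so that e.g. 'ebay.co.uk' is handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def fold_lookalikes(text):
    """Replace characters that merely look like another letter."""
    return "".join(LOOKALIKES.get(c, c) for c in text)


def check_sender(addr):
    """Return a list of findings about the sender's domain."""
    host = addr.rsplit("@", 1)[-1]
    findings = []
    if BRAND in host.lower() and registrable_domain(host) != BRAND_DOMAIN:
        findings.append("sender domain names the brand but is not " + BRAND_DOMAIN)
    # DNS is case-insensitive, so a capital letter inside an otherwise
    # lowercase label serves only the reader's eye.
    if any(c.isupper() for c in host) and any(c.islower() for c in host):
        findings.append("mixed case in host: " + host)
    folded = fold_lookalikes(host).lower()
    if folded != host.lower():
        findings.append("host reads as '%s' after folding look-alikes" % folded)
    return findings


def check_link(href):
    """Return a list of findings about where a link really points."""
    u = urlparse(href)
    host = u.hostname or ""
    findings = []
    if registrable_domain(host) != BRAND_DOMAIN:
        findings.append("link host %s is not under %s" % (host, BRAND_DOMAIN))
        # Brand-flavoured tokens pushed into the path or query make the URL
        # look familiar while the part that matters, the host, is elsewhere.
        if BRAND in (u.path + u.query).lower():
            findings.append("brand string appears in path/query, not in host")
    return findings


if __name__ == "__main__":
    for f in check_sender(SENDER) + check_link(ACTUAL_LINK):
        print("-", f)
```

Run against this entry, `check_sender` reports the non-brand domain, the mixed case and the folded reading 'ebay-billing.com', and `check_link` reports that the host is reset.at while the eBay-looking 'eBayISAPI.dll' token sits in the query string; a genuine `signin.ebay.com` URL produces no findings.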
 
Web Site
Visible link: 'Click here to update your account'
Actual link to: http://verify-cgi2.reset.at/?eBayISAPI.dll&VerifyRegistrationShow&accounts&signin=eBayDLLpsy&12453574=&1012&=&=57734&=
Phish site IP: 64.235.234.138
 
When the site opens, the page is a replica of the eBay login screen (the screenshot is not reproduced here). However, the URL is not on the ebay.com domain, and the status bar indication is spoofed so that the victim does not see where the page really lives.

The site acts as a 'man-in-the-middle' between the potential victim and the real ebay.com: it is a relaying proxy rather than a static fake form. It passes the entered credentials to the legitimate site and attempts a login there. If that login fails, ebay.com returns an error, and the phish site displays an error message of its own, so a mistyped password does not give the scam away. If the login succeeds, the phish site saves the credentials and redirects the browser to the now-open ebay.com account. To the user this looks exactly like a normal ebay.com login, yet the username and password have been intercepted by the scammers; that is what makes this variant dangerous.
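The relay logic described above reduces to three branches, and modelling them makes clear why the victim sees nothing unusual and what the legitimate site is nonetheless in a position to notice. The block below is an added example, not code from the original page or from the phishing kit it describes: a stub stands in for ebay.com (one constructed test account, no network I/O), the phish site keeps only credentials that actually worked, and the stub records which source IP signed in to which accounts, since every relayed login arrives from the phish site's own address (64.235.234.138 in this entry). The threshold and account names are assumptions.

```python
from collections import defaultdict

PHISH_SITE_IP = "64.235.234.138"   # from the archive entry

# --- Stand-in for the legitimate site (constructed: one test account) ---
_ACCOUNTS = {"alice": "correct-horse"}
_logins_by_source = defaultdict(set)   # source IP -> usernames that signed in


def legit_login(username, password, source_ip):
    """Model of ebay.com's sign-in: returns (ok, response body).

    Also records which source IP attempted which account, the one
    vantage point the relay cannot hide from."""
    _logins_by_source[source_ip].add(username)
    if _ACCOUNTS.get(username) == password:
        return True, "302 -> https://my.ebay.com/ (account page)"
    return False, "Your sign in information is not valid"


# --- The phish site's relay logic, as the text describes it ---
harvested = []   # what the scammers keep


def phish_site_login(username, password):
    """Relay the victim's credentials upstream; keep only the ones that work."""
    ok, upstream_body = legit_login(username, password, PHISH_SITE_IP)
    if not ok:
        # Show the real site's error text: a typo must not tip the victim off.
        return {"status": 200, "body": upstream_body}
    harvested.append((username, password))
    # Hand the victim over to the real, now logged-in account; nothing looks wrong.
    return {"status": 302, "location": "https://my.ebay.com/", "body": ""}


# --- What the legitimate site could notice ---
def accounts_per_source(threshold=2):
    """Source IPs that signed in to more than `threshold` distinct accounts
    (assumed threshold; real sites would use rate and reputation signals)."""
    return {ip: sorted(users) for ip, users in _logins_by_source.items()
            if len(users) > threshold}


def demo():
    """Three victims at the phish site; returns what each side ends up with."""
    harvested.clear()
    _logins_by_source.clear()
    r1 = phish_site_login("alice", "wrong")           # victim mistypes: sees an error
    r2 = phish_site_login("alice", "correct-horse")   # victim succeeds: redirected
    phish_site_login("bob", "x")                      # more victims, wrong passwords
    phish_site_login("carol", "y")
    return r1, r2, list(harvested), accounts_per_source()


if __name__ == "__main__":
    first, second, got, flagged = demo()
    print("victim's first attempt:", first)
    print("victim's second attempt:", second)
    print("scammers hold:", got)
    print("accounts per relay IP:", flagged)
```

The failed attempt returns the upstream error with a normal 200, the successful one returns the redirect to the genuine account page, and only the working pair ends up in `harvested`; meanwhile the stub has seen three different accounts sign in from the single relay address, which is the kind of server-side signal a static fake form would never generate.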

Here is the WHOIS data for the phish site's domain. Note that this is the registry record for the parent domain reset.at, not an IP WHOIS for 64.235.234.138, and that it was last changed in 2002; the phishing host is the subdomain verify-cgi2.reset.at, so the registrant shown is not necessarily the party behind the scam.

WHOIS data (domain reset.at, the host serving 64.235.234.138):

domain: reset.at
registrant: MA1104182-NICAT
admin-c: SH1433948-NICAT
tech-c: SH1433948-NICAT
zone-c: SH1433948-NICAT
nserver: ns1.dynamicname.com
nserver: ns2.dynamicname.com
changed: 20020521 18:29:18
source: AT-DOM

personname: Maximiliam Andersen
street address: Fagelvagen 14a. 2 TR.,
postal code: SE-26140
city: Landskrona
country: Sweden
nic-hdl: MA1104182-NICAT
changed: 20020521 18:29:18
source: AT-DOM

personname: Speednames Hostmaster
street address: Speednames, Inc. Filial Danmark
street address: Store Soendervoldstraede 9
street address: DK-1419 Copenhagen K
nic-hdl: SH1433948-NICAT
changed: 20031129 04:32:19
source: AT-DOM