Anti-Phishing Working Group

eBay - 'TKO NOTICE: Pay your fees to eBay.com'
14-Jun-2004

Summary
Email title: TKO NOTICE: Pay your fees to eBay.com
Scam target: eBay users
Email format: HTML email
Sender: aw-verify@eBay.com
Sender spoofed? Yes
Scam call to action: 'Due to our new services you have to pay your eBay fees. You can pay with your credit/debit card...You have 24 hours from the time you'll receive the e-mail to complete this eBay Request.'
Scam goal: Getting victim's eBay username/password; credit card and personal (phone/address) information
Call to action format: URL link
Visible link: http://signin.ebay.com/aw-cgi/eBayISAPI.dll?OneTimePayment&ssPageName=h:h:sin:US
Resolved URL: http://www.ebay-rulez.org/aw-cgi/SignIn.php?mail=paul@vegan4life.org.uk&eBayISAPI.dll?VerifyIdentity&ssPageName=US:&?VerifyIdentity&ssPageName=
Phish site: http://www.ebay-rulez.org

 
E-mail

This email carries no eBay logo, but it is decently crafted, appears to come from a legitimate sender (spoofed), and the URL looks fine. Its content, however, is quite disturbing, and it urges the reader to the point of threatening.


Web Site
Call to action format: URL link
Visible link: http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn
Resolved URL: http://69.90.150.97/index.php?u=verification


The phish site is hosted on a so-called 'social engineering' domain (ebay-rulez.org), and opens with an exact replica of the eBay login screen. The phishers count on deceiving the potential victim with the domain name, and the URL is not hidden in any way.
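Both link pairs recorded above show an eBay URL as the visible text while the link resolves to a different host, which a mail filter can test mechanically. The Python sketch below is an added example, not part of the original APWG report; the function names, reason labels and sample HTML body are constructed for illustration, using the hosts recorded on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL text
        return ""

def check_links(html, brand_domain="ebay.com"):
    """Return [(href, [reasons])] for anchors whose target looks deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    brand, findings = brand_domain.split(".")[0], []
    for href, text in parser.links:
        target, shown, reasons = host_of(href), host_of(text), []
        if shown and shown != target:
            reasons.append("visible-host-mismatch")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):  # dotted-quad IPv4
            reasons.append("raw-ip-target")
        on_brand = target == brand_domain or target.endswith("." + brand_domain)
        if brand in target and not on_brand:
            reasons.append("brand-in-foreign-domain")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body: hosts are those recorded on this page, paths shortened.
SAMPLE = """
<a href="http://www.ebay-rulez.org/aw-cgi/SignIn.php">http://signin.ebay.com/aw-cgi/eBayISAPI.dll?OneTimePayment</a>
<a href="http://69.90.150.97/index.php?u=verification">http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a>
<a href="http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn">Sign in</a>
"""
```

Calling `check_links(SAMPLE)` flags the first two anchors and passes the third. Visible text written without a scheme (for example `www.ebay.com`) is not parsed as a URL here, so the mismatch test skips it.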



When the 'sign in' button is eventually pushed, the next phish page opens. This phish site does not run a check on the user account/pass you send, so it will accept nonexistent information. This could be another way to recognize the scam.

This second phish page does look suspicious, at least because of the spelling error at the beginning. But it also requires quite a lot of varied information, without ever really explaining why it is needed.

The phish waits for the victim to fill in the information and press 'continue'. Then it redirects to the legitimate eBay login screen.

WHOIS (hosting server) Data:

Domain ID:D104511107-LROR
Domain Name:EBAY-RULEZ.ORG
Created On:09-Jun-2004 01:06:20 UTC
Expiration Date:09-Jun-2006 01:06:20 UTC
Sponsoring Registrar:R144-LROR
Status:TRANSFER PROHIBITED
Registrant ID:C4817541-LRMS
Registrant Name:Jose Manuel
Registrant Organization:NULL
Registrant Street1:casilla de correo 007
Registrant City:carcarana
Registrant State/Province:santa fe
Registrant Postal Code:2138
Registrant Country:AR
Registrant Phone:+0.5493416401912
Registrant Email:manejes@dearriba.com

 
