
eBay - 'Your account at ebay has been suspended'
21-Jul-2004

Summary
Email subject: 'Your account at ebay has been suspended'
Scam target: eBay customers
Distribution medium: HTML email
Sender:

services@ebay.com

Sender spoofed? Yes
Scam call to action: '...we had to block your eBay account...To start using your eBay account fully,Please uptake and verify your information by clicking below...'
Scam goal: Getting victim's ebay.com username/password, credit/debit card information, bank account information, contact (name, address, phone, etc.) information
Call to action format: URL link
Visible link:

http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify

Called link: http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm
Phish site on : signin_ebay_com_account.rndsystems.co.kr
 
E-mail
 
This is a fairly classic phish. The message is nicely designed; an average user would never guess it is illegitimate, since both the sender address and the visible URL look like eBay's (both are spoofed):
 
 
Web Site
Visible link:

http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify

Called link: http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm
Phish site on : signin_ebay_com_account.rndsystems.co.kr
 
The phish site itself looks very much like ebay, too:
 
 
The phishers have taken the so-called 'social engineering' approach with the URL of the phish site:
 
 
In other words: no technical trick is used to hide the phish URL from the victim. Instead, the phish site is given a deceptive hostname (one that resembles the legitimate one, with the brand's domain labels embedded as a subdomain of an unrelated domain) that fools enough users to fill the scammer's net.
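The two tricks described above, a visible link whose text names one host while its href points at another, and a hostname that smuggles the brand into a subdomain label of an unrelated registrable domain, can both be checked mechanically. The script below is an added example, not part of the original APWG write-up: it walks the anchors of an HTML email, compares the host shown in the link text with the host actually targeted, and flags lookalike subdomain labels, underscores in the hostname, and a non-standard port. Only the two URLs are taken from the write-up; the sample email body and the short public-suffix list are constructed for this example.

```python
"""Added example: detect the link-spoofing and lookalike-hostname pattern
of the eBay phish. Sample email and suffix list are constructed here."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small stand-in for the Public Suffix List. co.kr is
# included because the phish host sits under it.
MULTI_LABEL_SUFFIXES = {"co.kr", "co.uk", "com.au", "ne.kr", "or.kr"}


def registrable_domain(host):
    """Return the registrable part of a hostname (suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_labels(host, brand):
    """Subdomain labels that spell the brand once '_' and '-' are read as dots."""
    reg = registrable_domain(host)
    sub = host.lower()[: len(host) - len(reg)].rstrip(".")
    return [l for l in sub.split(".")
            if l and brand in l.replace("_", ".").replace("-", ".")]


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_anchor(href, text, brand="ebay"):
    """Return the target host, its registrable domain and a list of reasons
    the anchor looks deceptive (empty list means nothing suspicious found)."""
    target = urlparse(href)
    host = target.hostname or ""
    reg = registrable_domain(host)
    reasons = []
    # 1. Link text is itself a URL, but names a different registrable domain.
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != reg:
            reasons.append("visible URL host %s != actual host %s" % (shown, host))
    # 2. Brand appears in a subdomain label of an unrelated domain.
    if brand not in reg and lookalike_labels(host, brand):
        reasons.append("brand '%s' in subdomain of %s" % (brand, reg))
    # 3. Underscores are not valid in hostnames (RFC 952/1123).
    if "_" in host:
        reasons.append("underscore in hostname")
    # 4. A login page on a non-standard port.
    if target.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % target.port)
    return {"href_host": host, "registrable": reg, "reasons": reasons}


def scan_email(html, brand="ebay"):
    p = AnchorCollector()
    p.feed(html)
    return [analyse_anchor(h, t, brand) for h, t in p.anchors]


# Constructed sample email; the first anchor reproduces the phish's link pair.
SAMPLE_EMAIL = """
<p>To start using your eBay account fully, please verify your information:</p>
<a href="http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm">http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify</a>
<p><a href="http://pages.ebay.com/help/">eBay Help</a></p>
"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding["href_host"], "->", finding["reasons"] or "ok")
```

For the phish anchor all four checks fire; the ordinary eBay help link produces no findings. The underscore check is worth keeping even though DNS will resolve such names: hostnames in legitimate web properties almost never contain them, so an underscore in a login URL is a cheap, high-precision signal.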
A weakness in the phish is that it does not check the legitimacy of the data entered. In the 'login' screen, for example, any username/password you enter will be accepted:
 
 
Another weakness of the phish is that it demands a large amount of information, which is likely to arouse suspicion.

At the end, a nicely designed logout page appears:
 
 
The site itself is hosted on the domain of a seemingly legitimate Korean corporation:
 
WHOIS data:

Domain Name : rndsystems.co.kr

Registrant : R&D SYSTEMS
Registrant Address : Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu, Busan,
Republic of Korea
Registrant Zip Code : 617831
Administrative Contact(AC): Kang Young Gyun
AC E-Mail : rndsys@chollian.net
AC Phone Number : 0513261777
Registered Date : 2002. 05. 17.
Last updated Date : 2003. 04. 24.
Expiration Date : 2005. 05. 17.

Primary Name Server
Host Name : www.rndsystems.co.kr
IP Address : 211.33.221.36