
eBay - 'Update Your Billing Informations'
27-Jul-2004

Summary
Email subject: 'Update Your Billing Informations'
Scam target: eBay customers
Distribution medium: an HTML email
Sender:

aw-confirm@ebay.com

Sender spoofed? Yes
Scam call to action: 'During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. ... Please update and verify your information by clicking the link below...'
Scam goal: Getting the victim's eBay and PayPal usernames/passwords, credit/debit card information, bank account information, SSN, and contact information (name, address, phone, etc.)
Call to action format: URL link
Visible link:

https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo

Called link: http://feedback-required-ebay.us/ebayHelpBilling/pages-ebay/aw-cgi/eBayISAPIdll/
Phish site on: www.feedback-required-ebay.us
 
E-mail
 
Another 'social engineering' phish attempt, targeting eBay customers. The message has an eBay header and footer, a convincing sender and a URL that looks fine at first glance. They are all spoofed:
 
 
The message looks pretty innocent, too. This could trick quite a lot of people.
 
Web Site
Visible link:

https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo

Called link: http://feedback-required-ebay.us/ebayHelpBilling/pages-ebay/aw-cgi/eBayISAPIdll/
Phish site on: www.feedback-required-ebay.us
 

When the phish site opens, the 'social engineering' approach comes into play. The phishers have created a site that, although not the actual eBay site, uses the same colors, fonts and graphics:

 
 
And the URL in the address bar is:
 
 
Now, this is NOT the eBay URL, but it does LOOK like it. Such a trick would fool users with little knowledge of the internet, which is a wide segment of potential victims.
However, the site demands a great deal of information, which is quite suspicious. And it does not check the information entered (the usernames/passwords, for example) for validity: the phish will accept the form even with all fields empty. Then, a confirmation screen shows up:
 
 
And the 'proceed...' link leads to the legitimate eBay login page.
 
Unlike most phish sites, which are hosted somewhere in Asia, this one resides on a Yahoo server:
 
WHOIS data:

Domain Name: FEEDBACK-REQUIRED-EBAY.US
Domain ID: D6361451-US
Sponsoring Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Status: ok
Registrant ID: A108887329237143
Registrant Name: Mrs Mary A Sager
Registrant Organization: Mrs Mary A Sager
Registrant Address1: 8962 LaRue-Green Camp Rd.
Registrant City: LaRue
Registrant State/Province: OH
Registrant Postal Code: 43332
Registrant Country: United States
Registrant Country Code: US

Technical Contact Name: YahooDomains TechContact
Technical Contact Organization: Yahoo! Inc

Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM