eBay - 'TKO NOTICE: eBay Registration Suspension - FIELDS LEFT BLANK'
04-Oct-2004

Summary
Email title: 'TKO NOTICE: eBay Registration Suspension - FIELDS LEFT BLANK'
Scam target: eBay customers
Email format: HTML e-mail
Sender: aw-verify@eBay.com
Sender spoofed? Yes
Scam call to action: 'Our records indicate that you haven't submited the correct information to update your account. Please re-update your account'
Scam goal: Getting victim's ebay.com username/password, credit/debit card information, contact (name, phone, address)
Call to action format: URL link
Visible link: http://pages.ebay.com/update/eBayDLLupdate.dll
Called link: http://signin.ebay.com.zaga-zaga.us/a/aw-cgi/SignIn.html
Phish website hosted on: zaga-zaga.us
 
E-mail
 
This eBay phish is simple, yet it could be convincing to many - it has a reminder-like feel:
 
 
The URL link and the sender are spoofed, of course - which adds to the effect.
 
Web Site
Visible link: http://pages.ebay.com/update/eBayDLLupdate.dll
Called link: http://signin.ebay.com.zaga-zaga.us/a/aw-cgi/SignIn.html
Phish website hosted on: zaga-zaga.us
 
The phish site opens up with a replica of the legitimate eBay login screen. The only difference between it and the real thing is the contents of the address bar:
 
 
As you see, the URL does look like eBay, but it is not. You should be very careful with the URLs of such financially related sites - scammers often create URLs that look like the legitimate one. The best way to avoid being scammed like this is to open a new browser and type the URL manually (or open a bookmark you are sure leads to the legitimate site).
 
The next phish page is where the personal information is being phished:
 
 
You can see some spelling errors on it - definitely a sign of something wrong happening. The URL in the address bar looks much like the previous one.
 
After the information is sent (the site won't check it for validity - anything will do), a sign out page appears:
 
 
As mentioned earlier, the major clue you can have is the URL in the address bar. If you are not certain you can 'decipher' it, open a new window and type the legitimate URL manually.
 
Phish server DNS/WHOIS information:
WHOIS data (for IP 209.35.123.41):

Domain Name: ZAGA-ZAGA.US
Domain ID: D6631890-US
Sponsoring Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Status: ok
Registrant ID: A109397938662111
Registrant Name: Sandra Cook
Registrant Organization: Sandra Cook
Registrant Address1: 4525 NE Blue Jay Drive
Registrant City: Lees Summit
Registrant State/Province: MO
Registrant Postal Code: 64064
Registrant Country: United States
Registrant Country Code: US