eBay - 'New and improved account protection!'
11-Oct-2004

Summary
Email title: 'New and improved account protection!'
Scam target: eBay customers
Email format: HTML e-mail
Sender: eBay@reply3.ebay.com
Sender spoofed? Yes
Scam call to action: 'eBay is introducing a new account verification method...To confirm your identity with us click here...'
Scam goal: Getting victim's eBay username/password
Call to action format: URL link
Visible link: https://signin.ebay.com/ws2/eBayISAPI.dll?SignIn&favoritenav=&sid=&ruproduct...
Called link: http://67.154.85.178/.ws2/safeharbor.verify.ebay.com/login.php
Phish website hosted on: 67.154.85.178
 
E-mail
 
This phish uses a 'man in the middle' tactic to get your information: the phishing site captures the credentials and then uses them to log the victim into the real eBay, so the victim never sees an error. Here is how it is done. First, the e-mail:

It is a lengthy and somewhat believable explanation. The sender is spoofed and the link looks legitimate on the surface: the visible text of the link shows an https://signin.ebay.com address, while the link actually points to the bare IP address 67.154.85.178 (hovering over the link or viewing the message source reveals the mismatch). This will be able to fool a lot of people into clicking the link.
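As an added example (not part of the APWG write-up), here is the link-mismatch check an analyst or mail filter would apply to a message like this one: it parses an HTML body, pairs each anchor's visible text with its real href, and flags the tells seen here, namely a displayed https://signin.ebay.com URL whose real target is a bare IP address, the https-to-http downgrade, and 'ebay.com' appearing only in the target's path. The e-mail body and the names LinkCollector, check_link and analyze_email are constructed for this example; only the two URLs are taken from this page.

```python
"""Flag deceptive links in an HTML phishing e-mail (added example)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Brand domains we expect to see only as the real host, never in a path.
PROTECTED_DOMAINS = ("ebay.com",)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True if the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(href, text):
    """Return the reasons this anchor is deceptive (empty list if none)."""
    findings = []
    target = host_of(href)
    if not target:
        return findings
    # 1. The visible text is itself a URL, but it names a different host.
    shown = host_of(text) if "://" in text else ""
    if shown and shown != target:
        findings.append(f"visible host {shown!r} != target host {target!r}")
    if shown and urlsplit(text).scheme == "https" and urlsplit(href).scheme == "http":
        findings.append("visible link is https but target is plain http")
    # 2. The real destination is a bare IP address.
    if is_ip_literal(target):
        findings.append(f"target host is an IP literal {target}")
    # 3. A protected brand domain appears in the path but not as the host.
    path = urlsplit(href).path.lower()
    for dom in PROTECTED_DOMAINS:
        if dom in path and not belongs_to(target, dom):
            findings.append(f"{dom!r} appears in path but host is {target!r}")
    return findings


def analyze_email(html_body):
    """Map each suspicious href to its findings; clean anchors are omitted."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = {}
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed e-mail body: the two URLs are the ones reported on this page,
# the surrounding text and the second (benign) link are invented filler.
SAMPLE_EMAIL = """
<html><body>
<p>eBay is introducing a new account verification method.
To confirm your identity with us
<a href="http://67.154.85.178/.ws2/safeharbor.verify.ebay.com/login.php">
https://signin.ebay.com/ws2/eBayISAPI.dll?SignIn&amp;favoritenav=&amp;sid=&amp;ruproduct...
</a></p>
<p>Questions? See <a href="https://pages.ebay.com/help/">https://pages.ebay.com/help/</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed body, only the first anchor is reported, with four findings; the benign help link, whose visible text and href agree, produces none. The visible-text comparison only fires when the anchor text is itself a URL, so 'click here' style links are judged on their target alone.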
 
Web Site
 
The site itself is clever as well. It uses an address bar 'overwriting' technique: the page places a text window on top of the browser's real address bar, so the visitor sees the eBay https URL from the e-mail instead of the actual http://67.154.85.178/... location. The page itself is an exact replica of the eBay login page. Here is the result:
 
 

This scam, of course, has weaknesses. The most notable is the absence of the lock icon, which is suspicious given the 'https' at the beginning of the displayed URL: the faked address bar shows a secure address, but the browser has not made a secure connection, so no lock appears. Also, if the page's Properties dialog is opened, it shows the real URL, not the one in the faked address bar.

And now comes the tricky part: once the phish site has captured the username and password, it removes the address bar 'overwrite', opens the legitimate eBay login page and submits the phished data to it. If a valid username and password were entered, the whole process looks (to a regular customer) like a problem-free login to eBay, with no error to raise suspicion, and this is why it is so dangerous.

Here we have entered bogus information, and you can see that the legitimate page has rejected it. Notice the differences between the real and the phished pages:

 
 
Phish server DNS/WHOIS information:
WHOIS data (for IP 67.154.85.178):

OrgName: Internet Allegiance, Inc.
OrgID: IALG
Address: 1950 Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

NetRange: 67.152.0.0 - 67.155.255.255
CIDR: 67.152.0.0/14
NetName: IALG-ALGX-10
NetHandle: NET-67-152-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ALGX.NET
NameServer: NS2.ALGX.NET
RegDate: 2002-08-14
Updated: 2004-08-23