eBay - 'Final Notification of Fraudulent Account'
20-Oct-2004

Summary
Email title: 'Final Notification of Fraudulent Account'
Scam target: eBay customers
Email format: HTML email
Sender:

eBay <aw-confirm@ebay.com>

Sender spoofed? Yes
Scam call to action: 'we had to block your eBay and PayPal account because we had been notified that your account may have been compromised by outside parties... In order that you may access your account, verify your identity by clicking here...'
Scam goal: Getting victim's credit card information, bank account information, SSN, etc.
Call to action format: a 'click here' type link
Visible link: 'clicking here' link
Called link:

http://ssl-ebayonline.com/us/aw-cgi/eBayISAPIdll.htm?Fraud+Account+Update=SSL-Secure

Phish website hosted on: 209.240.135.60
 
E-mail
 

This is a typical 'social engineering' phish. The scammers try to fool the potential victim using cunning deception (look-alike URLs, believable e-mails) rather than technical tricks.

The email carries an eBay logo, comes from a spoofed sender, does not list a suspicious URL explicitly, and is generally quite believable:

 
 
As you can see, the message is well crafted and will lead many people to click the link, which takes them to the site:
 
Web Site
Visible link: 'clicking here' link
Called link:

http://ssl-ebayonline.com/us/aw-cgi/eBayISAPIdll.htm?Fraud+Account+Update=SSL-Secure

Phish website hosted on: 209.240.135.60
 
The phish site does look nice. It has all the attributes you would expect from an eBay page - logos, links, fonts and images:
 
 

But the sheer amount of information requested should be disturbing.

The URL in the address bar is well chosen, so it can look as legitimate as possible:

 
 

But, nonetheless, this is not a page on the legitimate eBay server. Furthermore, the phish does check the validity of some of the data you enter - the credit card number, for example. This should not frighten you: credit card numbers are generated using strict rules. These rules are publicly available and can be used to check whether a CC number is well-formed. They can NOT be used to obtain information about the credit card, its owner, etc.

The site displays the following page when it 'dislikes' what was entered:

 
 

This check would catch random bogus data, and could persuade the potential victim of the legitimacy of the site.
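The 'strict rules' referred to above are public checksum rules; the Luhn mod-10 check used by the major card brands is assumed here, since the write-up does not name the rule the phish site implemented. This added example (not part of the original APWG analysis) shows why passing such a check proves nothing: it only tests the digit string's structure, a single mistyped digit fails it, and a matching check digit can be computed for any prefix, so the site learns nothing about the card or its owner from it.

```python
# Added example: Luhn (mod-10) validation, assumed to be the kind of
# "strict rule" a phishing page uses to reject obviously bogus card numbers.

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Non-digit characters (spaces, dashes) are ignored. Only the structure
    of the number is tested; nothing about the account is verified.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:          # payment card lengths
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold two-digit results back into one digit (16 -> 7).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass luhn_valid.

    Demonstrates that the rule is purely arithmetic: any prefix can be
    completed into a string that passes the check.
    """
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    # The appended check digit will occupy position 0, so the rightmost
    # digit of the partial number is at position 1 and gets doubled.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a widely published test number (constructed input).
    print(luhn_valid("4111 1111 1111 1111"))   # well-formed, passes
    print(luhn_valid("4111 1111 1111 1112"))   # one wrong digit, fails
    print(luhn_check_digit("411111111111111"))  # completes to ...1111
```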

In summary, heightened awareness and vigilance are the keys to avoiding this scam. Specific attention should be paid to the URL in the address bar.

Finally, some information on the server hosting the phish site:

 
Phish server WHOIS information:
WHOIS data (for IP 209.240.135.60)

NetRange: 209.240.128.0 - 209.240.159.255
CIDR: 209.240.128.0/19
NetName: TIERRANET
NetHandle: NET-209-240-128-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.TIERRA.NET
NameServer: NS2.TIERRA.NET
RegDate: 1998-06-15
Updated: 2001-03-13

Administrative Contact, Technical Contact, Zone Contact:
eBay and PayPal
Bronwyn Kostka-Hoenshell
1726 E. Cougar Creek Dr
Meridian, ID 83642
US
208-846-8925
w4rr3nbrasi@aol.com