eBay- 'Account Suspension Notice - Section 9'
19-Nov-2004

Summary
Email title: 'Account Suspension Notice - Section 9'
Scam target: eBay customers
Email format: HTML email
Sender: eBay Customer Support <aw-confirm@ebay.com>
Sender spoofed? Yes
Scam call to action: 'your eBay account has been suspended due to the violation of our site policy... If you would like your account to be considered for reinstatement, please click on the link below, and provide us additional information...'
Scam goal: Getting victim's ebay username/password, email address
Call to action format: URL link
Visible link: http://signin.ebay.com//aw-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US
Actual URL link to: http://cgi3.ebay.com.wws2.us/.update/aw-cgi/eBayISAPI.dll/index.html
Phish website hosted on: 66.218.79.148
 
E-mail
 
This phish falls into the 'social engineering' category, i.e. it relies on con tactics rather than technical means to scam the potential victim. In this type of phishing message the email is usually well designed, and the URL of the phish site is not disguised. A URL that is similar to the legitimate one (or instills legitimacy) is chosen instead. The message sender is spoofed, and the URL link is 'masked': the visible link text shows the legitimate eBay sign-in address while the underlying link points to the phish site.
 
 
Web Site
 
Once the link is clicked, the phish site opens. The URL is plainly visible, and the 'social engineering' approach can be seen. Another suspicious sign is the browser rendering error indicator (unlikely on a legitimate web page). The site being an unsecured one (http instead of https) is also a very strange fact.
 
 
After some information has been entered, the following page is displayed:
 
 
Obviously, the phisher has just skipped the usual 'logout' screen.
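As an added example (not part of the APWG report), the following Python flags the three tells described in the E-mail and Web Site sections above: anchor text naming one host while the href points to another, the brand domain embedded as a subdomain of an unrelated domain (ebay.com inside cgi3.ebay.com.wws2.us), and a plain-http landing page. The sample message and the LEGIT_DOMAINS set are constructed assumptions, not data from the report.

```python
# Added example, not from the APWG report; domains and the sample message are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"ebay.com"}  # assumption: the brand's real registrable domain
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.I | re.S)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels: fine for .com/.us, not for ccSLDs such as .co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_anchor(href, text):
    """Findings for one link; an empty list means nothing looked odd."""
    findings, parsed = [], urlparse(href)
    real_host = (parsed.hostname or "").lower()
    if parsed.scheme == "http":
        findings.append("plain-http")            # landing page without TLS
    shown = _URLISH.match(text.strip())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
        findings.append("masked-link")           # text shows one host, href goes elsewhere
    for legit in LEGIT_DOMAINS:
        if f".{legit}." in f".{real_host}." and registrable_domain(real_host) != legit:
            findings.append("lookalike-domain")  # brand domain buried inside another domain
    return findings

def scan_email(html):
    """Map each href in the message to its findings."""
    parser = _AnchorCollector()
    parser.feed(html)
    return {href: check_anchor(href, text) for href, text in parser.anchors}
# Constructed sample modelled on the report's visible/actual link pair.
SAMPLE = ('<p><a href="http://cgi3.ebay.com.wws2.us/.update/aw-cgi/eBayISAPI.dll/index.html">'
          'http://signin.ebay.com//aw-cgi/eBayISAPI.dll?SignIn&amp;ssPageName=h:h:sin:US</a></p>'
          '<p><a href="https://signin.ebay.com/">signin.ebay.com</a></p>')
```

Calling scan_email(SAMPLE) returns all three findings for the wws2.us link and none for the genuine https://signin.ebay.com/ link; the registrable-domain helper is deliberately simple and would need a public-suffix list for two-level ccTLDs.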
 
WHOIS data (for IP 66.218.79.148):

NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
NetName: A-YAHOO-U23
NetHandle: NET-66-218-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM