eBay - 'Update or verify your account informations'
07-Dec-2004

Summary
Email title: 'Update or verify your account informations'
Scam target: eBay users
Email format: HTML email
Sender: eBay <update@ebay.com>
Sender spoofed? Yes
Phish 'punch line': 'we have detected a slight error in your billing information... This might be due to either of the following reasons... Please update and verify your information by clicking the link below...'
Scam goal: Getting victim's eBay username and password, bank account information
Phish link method: URL link
Visible link: http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdate
Link 'masked'? Yes
Actual link to: http://67.18.151.194/~haibace/cgi-bin/ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info/eBay/signin.html
Phish website: 67.18.151.194
 
E-mail
 

This phish relies on a long string of seemingly legitimate words to lengthen the phish URL so that it looks legitimate.

The phish email is plain, but believable:

 
 
The link is 'masked' and the sender is spoofed, which adds to the persuasiveness.
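
The traits described in this report (visible link text naming a different host than the real target, a raw IP address as host, no https, and brand words padded into the path) can be checked mechanically when triaging an HTML email. The following is an added example, not part of the original report; the function names, finding labels and the benign second link are assumptions made for illustration:

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html_body, brand="ebay"):
    """Return [(href, [findings])] for the traits this report describes."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    results = []
    for href, text in parser.links:
        target = urlsplit(href)
        real = (target.hostname or "").lower()
        shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
        checks = [
            ("masked", bool(shown) and shown != real),   # visible URL names another host
            ("ip-host", is_ip_literal(real)),            # raw IP instead of a domain
            ("no-tls", target.scheme == "http"),         # no secure session, no padlock
            ("brand-in-path", brand not in real and target.path.lower().count(brand) >= 2),
        ]
        results.append((href, [name for name, hit in checks if hit]))
    return results

# Constructed sample body: link values from the report plus one benign link.
PADDING = "-".join(["ebay-update-account-details-info"] * 6)
SAMPLE_HTML = ('<a href="http://67.18.151.194/~haibace/cgi-bin/%s/eBay/signin.html">'
               'http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdate</a>'
               '<a href="https://signin.ebay.com/">Sign in</a>') % PADDING
```

The brand-in-path check is a substring heuristic, so a host that merely contains the brand name as a subdomain label would need a stricter registered-domain comparison.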
 
Web Site
The main feature of the phish site is the pile of legitimate-looking words in the URL, as mentioned above:
 
 

The absence of a lock icon in the status bar indicates that the site has not initiated a secure session - which is very alarming.

Otherwise, the site looks perfectly ok.

After the initial 'login', the URL remains basically the same, and the main phish page opens:

 
 
The site will not check whether the entered information is valid in any manner - it will just redirect to the legitimate eBay login page:
 
 
Notice how the real page differs in having a legitimate URL, prefixed by https:// (not just http://), and the padlock icon is on.
 
WHOIS information (for IP 67.18.151.194):
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 67.18.0.0 - 67.19.255.255
CIDR: 67.18.0.0/15
NetName: NETBLK-THEPLANET-BLK-11
NetHandle: NET-67-18-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2004-03-15
Updated: 2004-07-29