eBay - "NOTICE eBay Obligatory Verifying - Invalid User Information"
09-Mar-2004

| Summary |
| Email title: | "NOTICE eBay Obligatory Verifying - Invalid User Information" |
| Scam target: | eBay customers |
| Email format: | HTML e-mail |
| Sender: | S-Harbor@eBay.com |
| Sender spoofed? | Yes |
| Scam call to action: | "... We regret to inform you that your home phone number had an error on Ebay Inc. databases... ... To provide us with your phone number, just click the link below..." |
| Scam goal: | Getting victim's credit card, phone/address, SSN and eBay account information |
| Call to action format: | URL link to an HTML form |
| Visible link: | https://cgi1.ebay.com/aw-cgi/ebayISAPI.dll? |
| Called link: | http://cgi1.ebay.com.aw-cgiebayISAPI.dll%00@210.93.131.250/my/index.htm |
| Website: | http://210.93.131.250/my/index.htm - still active as of 10-Mar-04 |

| E-mail |
- The message looks suspicious:
  - It uses an impersonal greeting (the "Dear User" type)
  - There are no eBay logos, branding or other identification features.
  - The message is not from an identifiable person in eBay

| Web Site |
| Visible link: | https://cgi1.ebay.com/aw-cgi/ebayISAPI.dll? |
| Called link: | http://cgi1.ebay.com.aw-cgiebayISAPI.dll%00@210.93.131.250/my/index.htm |
| Resolved URL: | 210.93.131.250/my/index.htm |
| Reverse DNS: | IP Address 210.93.131.250 resolves to: (unable to resolve 210.93.131.250) |
| WHOIS info: | IP Address: 210.93.128.0-210.93.191.255; Network Name: LOTTE; Connect ISP Name: ISP-1; Name: Hyungju Bae; Org Name: Lotte Data Communication Company; State: SEOUL; Address: 98-6 Kalwol-Dong Yongsan-Ku |
| Web form: | FORM action=http://210.93.131.250/cgi-bin/thanks.cgi method=post |

- When the user clicks on the link, an HTML form opens up.
- The form asks for the kind of information that should make recipients suspicious, e.g.:
  - User ID and password
  - Date of birth
  - SSN
  - Credit card number
  - ATM bank PIN
  - Phone number
- The URL of the web site showing in the browser is a numeric IP address, not ebay.co
- The web form sends captured data to a cgi script on the same server
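
The called link above places an eBay-looking name in the userinfo part of the URL (everything before `@`), so the host actually contacted is the numeric IP address. The following check is an added example, not part of the original report: it compares the visible and called links from the tables above and lists the mismatches a mail filter could flag. The function name `analyze_link`, the finding labels and the benign sample URL are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Values taken from the report above.
VISIBLE = "https://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?"
CALLED = "http://cgi1.ebay.com.aw-cgiebayISAPI.dll%00@210.93.131.250/my/index.htm"
# Constructed benign case: link text and href agree.
BENIGN = "https://www.example.com/help"


def analyze_link(visible_text: str, href: str) -> dict:
    """Compare the URL shown to the reader with the URL the anchor really calls."""
    shown, called = urlsplit(visible_text), urlsplit(href)
    host = called.hostname or ""  # urlsplit discards everything before '@'
    userinfo = called.netloc.rpartition("@")[0]
    findings = []

    if userinfo:
        # The part before '@' is only a username, so it can be made to
        # look like a trusted hostname while the real host follows it.
        findings.append("userinfo-in-url")
        if any(ord(c) < 0x20 for c in unquote(userinfo)):
            findings.append("encoded-control-char-in-userinfo")  # e.g. %00
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not an IP literal
    if shown.hostname and shown.hostname != host:
        findings.append("visible-host-mismatch")
    if shown.scheme == "https" and called.scheme != "https":
        findings.append("visible-https-called-plaintext")

    return {"real_host": host, "decoy": unquote(userinfo), "findings": findings}


if __name__ == "__main__":
    for text, href in [(VISIBLE, CALLED), (BENIGN, BENIGN)]:
        print(href, "->", analyze_link(text, href))
```
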