eBay "eBay info"
01-Mar-2004
| Summary | |
|---|---|
| Email title: | "eBay info" |
| Scam target: | eBay users |
| Email format: | HTML e-mail |
| Sender: | user-billing5@eBay.com |
| Sender spoofed? | Yes |
| Scam call to action: | "...your access to bid or buy on eBay has been restricted. To start using eBay account fully, please update and verify your information by cIicking below:" |
| Scam goal: | Capture account username and password, credit card, ATM, and identity information |
| Call to action format: | URL link to a web page |
| Visible link: | https://scgi.ebay.com/saw-cgi/eBaylSAPl.dII?Verifylnformation |
| Called link: | http://scgi.ebay.com%6Csaw-cgi%6C%6C%6C@%36%34%2E%32%33%31%2E%37%38%2E%39%36:%34%39%30%33/%64%6C/%69%6E%64%65%78%2E%68%74%6D |
| Website: | Site still active as of 03-Mar-04 |
E-mail

- This phish tries to get the recipient to click on a seemingly valid link in an e-mail message.
- The message itself looks a bit suspicious - it includes a number of clues that it is not valid:
  - The email is not personalized - that is, it does not address the recipient by name
  - The spacing/layout of the email is strange - the text does not wrap to the next line
  - There are no eBay logos, branding or other identification features.
  - The message is not from an identifiable person in eBay
| Web Site | |
|---|---|
| Visible link: | https://scgi.ebay.com/saw-cgi/eBaylSAPl.dII?Verifylnformation |
| Called link: | http://scgi.ebay.com%6Csaw-cgi%6C%6C%6C@%36%34%2E%32%33%31%2E%37%38%2E%39%36:%34%39%30%33/%64%6C/%69%6E%64%65%78%2E%68%74%6D |
| Resolved URL: | http://64.231.78.96/dl/index.htm |
| Reverse DNS Lookup: | IP Address 64.231.78.96 resolves to: HSE-Toronto-ppp306878.sympatico.ca (sympatico.ca appears to be a trademark managed by Bell Canada) |
| WHOIS results for 64.231.78.96 | Bell Canada BELLCANADA-5 (NET-64-228-0-0-1) 64.228.0.0 - 64.231.255.255; Bell Nexxia (HSE) NEXXIAJ10-CA (NET-64-231-0-0-1) 64.231.0.0 - 64.231.95.255 |
- When the user eventually clicks on the link, an HTML page is called that redirects the browser to the eBay home page and pops up a "Security Update" window
  - the eBay window is real/valid
  - the Security Update window is a scam (note that the Address bar is suppressed)
- The Security Update window asks for the kind of information that should make recipients suspicious, e.g.:
  - User ID and password
  - Date of birth
  - SSN
  - Credit card number
  - ATM bank PIN
- The URL appears to be an IP address in Bell Canada's network, possibly a hacked website
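The called link relies on two URL-syntax tricks: everything before the `@` in the authority is *userinfo*, which a browser ignores when choosing the server, and the real host, port and path are percent-encoded so that they do not read as an IP address. The following Python script is an added example, not part of the APWG report: it takes the visible and called links quoted above, decodes them the way RFC 3986 splits an authority (`[userinfo "@"] host [":" port]`), rebuilds the target the browser actually connects to, and applies a few flags a mail gateway or link scanner could raise. Decoding the full authority also yields an explicit port, 4903, which the Resolved URL line in the table omits. The flag names and heuristics are my own; only the standard library is used.

```python
"""Decode the obfuscated "called link" and flag the tricks it relies on.

Added example; not part of the APWG report. The two URLs below are the
visible and called links quoted in the report; the decoding rules are
plain RFC 3986 (authority = [userinfo "@"] host [":" port]), and nothing
eBay-specific is assumed.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Links exactly as quoted in the report. The visible link's text already
# swaps letters (lowercase L for capital I in "eBaylSAPl.dII"); the called
# link hides the real host behind a domain-looking userinfo and an '@'.
VISIBLE_LINK = "https://scgi.ebay.com/saw-cgi/eBaylSAPl.dII?Verifylnformation"
CALLED_LINK = (
    "http://scgi.ebay.com%6Csaw-cgi%6C%6C%6C@"
    "%36%34%2E%32%33%31%2E%37%38%2E%39%36:%34%39%30%33"
    "/%64%6C/%69%6E%64%65%78%2E%68%74%6D"
)


def decode_url(url):
    """Return the percent-decoded components a browser would actually use.

    The authority is split by hand: everything before the last '@' is
    userinfo (ignored when choosing the server), and urlsplit().port would
    raise on a percent-encoded port such as '%34%39%30%33'.
    Bracketed IPv6 literals are not handled; the report only involves IPv4.
    """
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, sep, port = hostport.rpartition(":")
    if not sep:  # no ':' at all, so the whole thing is the host
        host, port = hostport, ""
    return {
        "scheme": parts.scheme,
        "raw_hostport": hostport,          # still encoded, used for a flag below
        "userinfo": unquote(userinfo),
        "host": unquote(host).lower(),
        "port": unquote(port),
        "path": unquote(parts.path),
        "query": unquote(parts.query),
    }


def resolved_url(url):
    """Rebuild the URL with userinfo dropped and all percent-encoding removed."""
    d = decode_url(url)
    netloc = d["host"] + (":" + d["port"] if d["port"] else "")
    query = "?" + d["query"] if d["query"] else ""
    return f"{d['scheme']}://{netloc}{d['path']}{query}"


def obfuscation_flags(url):
    """Heuristics a mail gateway or link scanner can apply to a single URL.

    Flag names are this example's own, not a standard vocabulary.
    """
    d = decode_url(url)
    flags = []
    if d["userinfo"]:
        flags.append("userinfo_before_at")              # text before '@' is not the host
    if "." in d["userinfo"]:
        flags.append("hostname_lookalike_in_userinfo")  # userinfo styled like a domain
    if "%" in d["raw_hostport"]:
        flags.append("percent_encoded_host_or_port")    # a host never needs encoding
    try:
        ipaddress.ip_address(d["host"])
        flags.append("ip_literal_host")                 # bare IP instead of a brand domain
    except ValueError:
        pass
    if d["port"] and d["port"] not in ("80", "443"):
        flags.append("nonstandard_port")
    return flags


def display_mismatch(visible, called):
    """True when the anchor text and the href point at different hosts."""
    return decode_url(visible)["host"] != decode_url(called)["host"]


if __name__ == "__main__":
    print("resolved:", resolved_url(CALLED_LINK))
    print("flags:", obfuscation_flags(CALLED_LINK))
    print("display mismatch:", display_mismatch(VISIBLE_LINK, CALLED_LINK))
```

Run as a script it prints the decoded target `http://64.231.78.96:4903/dl/index.htm`, five flags for the called link, and a host mismatch between what the recipient sees and where the click goes. A legitimate `https://www.ebay.com/` link raises no flags, which is the point of the heuristics: none of them depend on a blocklist, only on URL structure that a genuine brand link has no reason to use.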