FW: e-bay

I guess e-bay had some problems? A few users got this message from them.

^^^^^^^

Looks like another scam

Simon

> I guess e-bay had some problems? A few users got this message from them.
>
> Dear eBay user!
>
> At 09.24.2003 our company has lost a number
> of accounts in the system during the database
> maintenance. If you have an active account, please
> click on the link below to update your credit card
> information. If you have problems with your account, please let us know
> at email support@ebay.com <mailto:support@ebay.com>
>
> https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> <https://e%31bay.com/saw-cgi/?UpdateInformation>

The fact that the url is e-bay.com and they don't have a valid certificate
is a good indication that this is a scam. There are lots of them that look
very similar.

K

> I guess e-bay had some problems? A few users got this message from them.
>
> Dear eBay user!
>
> At 09.24.2003 our company has lost a number
> of accounts in the system during the database
> maintenance. If you have an active account, please
> click on the link below to update your credit card
> information. If you have problems with your account, please let us know
> at email support@ebay.com <mailto:support@ebay.com>
>
> https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
> <https://e%31bay.com/saw-cgi/?UpdateInformation>

This is a clever attempt to harvest ebay account information.

The message, with the subject "Official Notice for all eBay users"
consists of 2 parts:

1. An html section, which includes a link to (don't click on this)
http://scgi.ebay.com@%32%31%31%2E%32%31%37%2E%32%32%34%2E%31%30%32:%34%39%30%31/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D,
and
a display of "pic.gif".

2. A base 64 attachment - pic.gif.

What you normally see when you open the message is just the gif file.
But the gif appears to be text, including a picture of the text asking
you to click on
"http://scgi.ebay.com/saw-cig/eBayISAPI.dll?VerifyInformation"

But the real link (as might be displayed at the bottom of your mail client
window if it gives you a preview of links) is the one shown in #1. And
that link doesn't go to ebay.com - it really goes to 211.217.224.102, port
4901. That is because everything in front of the "@" is treated by your
browser as data (a userid, in theory) to be passed to the target host, not
as the host name.

That target web server, when it was working, displayed a page that is
forged to look like an ebay page, asking you to reenter your ebay
userid and password. Don't do it!

Today, the host at 211.217.224.102 is no longer listening on port
4901.

Tony Rall
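As an added example (not code from any poster in this thread), the Python below applies the two tricks Tony describes, a percent-encoded host and decoy text in front of an "@", to the links quoted above and reports where a browser would really connect. The sample URLs are reproduced from the messages; treating `ebay.com` as the brand domain to check against is an assumption.

```python
from urllib.parse import urlsplit, unquote

# Constructed samples: the two deceptive links quoted in the messages above.
SAMPLE_URLS = [
    "https://e%31bay.com/saw-cgi/?UpdateInformation",
    "http://scgi.ebay.com@%32%31%31%2E%32%31%37%2E%32%32%34%2E%31%30%32"
    ":%34%39%30%31/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D",
]


def resolve_target(url):
    """Return the scheme, host, port and path a browser would really use,
    plus any decoy 'userinfo' text that sat in front of an '@'."""
    parts = urlsplit(url)
    netloc, decoy = parts.netloc, None
    if "@" in netloc:
        # Everything before the last '@' is userinfo, not the host name.
        decoy, netloc = netloc.rsplit("@", 1)
        decoy = unquote(decoy)
    host, _, port = netloc.partition(":")
    host = unquote(host).lower()  # e%31bay.com -> e1bay.com
    port = int(unquote(port)) if port else (443 if parts.scheme == "https" else 80)
    return {"scheme": parts.scheme, "host": host, "port": port,
            "path": unquote(parts.path), "decoy": decoy}


def indicators(url, brand_domain="ebay.com"):
    """List the reasons a link should be treated as a phishing attempt.
    brand_domain is an assumed parameter: the domain the mail claims to be from."""
    info = resolve_target(url)
    reasons = []
    if info["decoy"] is not None:
        reasons.append("userinfo decoy %r hides real host %s" % (info["decoy"], info["host"]))
    if "%" in urlsplit(url).netloc:
        reasons.append("percent-encoded host or port")
    under_brand = info["host"] == brand_domain or info["host"].endswith("." + brand_domain)
    if not under_brand:
        reasons.append("real host %s:%d is not under %s" % (info["host"], info["port"], brand_domain))
    return reasons


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", resolve_target(u), indicators(u))
```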

It's sad how many people get taken in by obvious and less obvious scams like this.... But I guess this is as old as the "knock knock: Wallet inspector."...
There was a similar paypal scam that had "click here to go to www.paypal.com" which looked and displayed nice and legit in the email, but the href really sent you to a site in Korea that looked exactly like the paypal login screen.... "Thank you for verifying your information".... Indeed!

         ---Mike

this is most definitely a combination credit card & ebay account scam..

this has happened numerous times over the last year and, in many cases the offender has also used the hijacked account information to offer items for sale & set up phoney escrow companies to lull the purchaser into putting up the funds..

the scale of this fraud is, frankly, huge, but many companies like ebay & paypal downplay it to avoid tainting the legitimacy of their respective businesses

ken stubbs

I went through the steps to report it to ebay and paypal via their web interface. I got an email requesting the original message, I bounced it to them the same day quoting the appropriate ticket #. A day or so later a human being had sent a template email saying yes, it's a scam etc etc and that they were investigating and that was that. 2 days later, the IP is dead.

I really feel for them. The scam site is in Korea, the email was sent via an open proxy on a cable modem in the US somewhere. Big or small, I doubt it's an easy job coordinating international law enforcement to 'whack a mole' essentially. In my case, the initial IP that was in the scam mail was gone 2 days after I reported it. I don't know if that was weeks after someone else or if they did get it shut down in 48hrs. But 3 days later, I got another email with the same scam, this time to a different provider in Korea.... Next.

         ---Mike

Korea has a very large number of reliably- and permanently-connected windows boxes in comparison to most other countries (the OECD numbers on broadband access in 2001 ranked Korea way up there at the top of the list, with Canada a distant second, or so I heard on the radio the other day). You can buy residential 20Mbit/s VDSL services there over the phone, as a regular service, and people do.

Given this, I'm guessing that if you choose a windows box with a stable connection on the net at random, chances are good that it's in Korea.

All the network operators I have in Korea are both efficient and technically proficient, and I certainly didn't get any impression that people were lax or in any way irresponsible with respect to running networks: the fact that the networks there are still functioning at all suggests they are well-practiced at dealing with infected windows boxes. It seems to be much less common to find people who speak English in Korea than it is in other places in Asia, though, which might help explain apparent unresponsiveness to complaints which are not written in Korean.

So, here's my point (and I know I'm rambling, come on, it's a Friday): when every other back trace leads to Korea, it's not necessarily because Korea is irresponsible or incompetent; in terms of the global distribution of windows-based worm factories, they just account for a disproportionate amount of the Internet.

Given the numbers of clients they have to deal with it's eminently possible that they're doing a much better job, in relative and general terms, than operators in the US, Europe and Australasia.

Joe

Yes, I should have clarified this. I don't think the folks in Korea are any more or less competent than their NA counterparts -- be that end user or operator. In my case, the open relay was an Adelphia cable user on the US east coast somewhere. I think from a criminal's point of view it's more desirable to locate offshore as it will be more difficult due to language, legal and even time differentials to track down the people controlling the victim host site.

         ---Mike

> Yes, I should have clarified this. I don't think the folks in Korea
> are any more or less competent than their NA counterparts -- be that
> end user or operator.

Unfortunately, my experience is that system managers in Korea are
considerably less competent than their NA counterparts. The managers
are not stupid, but they are hopelessly underqualified. Korea made a
big push to wire the country for broadband without any consideration
of who would run the gazillion computers with their swell new
high-speed permanent connections. So they did things like setting up
every school in the country with servers with identical Windows
configs that are all subject to the same wide range of well known
Windows exploits. Many of the people who are by default in charge of
these systems wouldn't know what to do with Windows Update even if
they could read the English language instructions, because they have
no computer background.

That, along with an extremely ill-advised law that made spam legal if
you put the Korean version of ADV: in the subject line, is why I set
up the korea.services.net DNSBL which blocks all the networks in Korea
except for a handful of networks with responsive admins and low spam
counts. I'll be very happy to take out networks that solve their spam
problems, but so far none have done so.

Now and then someone writes and says "I fixed my open relay, please
unlist me" (no, it's not a list of individual open relays) or "your
list blocks mail that is very very important" (quite possibly, but
it's not as important to me as blocking the thousands of spams that
your ISP would otherwise have sent me and whoever it is that's using
the list to reject your mail.)

The Korean government knows that they've dug themselves a hole, but
it'll be a while until they dig themselves out of it. In the
meantime, my DNSBL continues to block a heck of a lot of spam and I
can live without the two legit messages a year that I otherwise would
have gotten from Korea.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, John R. Levine, Sewer Commissioner
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web