Welcome to the MacNN Forums.

MacMan4000 · Apr 15, 2005, 11:26 PM

I got an email today that supposedly came from eBay billing department. That alone is suspicious to me. The "sign in" page it links to is not hosted by eBay... dead give away...

Heres the email:

*
[eBay logo]

Dear eBay customer,

During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.

This might be due to either of the following reasons:

1. A recent change in your personal information ( i.e.change of address).
2. Submiting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.

Please update and verify your info rmation by clicking the link below:

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn

If your account information is not updated within 48 hours then your ability to sell or bid on eBay will become restricted.

Thank you,

The eBay Billing Deptartment .

[trust-e logo]

(and all that white space is from the original email... I didn't add any of that.)

If you put the fake sign-in in one tab, and the real one in another, and swap back and forth, you ill see that they are very similar. Damn near identical. But the scary thing is that it wont take a fake sign in... Pretty realistic. It even has the little lock icon in the top corner of Safari. I'm afraid to use my real username, so I don't know what it shows on the next page..

The email came from 81.196.162.153 which, according to a quick whois query, is registered to "RIPE Network Coordination Centre" in Amsterdam. but farther down the search is mentions "Romania Data Systems"...

the fake sign-in is hosted on 203.73.53.120, which is in taipei, taiwan.

Pretty shady if you ask me. Romania? Amsterdam? Tiawan? illegal activity... oh yeah.

Just for reference, eBay's IP is 66.135.208.90... and is registered to, get this, EBAY, in San Jose, California! Not Romania.

Just thought I'd warn all you gullible dudes (and dudettes) out there.

starman · Apr 15, 2005, 11:28 PM

Fake

Angus_D · Apr 16, 2005, 05:51 AM

Uh, there have been phishing scams with eBay and PayPal for years now...

Athens · Apr 16, 2005, 06:02 AM

When you sign in with crap it tries to install a virus

https://203.73.53.120/ also takes you to a chinese web site

mitchell_pgh · Apr 16, 2005, 07:13 AM

A good rule of thumb is to never trust email.

If something looks legit, open up a blank web browser (do not click the link in the email), go to the site in question, and try to open your account.

It's always been a good rule for me.

Athens · Apr 16, 2005, 07:51 AM

Originally Posted by mitchell_pgh

A good rule of thumb is to never trust email.

If something looks legit, open up a blank web browser (do not click the link in the email), go to the site in question, and try to open your account.

It's always been a good rule for me.

On PC's thats not always safe either, spyware and viruses can change your host file so that you end up going to the wrong site anyways even if you typed it in correct.

Best rule is to call the company when in question

bubblewrap · Apr 16, 2005, 08:25 AM

I just registered under a fake name and address via proxy server!

Youra Koksukker.

chris v · Apr 16, 2005, 08:56 AM

I got one of those the other day, forwarded it to ebay fraud, then went back and logged in as username: U R Busted, password: Hello FBI

The "text" that looked like a link, was actually a gif, so I did a "view source" on the email. you can look for the link and the <a href=> tag to see where it really points you, if you're curious.

chris v · Apr 16, 2005, 08:59 AM

Originally Posted by mitchell_pgh

A good rule of thumb is to never trust email.

If something looks legit, open up a blank web browser (do not click the link in the email), go to the site in question, and try to open your account.

It's always been a good rule for me.

I wouldn't do that. The one I got presented me with an exact replica of the ebay login window, only the hostname was all wrong. After I entered a fake name and password, it then forwarded me to ebay, after nabbing the info. Had I not been looking at the URL, I would never have known. (that, and the fact that a lot of the buttons on the fake login page didn't work at all)

zerostar · Apr 16, 2005, 09:01 AM

I think he is saying *don't click the link* type in a new browser ebay.com or whatever and login to your account to see if anything is up...

TailsToo · Apr 16, 2005, 10:06 AM

I get these all the time... send them to spoof@ebay.com and they'll shut the site down.

Person Man · Apr 16, 2005, 10:12 AM

Originally Posted by zerostar

I think he is saying *don't click the link* type in a new browser ebay.com or whatever and login to your account to see if anything is up...

And hope and pray that the DNS cache hasn't been poisoned so that www.ebay.com doesn't point to the real eBay.

By the way: "Submiting invalid information?" How do you submite something?

And: "Please update and verify your info rmation."

You'd think that these people would learn to spell properly since most non-gullible people know that those types of spelling errors virtually scream "I'm a phishing scam!!!"

Cadaver · Apr 16, 2005, 10:15 AM

I get this kind of crap all the time on one of my email accounts. Phishing schemes for eBay, PayPal and services I don't even have, too.
I just simply ignore them.

Angus_D · Apr 16, 2005, 12:19 PM

Originally Posted by Cadaver

I get this kind of crap all the time on one of my email accounts. Phishing schemes for eBay, PayPal and services I don't even have, too.
I just simply ignore them.

Oh yes, they're always nice. All these banks I supposedly have accounts with.

CIA · Apr 16, 2005, 01:00 PM

Did I tell you guys I could save you all a fortune on your mortgage payments? I got this mail the other day.....

itistoday · 02:26 PM

If anyone wants to give this guy a taste of his own medicine, here are some things that you can fsck with:

Code:
21 (File Transfer [Control]) open.
22 (SSH Remote Login Protocol) open.
23 (Telnet) open.
80 (World Wide Web HTTP) open.
106 (3COM-TSMUX) open.
110 (Post Office Protocol - Version 3) open.
111 (SUN Remote Procedure Call) open.
143 (Internet Message Access Protocol) open.
199 (SMUX) open.
443 (HTTP protocol over TLS/SSL) open.
631 (IPP (Internet Printing Protocol)) open.
6000 (X-Windows) open.

It seems he's running some flavor of linux.
Heh... we could even arrange a coordinated DOS attack against him

DeathToWindows · Apr 16, 2005, 04:58 PM

I always check with the company in question first... then eBay or PayPal fraud gets an email

SSharon · Apr 16, 2005, 08:45 PM

Originally Posted by itistoday

...snip...
Heh... we could even arrange a coordinated DOS attack against him

I'm up for it.

stevesnj · Apr 16, 2005, 10:28 PM

I always tell my customers that e-bay or your bank would never ask you for your personal info through an e-mal....they already have this info. Unless you change your credit card number and never told them they don't need any further info from you.

meelk · Apr 17, 2005, 02:39 AM

Pretty damn sad that someone thinks this is noteworthy. I must get 30 to 50 emails a week from various phishing scams.

His Dudeness · Apr 17, 2005, 05:43 AM

I get these too. I sent a reply to one of these guys saying that if I got another phish email, I would fly to where he lived, kill his wife and kids, his pets, his grandparents, burn his house down, and rip off his head and **** down his neck. I then typed about fifty **** YOU's after that. I have never heard from this person again.