Scam it eBay

Around midnight tonight I received an e-mail in my MSU account that was suspicious. I’m a member of eBay, but I don’t have my mail account set to send to my MSU email; I have it set for another address.

So immediately upon receiving an email from eBay I was skeptical. The next indication: spelling. The subject line of the email says “eBay Member Billing Information Uptaded”.

eBay simply would not allow a typo in an e-mail, and eBay does not have my campus e-mail address.

This is a very well done scam.

Body of the e-mail (Screenshot):
Screencap of email body

This is very well done; it looks like official correspondence from eBay. Even the message’s headers have eBay’s e-mail addresses. If you look closely, you’ll notice another typo (probably intentional – thanks to belcher for pointing this one out):

Return-Path: and Reply-To: memberservive@ebay.com

memberservive. Nice.

Of course, the key in all of this is the “Received From: ” mail header.

“Received From: unknown (HELO mailserv) 211.104.114.174”

But we’ll take a look at that IP Address in a moment.

The e-mail message (screenshot 1, screenshot 2) is very well composed, and has links to a site that phishes for information. Highlight of the message? “If you think you have received this email as an error, please visit our website and fill out the necessary information. That way we can make sure that everything is update to date!”

Clicking the link to “update your information” takes you to a form (screenshot, screenshot 2) on a server located in Korea. The form asks for your ATM PIN, Credit Card Number, and all sorts of information for identity and monetary theft. After filling out the form, the site redirects you to eBay’s official site.

Another note about the link: it uses a common URL spoofing technique that involves placing the @ sign in a URL. If you see a site with an @ sign in the URL that isn’t used for FTP and is NOT an e-mail address, don’t click it.

Oh and about that IP address… it’s on a Korean server.
screenshot of traceroute
(IP to Lat/Long Screenshot)

One final thought: sending this message to 20,000 people is not difficult after running a verification message out. (Ever wonder why you get random spam with just poetry? It’s to see if your address exists.) If they get a 2% return on this scam, they have 400 lives to totally ruin: 400 credit card numbers, 400 bank accounts, and most importantly 400 identities to steal.

Related Links (variations on this scam): Tech TV article, MSNBC (the MSNBC article is the most informative)

A quick note, the site MSNBC reports about is ebay-verification.net (InterNIC says it was registered by register.com, register.com says it doesn’t exist, NSI says it doesn’t exist) while the site I’m dealing with is a new variation on it that just goes to an IP Address rather than a domain name.
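
The two link tricks described in this post, an @ sign in the URL and a bare IP address where a domain name should be, can be checked mechanically before anyone clicks. This is an added example, not part of the original post; the function name `link_warnings` and the sample URLs (built on the documentation address 192.0.2.10) are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def link_warnings(url, claimed_domain="ebay.com"):
    """Return the reasons a link found in an e-mail looks spoofed.

    claimed_domain is the domain the message says it comes from.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []

    # In http(s) URLs everything before '@' in the authority is userinfo,
    # not the host. A browser connects to what comes AFTER the '@'.
    if parts.scheme in ("http", "https") and "@" in parts.netloc:
        decoy = parts.netloc.rsplit("@", 1)[0]
        warnings.append(f"userinfo decoy {decoy!r}; real host is {host!r}")

    # A bare IP address as the host means there is no domain name to vet.
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass  # not an IP literal

    # The real host must be the claimed domain or one of its subdomains.
    # Matching on ".ebay.com" avoids accepting "ebay.com.example.net".
    if host != claimed_domain and not host.endswith("." + claimed_domain):
        warnings.append(f"host {host!r} is not under {claimed_domain}")

    return warnings


if __name__ == "__main__":
    # Constructed sample links, not taken from the message in this post.
    samples = [
        "http://www.ebay.com@192.0.2.10/update.html",
        "https://ebay.com.example.net/verify",
        "https://signin.ebay.com/ws/",
    ]
    for link in samples:
        print(link, "->", link_warnings(link) or "no warnings")
```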


About andyhillky
I'm cool.

5 Responses to Scam it eBay

  1. Sarah says:

    Those bastards. I hope they get caught and die!

  2. Dan says:

    Man, that’s pretty fucked up. I’ve gotten those emails before in my hotmail account but I never click on them because I know they’re a scam. Somehow, I still have my KWC email address, which is the email addy I use for my ebay account. I’ve never gotten any of those emails in there before but I’m sure it will happen. It’s pretty fucked up what people can do on the internet. God damn Korean fucks.

  3. meghan says:

    wow. they messed with the wrong guy. ; )

  4. Lee Coursey says:

    FUCKING KOREANS! DIE!

  5. Big Dog says:

    There’s a similar scam going around for PayPal members, and it looks just as real. You get an e-mail asking you to “verify your account information” for “security purposes.” A safe bet for anyone who has an account with any type of online service that requires credit card or bank account information is that they will never ask for your information through e-mail; it’s too easy to fake a request and not secure enough. When in doubt, e-mail the service and ask them about it, but I virtually guarantee that any such e-mail is bogus.
