BOGUS Ebay email scam warning

email | self

[supercat]

I just received the following email. Pay particular attention to the part in red. I do not doubt that the text and visible formatting are copied precisely from a legitimate ebay message, but the highlighted link is almost certainly bogus--probably a data-capturing middleman.

I know this sort of scam is hardly new, but it is circulating again. Beware of it.

[supercat]

Received: from SMTP32-FWD by mail.[deleted].com
  (SMTP32) id A0948CE50; Wed, 20 Aug 2003 20:52:04 -0400
Received: from 168.144.21.148 [213.212.201.140] by mail.[deleted].com
  (SMTPD32-8.01) id A7AE1DB0164; Wed, 20 Aug 2003 20:51:58 -0400
Received: from [145.181.24.230] by 168.144.21.148 SMTP id K7m0l26N05Ju9X; Thu, 21 Aug 2003 07:50:54 +0300
Message-ID: <4--b9-5546x--$m-8@smu5vrb.i.h2v>
From: "service@ebay.com" <service@ebay.com>
Reply-To: "service@ebay.com" <service@ebay.com>
To: <ebay@casperkitty.com>
Subject: Update Account Information
Date: Thu, 21 Aug 03 07:50:54 GMT
X-Mailer: Microsoft Outlook, Build 10.0.2616
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="..3E187B50_"
X-Priority: 3
X-MSMail-Priority: Normal
Status: R
X-UIDL: 358547561

--..3E187B50_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<img src=3D"http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102.gif">

<P>Recently we attempted to authorize payment from your credit 
card we have on file for you, but it was declined.
<p>For security purposes, our system automatically removes credit card inf=
ormation         from an account when there is a problem or the card expir=
es.
<br>Please resubmit the credit card, and provide us with new and complete =
        information. To resubmit credit card information via our secure se=
rver,         click the following link:      
<a href=3D"http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo=
&siteid=3D0co_partnerid=3D2@207.150.192.12/temp/zebaysec/SignIn.php">http:=
//cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a>
<P>This is the quickest and easiest method of getting credit card informat=
ion       to us. Using the secure server will ensure that the credit card =
will be       placed on account within 24 hours.
<P><I>Copyright 1995-2003 Ebay Inc.       
 All Rights Reserved. Designated trademarks and brands         are the pro=
perty of their respective      =20

--..3E187B50_--

[50sDad]

Got a very similar scam from "paypal" and reported it. Got hit last night for a "citibank checking account" that I don't have.

[George from New England]

Paypal is ebay. Ebay bought them over a year ago.

I got this one to fro paypal, I had cancelled my paypal account months ago.

[proxy_user]

In a URL like that, anything before the '@' is ignored. You're going straight to

"207.150.192.12/temp/zebaysec/SignIn.php"

And, as we all know, eBay uses J2EE, not PHP.

[dalebert]

If you click on the senders of these spams you can bring up the sender and find out very fast that the mail is not from ebay. I also got same spam concerning bidpay and paypal. Please file a report with ebay,paypal or whoever the email concerns so they can attempt to catch the people doing this. Also check your accounts often. A buddy of mine fell for this and got a bill from Bank One credit card for $5800. He does not have a Bank One credit card.Could this be terrorist? or Al Gore scam.

[tdadams]

You're exactly right. This link does not go to Ebay. If you look closely at the part you highlighted in red, you'll see this:

@207.150.192.12

Most people don't know this, but your web browser will ignore anything in a URL address that comes before the @ symbol. This means the whole string in front of the @ symbol in this address link (http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo= &siteid=3D0co_partnerid=3D2) is being ignored. It's there to appear as if the link goes to ebay.com.

In actuality, it's going to the IP address 207.150.192.12, which could be just about any sleazy thief who's set up a server and is trying to steal your credit card number or Ebay login.

Thanks for being vigilant and warning others. The best way to combat this kind of fraud is for people to be instintively skeptical about emails like this.

[Brian S]

Got the same and so did my sister.

BTW...My ZoneAlarm is going crazy tonight with a ping about every 8 seconds, all from random sources. Anybody else noticing this? (maybe I need to lay off the "patriot act" threads... ) ;)

[tdadams]

Please forward this to fraud@ebay.com so they can investigate.

[rs79bm]

I did a back-trace on this address and it is registered to the following:

Address: 207.150.192.12
OrgName: Affinity Internet, Inc
OrgID: AFFI
Address: 101 Continental 4th Floor
City: El Segundo
StateProv: CA
PostalCode: 90245
Country: US


I would suggest sending this to Ebay and have them investigate this company. They should be able to pinpoint who is using this IP address.

[Ex-Dem]

Do you know if ZoneAlarm gives a kind of loud beep if it detects an intrusion attempt? I'm running three firewalls, so I can never tell which one is giving off an alert.

As for tonight, no haven't noticed anything unusual other than a false alarm when I was using FTP.

[browardchad]

My ZoneAlarm is going crazy tonight

Same here in Florida, but after three years on DSL, it's become fairly routine -- it looks like quite a few of the computers hooked to my ISP are infected with a worm. I ordered a replacement DSL modem last week, and my UPS delivery man told me he's been delivering about a 20 a day in my area alone. I wonder how many of those new subscribers are without a firewall, and don't even realize they're infected?

[Brian S]

I know of no audible alert on the free version of zone alarm I'm running. There is a popup window alert you can activate everytime it blocks an intrusion though. It gets annoying however.

I keep hearing my hard drive write to disk every few seconds (I do keep the ZA logfile active) which is the reason I noticed all the pings.

[Severa]

Running Zone Alarm Pro and Norton Antivirus on an XP machine. So far so good, no viruses *knock on wood* but getting pinged pretty close to the rate you stated.

[Bullish]

There's been a rash of these types of bogus e-mails trying to get people to submit all of their info, everything they need to drain their checking accounts.

I always forward these types of E-mails to my ISP, everyone should do that so maybe they could locate them and help to get them prosecuted.


I wish they'd find these scammers and hang them.

[Severa]

I just got Zone Alarm about two weeks ago, I've got a cable modem connection, here in VA Beach Navy housing. Talk about timing huh? :)

[Severa]

I just got Zone Alarm about two weeks ago, I've got a cable modem connection, here in VA Beach Navy housing. Talk about timing huh? :)

[Severa]

I just got Zone Alarm about two weeks ago, I've got a cable modem connection, here in VA Beach Navy housing. Talk about timing huh? :)

[fatima]

I get them all the time and also from paypal,just go to your account and it will show the truth.

[Severa]

I'm in VA Beach. Navy base housing. Installed Zone Alarm just a few weeks ago. Talk about timing huh? :)