[supercat]

Received: from SMTP32-FWD by mail.[deleted].com
  (SMTP32) id A0948CE50; Wed, 20 Aug 2003 20:52:04 -0400
Received: from 168.144.21.148 [213.212.201.140] by mail.[deleted].com
  (SMTPD32-8.01) id A7AE1DB0164; Wed, 20 Aug 2003 20:51:58 -0400
Received: from [145.181.24.230] by 168.144.21.148 SMTP id K7m0l26N05Ju9X; Thu, 21 Aug 2003 07:50:54 +0300
Message-ID: <4--b9-5546x--$m-8@smu5vrb.i.h2v>
From: "service@ebay.com" <service@ebay.com>
Reply-To: "service@ebay.com" <service@ebay.com>
To: <ebay@casperkitty.com>
Subject: Update Account Information
Date: Thu, 21 Aug 03 07:50:54 GMT
X-Mailer: Microsoft Outlook, Build 10.0.2616
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="..3E187B50_"
X-Priority: 3
X-MSMail-Priority: Normal
Status: R
X-UIDL: 358547561

--..3E187B50_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<img src=3D"http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102.gif">

<P>Recently we attempted to authorize payment from your credit 
card we have on file for you, but it was declined.
<p>For security purposes, our system automatically removes credit card inf=
ormation         from an account when there is a problem or the card expir=
es.
<br>Please resubmit the credit card, and provide us with new and complete =
        information. To resubmit credit card information via our secure se=
rver,         click the following link:      
<a href=3D"http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo=
&siteid=3D0co_partnerid=3D2@207.150.192.12/temp/zebaysec/SignIn.php">http:=
//cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a>
<P>This is the quickest and easiest method of getting credit card informat=
ion       to us. Using the secure server will ensure that the credit card =
will be       placed on account within 24 hours.
<P><I>Copyright 1995-2003 Ebay Inc.       
 All Rights Reserved. Designated trademarks and brands         are the pro=
perty of their respective      =20

--..3E187B50_--

[50sDad]

Got a very similar scam from "paypal" and reported it. Got hit last night for a "citibank checking account" that I don't have.

[proxy_user]

In a URL like that, anything before the '@' is ignored. You're going straight to

"207.150.192.12/temp/zebaysec/SignIn.php"

And, as we all know, eBay uses J2EE, not PHP.

[dalebert]

If you click on the senders of these spams you can bring up the sender and find out very fast that the mail is not from ebay. I also got same spam concerning bidpay and paypal. Please file a report with ebay,paypal or whoever the email concerns so they can attempt to catch the people doing this. Also check your accounts often. A buddy of mine fell for this and got a bill from Bank One credit card for $5800. He does not have a Bank One credit card.Could this be terrorist? or Al Gore scam.

[tdadams]

You're exactly right. This link does not go to Ebay. If you look closely at the part you highlighted in red, you'll see this:

@207.150.192.12

Most people don't know this, but your web browser will ignore anything in a URL address that comes before the @ symbol. This means the whole string in front of the @ symbol in this address link (http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo= &siteid=3D0co_partnerid=3D2) is being ignored. It's there to appear as if the link goes to ebay.com.

In actuality, it's going to the IP address 207.150.192.12, which could be just about any sleazy thief who's set up a server and is trying to steal your credit card number or Ebay login.

Thanks for being vigilant and warning others. The best way to combat this kind of fraud is for people to be instintively skeptical about emails like this.

[tdadams]

Please forward this to fraud@ebay.com so they can investigate.

[fatima]

I get them all the time and also from paypal,just go to your account and it will show the truth.

[massadvj]

I'm an eBay dealer woth over 4 thousand feedbacks. I get about two of these per week. You should FORWARD (not send) it to:

spoof@ebay.com

They will investigate it and try to shut the bast***s down.

[fightu4it]

ping

[ICE-FLYER]

If I read that link in red correctly it is NOT a secure server at all to begin with.

[ladyinred]

Wow, there are so many virus's, worms, and scams going on right now. We got one on our office computer after opening an email that claimed to be from Office Depot about an order that didn't go through because of an untrusted online orderer. Turns out it was a bug!

[GOPJ]

bump

[vaudine]

Last month I got an email from ebay telling me my credit card # was close to expiration, which it was. So I WENT to Ebay and clicked on the place to enter credit card info.

A couple of nights ago, I received an email from Ebay stating it needed to verify all my info--called it a security check.
They had the Ebay heading in color, said it was a secure server. They wanted my credit card info.,ebay sign in, personal info-name, add. mother's name, etc. AND they wanted my bank account info., which I have never given even to my Paypal account, so I have remained "Unverified."

I zapped it back and said I had recently updated, and did not feel comfortable with sending it in again--that they should have had all this stuff. I just couldn't see the reason for it, and was afraid it was a scam, even though it looked authentic.

I am not very computer literate, but took note of the info you are giving and wrote the #'s down for the the real Ebay url, so I can check next time.

Were any of you who received this query told they needed it for a security check?

vaudine

[upchuck]

I'm no guru, but tracing through this, it appears there are two web pages. On the first you enter your ebay user ID and password.
FWIW, since this is a bogus page it makes no difference what you enter. Then you go to the second page where your credit card info is collected.
The cc info you enter is sent to www.whiz-mail.cc. Geek tools^ says this URL belongs to:

Registrant: 
Pirker, Raphael (CRDNSHZMWD)
Gsoererweg 28
St. Anton am Arlberg, Tirol 6580
AT

Domain Name: WHIZ-MAIL.CC

Administrative Contact, Technical Contact:
Pirker, Raphael (KBFKRCRBXI) raphaelp@nr1webresource.com
Gsoererweg 28
St. Anton am Arlberg, Tirol 6580
AT
+43-5446-3807

Record expires on 12-Feb-2006.
Record created on 12-Feb-2003.
Database last updated on 21-Aug-2003 00:48:20 EDT.

Domain servers in listed order:

NS.HOSTING4U.NET 209.15.2.3
NS2.HOSTING4U.NET 209.15.2.4

I pass this along FWIW.

[tdadams]

Since we're on the topic of Ebay scams, there are a lot of bogus auctions lately, and they're tied in to the fraud emails we're talking about (keep reading).

If you're shopping for notebook computers, high-end digital cameras, stereo equipment, or plasma TVs, be on your guard for deals that look too good to be true.

Typically, the auction will contain three big red flags: 1) It will be a 'Buy it Now' auction, 2) the price will be way too low, probably one half or less than retail, 3) the auction will always be designated for "pre-approved buyers".

The reason for limiting it to pre-approved buyers is so that you have to contact the seller for approval. That then allows them to contact you outside the Ebay system. Invariably, they'll want to conclude the deal outside of Ebay if you'll send them the money by wire transfer. This is your next red flag. They'll want you to send it somewhere overseas, typically in Europe. They'll give you some reason why they're in Europe and not where they're registered on Ebay (we're on vacation, business, etc.).

You feel skeptical, but they had hundreds of feedbacks and all were positive, so you think it must check out OK.

So what's the real story? This is a scammer. They've hijacked the account of a user with a good feedback history. How did they do that? By tricking someone with a spoofed email.

Believe me, they don't have the merchandise and won't be sending it if you send them the money. But you'll be out several hundreds (if not thousands) of dollars that are unable to be traced.

If you want to have fun with this and see if you can find one of these, do a search for a very expensive digital camera, say the Canon 1Ds, which retails for $7999.00. When you see one with a Buy it Now price of $2000 or less, you know you've found a scammer. Go ahead and contact them... then watch the scenario I described above play out.

If you really want to have fun with them, tell them you'll meet them in person to pick it up (anywhere in the world, "I'm a commercial pilot"). Then see what excuse they come up with why they won't be able to deliver it in person. It can be fun.

[GOPJ]

bump