Received: from SMTP32-FWD by mail.[deleted].com (SMTP32) id A0948CE50; Wed, 20 Aug 2003 20:52:04 -0400 Received: from 168.144.21.148 [213.212.201.140] by mail.[deleted].com (SMTPD32-8.01) id A7AE1DB0164; Wed, 20 Aug 2003 20:51:58 -0400 Received: from [145.181.24.230] by 168.144.21.148 SMTP id K7m0l26N05Ju9X; Thu, 21 Aug 2003 07:50:54 +0300 Message-ID: <4--b9-5546x--$m-8@smu5vrb.i.h2v> From: "service@ebay.com" <service@ebay.com> Reply-To: "service@ebay.com" <service@ebay.com> To: <ebay@casperkitty.com> Subject: Update Account Information Date: Thu, 21 Aug 03 07:50:54 GMT X-Mailer: Microsoft Outlook, Build 10.0.2616 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="..3E187B50_" X-Priority: 3 X-MSMail-Priority: Normal Status: R X-UIDL: 358547561
--..3E187B50_ Content-Type: text/html; Content-Transfer-Encoding: quoted-printable
<img src=3D"http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102.gif">
<P>Recently we attempted to authorize payment from your credit card we have on file for you, but it was declined. <p>For security purposes, our system automatically removes credit card inf= ormation from an account when there is a problem or the card expir= es. <br>Please resubmit the credit card, and provide us with new and complete = information. To resubmit credit card information via our secure se= rver, click the following link: <a href=3D"http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo= &siteid=3D0co_partnerid=3D2@207.150.192.12/temp/zebaysec/SignIn.php">http:= //cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a> <P>This is the quickest and easiest method of getting credit card informat= ion to us. Using the secure server will ensure that the credit card = will be placed on account within 24 hours. <P><I>Copyright 1995-2003 Ebay Inc. All Rights Reserved. Designated trademarks and brands are the pro= perty of their respective =20
--..3E187B50_--
@207.150.192.12Most people don't know this, but your web browser will ignore anything in a URL address that comes before the @ symbol. This means the whole string in front of the @ symbol in this address link (http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo= &siteid=3D0co_partnerid=3D2) is being ignored. It's there to appear as if the link goes to ebay.com.
In actuality, it's going to the IP address 207.150.192.12, which could be just about any sleazy thief who's set up a server and is trying to steal your credit card number or Ebay login.
Thanks for being vigilant and warning others. The best way to combat this kind of fraud is for people to be instintively skeptical about emails like this.
spoof@ebay.com
They will investigate it and try to shut the bast***s down.
Registrant: Pirker, Raphael (CRDNSHZMWD) Gsoererweg 28 St. Anton am Arlberg, Tirol 6580 AT Domain Name: WHIZ-MAIL.CC Administrative Contact, Technical Contact: Pirker, Raphael (KBFKRCRBXI) raphaelp@nr1webresource.com Gsoererweg 28 St. Anton am Arlberg, Tirol 6580 AT +43-5446-3807 Record expires on 12-Feb-2006. Record created on 12-Feb-2003. Database last updated on 21-Aug-2003 00:48:20 EDT. Domain servers in listed order: NS.HOSTING4U.NET 209.15.2.3 NS2.HOSTING4U.NET 209.15.2.4
I pass this along FWIW.
If you're shopping for notebook computers, high-end digital cameras, stereo equipment, or plasma TVs, be on your guard for deals that look too good to be true.
Typically, the auction will contain three big red flags: 1) It will be a 'Buy it Now' auction, 2) the price will be way too low, probably one half or less than retail, 3) the auction will always be designated for "pre-approved buyers".
The reason for limiting it to pre-approved buyers is so that you have to contact the seller for approval. That then allows them to contact you outside the Ebay system. Invariably, they'll want to conclude the deal outside of Ebay if you'll send them the money by wire transfer. This is your next red flag. They'll want you to send it somewhere overseas, typically in Europe. They'll give you some reason why they're in Europe and not where they're registered on Ebay (we're on vacation, business, etc.).
You feel skeptical, but they had hundreds of feedbacks and all were positive, so you think it must check out OK.
So what's the real story? This is a scammer. They've hijacked the account of a user with a good feedback history. How did they do that? By tricking someone with a spoofed email.
Believe me, they don't have the merchandise and won't be sending it if you send them the money. But you'll be out several hundreds (if not thousands) of dollars that are unable to be traced.
If you want to have fun with this and see if you can find one of these, do a search for a very expensive digital camera, say the Canon 1Ds, which retails for $7999.00. When you see one with a Buy it Now price of $2000 or less, you know you've found a scammer. Go ahead and contact them... then watch the scenario I described above play out.
If you really want to have fun with them, tell them you'll meet them in person to pick it up (anywhere in the world, "I'm a commercial pilot"). Then see what excuse they come up with why they won't be able to deliver it in person. It can be fun.