
Re: EBay Fraud Attempt

From: Kee Hinckley <nazgul(at)somewhere.com>
Date: Tue Dec 10 2002 - 01:17:28 EST

>> Hello All,
>> About 24 Hours ago I received an e-mail from "EBay Billing" with

Interesting. This one hit us this weekend. It was notable in part because it looked like a text message, which makes the link in it less suspicious. Unfortunately for them, the site they hosted on set a cookie, so if you had cookie alerts turned on the IP address looked suspicious, and of course the URL in the header was bad. The page itself was a copy of the ebay login page, and submitting your info would redirect you to the real ebay login page after grabbing the password information.

I informed the hosting provider and they shut it down, but it was up for more than 24 hours. I also sent mail to abuse@paypal.com. I *hope* they have a way of mapping the referrer fields to the logins and can thus easily notify anyone who came into their site through the fake one, but I haven't heard back.

>Return-Path: <service@paypal.com>
>Received: from [202.134.170.3] (HELO paypal.com)
> by somewhere.com (CommuniGate Pro SMTP 3.5.7)
> with SMTP id 1849304 for nazgul@somewhere.com; Sun, 08 Dec 2002
>03:21:05 -0500
>From: "PayPal Admin" <service@paypal.com>
>To: <nazgul@somewhere.com>
>Subject: 5 days for account suspension
>Sender: "PayPal Admin" <service@paypal.com>
>Mime-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="= Multipart Boundary 1208021348"
>Date: Sun, 8 Dec 2002 13:48:55 +0530
>Message-ID: <auto-000001849304@somewhere.com>
>
><x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><HTML>
><HEAD>
><META NAME="GENERATOR" Content="Microsoft DHTML Editing Control">
><TITLE></TITLE>
></HEAD>
><BODY>
><DIV>Dear PayPal Member<BR><BR>According to the paypal
>policy, you have 5 days left before your account will be suspended due to
>prolonged inactivity.<BR><BR>To avoid this you must login to your account
>atleast once in 2 months.<BR><BR>To avoid suspension of your account please
>click the link below<BR><BR><A
>href="http://207.150.221.95/eaacl-co/paypal/index.asp?user=&amp;id=&amp;cmd_
>login=F000000001&amp;a=ad8258ed60d767d50ef1e822ceff3db5addeaff28ad8998asdc60
>d767d50ef1e822ceff3db5addeaff28ad8998asdc">https://www.paypal.com/cgi-bin/we
>bscr?cmd=_login-run</A>
><BR><BR>If you have checked your paypal in the last 2 months and are still
>recieving this mail, please inform us at
>paypal_info@paypal.com<BR><BR><BR><BR>
><HR>
>Copyright © 2002 PayPal. All rights reserved.</DIV>
></BODY>
></HTML>
>
></x-html>

-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Wed Dec 11 12:59:34 2002
