Paul R. Potts
I’ve been receiving mail allegedly from eBay containing HTML and a form requesting my user ID and password, with the following text:
Dear eBay User,
During our regular update and verification of the accounts, we could not verify your current information. Either your information has changed or it is incomplete. As a result, your access to bid or buy on eBay has been restricted. According to our site policy you will have to confirm that you are the real owner of the eBay account by log in and complete the form that will pop up or else your account will be suspended without the right to register again with eBay.
I’ve been using the Internet since before it was the Internet, and so this immediately said “a cheesy fraudulent attempt to harvest passwords.” I reported it to spoof@ebay.com along with full headers. This is just a reminder to my loyal reader that reputable companies will never attempt to harvest information in this way.
The headers are suspicious, to begin with:
Received: from smtp016.mail.yahoo.com
(smtp016.mail.yahoo.com [216.136.174.113])
by ludo.dreamhost.com (Postfix) with SMTP id 710D928062
for <paul@thepottshouse.org>; Wed, 13 Aug 2003 05:43:24 -0700 (PDT)
Received: from unknown (HELO 211.60.92.186) (unrinocer@211.60.92.186 with login)
by smtp.mail.vip.sc5.yahoo.com with SMTP; 13 Aug 2003 12:43:18 -0000
From: "aw-confirm@ebay.com" <aw-confirm@ebay.com>
To: "Paul" <paul@thepottshouse.org>
Subject: eBay Verification Request
Note the “received from unknown” with a raw IP address rather than a verifiable hostname. It looks like it may be going through an open mail relay at Yahoo, which is very strange and suspicious, so I have also reported this to abuse@yahoo.com.
The page contains a lot of JavaScript, and pulls graphics directly from eBay’s site, but look here:
action=3Dhttp://scgi.ebay.com.sawcgi.eBayISAPI.dll.
RegisterEnterInfo.RegisterConfirmInformation.dll.
eBayISAPI.dll@64.70.156.84/
eBayISAPidlldasSKJEDFKJSdsalkepoamncjfdsjKKdsjdxcmnzkjsjeLKKLKdsjnxs/
ksjdeISJJSjjISSdlldkDKJlLXcdcawerfDEurERRudsksalfkmcxXXlkdmfldll/
LKJDjedssjheflkcgieBaysadkKJEDjdfklluseridLKSKdskdmxskjdeEEdkjas7837sdkjd/
a.php
Note the super-long URL, with a bunch of fake “.dll” script names given, and then a bunch of crap designed to fill up the address line in your browser, so that the end of it is hidden. It looks like this is actually running a PHP script (a.php) on a server with a given IP address (64.70.156.84); the garbage is just to “decorate” the URL sufficiently so that it looks like an eBay URL, and so that you’ll be unlikely to notice that the address isn’t a real eBay address. If you hit this address with the “decorated” URL, it redirects you to eBay after processing. The raw IP address seems to belong to “ValueWeb: An Affinity Company” which seems to be an ISP, but who knows who it really is. Let’s be careful out there.