eBay phishing - phishers are getting better

From: John Gateley (gateley_at_jriver.com)
Date: 07/21/05

    Date: Thu, 21 Jul 2005 15:33:22 -0500
    To: bugtraq@securityfocus.com
    
    
    

    I just got another phishing scam (targeting eBay).

    The twist is that the subject line included my eBay username,
    and it was sent to my eBay e-mail address. The phishers have
    figured out how to get one from the other; I don't know how.

    I sent it on to eBay but just got a standard form letter
    back.

    Is this happening to anyone else? Anyone know how they
    were able to figure out my e-mail from user name (or
    vice versa)?

    j

    text, with relevant portions removed:

    Return-Path: <apache@www.nec.com.hk>
    Delivered-To: xxxx@xxxx.xxxx.org
    Received: (qmail 15267 invoked by alias); 21 Jul 2005 17:05:07 -0000
    Delivered-To: xxxx@xxxx.org
    Received: (qmail 15264 invoked from network); 21 Jul 2005 17:05:07 -0000
    Received: from unknown (HELO localhost.localdomain) (203.194.209.141)
      by xxxx.xxxx.com with SMTP; 21 Jul 2005 17:05:07 -0000
    Received: from www.nec.com.hk (www.nec.com.hk [127.0.0.1] (may be forged))
            by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6LIL8VB001107
            for <xxxx@xxxx.org>; Fri, 22 Jul 2005 02:21:08 +0800
    Received: (from apache@localhost)
            by www.nec.com.hk (8.13.1/8.13.1/Submit) id j6LIL7MX001106;
            Fri, 22 Jul 2005 02:21:07 +0800
    Date: Fri, 22 Jul 2005 02:21:07 +0800
    Message-Id: <200507211821.j6LIL7MX001106@www.nec.com.hk>
    From: "eBay" <aw-confirm@ebay.com>
    Reply-to: 6884-lbpl-4t94@noreplay.ebay.com
    Subject: Notification of Limited Account Access for xxxx
    To: xxxx@xxxx.org
    Content-type: text/html

    <html>
    <style type="text/css">
    <!--
    .style3 {color: #FFFFFF}
    -->
    </style>

    <body>
    <table border="0" width="100%">
    <tr>
    <td width="15%" align="left">To:</td>
    <td>xxxx</td>
    </tr>
    <tr>
    <td width="15%" align="left">From:</td>
    <td>eBay<span class="style3">( codeID=2574-h04b-ug97)</span></td>
    </tr>
    <tr>
    <td width="15%" align="left">Subject:</td>
    <td>Notification of Limited Account Access for xxxx<span class="style3"> x route </span></td>
    </tr>
    <tr>
    <td colspan="2">------------------------------------------------------------</td>
    </tr>
    <tr>
    <td colspan="2"><table cellpadding="2" cellspacing="0" border="0" style="border: #e0e0e0 1px solid;" width="100%">
    <tr>
    <td><p class="V1Gray"><img alt="The World's Online Marketplace" src="http://battellemedia.com/images/ebayLogo-tm.jpg" border=0></p>
      <p class="V1Gray">eBay sent this message to xxxx  (xxxx@xxxx.org
    ).<br>
                            </p></td>
    </tr>
    </table>
    <table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
    <tbody>
    <tr>
    <td bgColor="#9999cc" width="1"><img height="1" src="http://pics.ebaystatic.com/aw/pics/s.gif"></td>
    <td>
    <table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
    <tbody>
    <tr bgColor="#9999cc" height="26">
    <td>  <span class="A3B" style="color:white;">Welcome to My Messages</span></td>
    </tr>
    <tr>
    <td>
    <table cellSpacing="0" cellPadding="5" width="100%" bgColor="white" border="0">
    <tbody>
    <tr>
    <td colSpan="6" bgcolor="#FFFFFF"><img src="http://pics.ebaystatic.com/aw/pics/myMessages/note_570x30.gif" alt=" " border="0">
      <p>
                            Dear <span class="V1Gray"> xxxx&nbsp;(xxxx@xxxx.org
    ),</span></p>
    <p>
                            This e-mail is the notification of recent innovations taken by eBay to detect inactive customers and

     non-functioning billing process.<br>
                            The inactive customers are subject to restriction and removal in the next 3 days. <br>
                            You must click the link to complete the process.</p>
    <p><a href="http://signin.ebay.com.aw-cgi2.com/eBayISAPI.dll?VerifyID&PlaceInfo&LogUID=xxxx;UserRoute=2574-h04b-ug97">http://signin.ebay.com/eBayISAPI.dll?Signln&amp;UserIDmail=xxxx@xxxx.org
    </a> <span class="style3"> =

     
        type=state&amp;param=xxxx-2574-h04b-ug97</span></p>
    <p align="left">(To complete the verification process you must fill in all the required fields)</p>
    <p> Notice: Refusal to cooperate in an investigation or provide confirmation of identity when requested are subject to restriction and removal in the next 3 days </p>
    <p>Regards,<br>
      Customer Support (Trust and Safety Department), <span class="style3"> </span></p></td>
    </tr>
    <tr>
    <td height="10"></td>
    </tr>
    </tbody>
    </table>
    </td>
    </tr>
    <tr>
    <td width="100%" bgColor="#9999cc"><img height="1" src="http://pics.ebaystatic.com/aw/pics/s.gif" width="1"></td>
    </tr>
    </tbody>
    </table>
    </td>
    <td bgColor="#9999cc" width="1"><img height="1" src="http://pics.ebaystatic.com/aw/pics/s.gif" width="1"></td>
    </tr>
    </tbody>
    </table>
    <hr size="1"></td>
    </tr>
    </table>
    </body>
    </html>

    -- 
    Public key at http://www.jriver.com/~gateley
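
Added example, not part of the original post: a Python check for the two mismatches visible in the quoted message, namely a `From:` domain that does not match the `Return-Path:` domain, and a link whose visible text names one host while its `href` points to another. The names `findings`, `AnchorCollector` and `addr_domain` are hypothetical, and `SAMPLE` is a constructed, trimmed copy of the headers and link above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the headers and link quoted in the post.
SAMPLE = '''Return-Path: <apache@www.nec.com.hk>
From: "eBay" <aw-confirm@ebay.com>
Content-type: text/html

<html><body><p>You must click the link to complete the process.</p>
<p><a href="http://signin.ebay.com.aw-cgi2.com/eBayISAPI.dll?VerifyID&PlaceInfo&LogUID=xxxx;UserRoute=2574-h04b-ug97">http://signin.ebay.com/eBayISAPI.dll?Signln&amp;UserIDmail=xxxx@xxxx.org
</a></p></body></html>
'''

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def addr_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def findings(raw):
    """Return (kind, claimed, actual) tuples for one raw RFC 822 message."""
    msg, out, parser = message_from_string(raw), [], AnchorCollector()
    claimed, bounce = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    # Weak signal on its own: bulk senders legitimately use other bounce domains.
    if claimed and bounce and bounce != claimed and not bounce.endswith("." + claimed):
        out.append(("envelope-mismatch", claimed, bounce))
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown, actual = urlsplit(text).hostname, urlsplit(href).hostname
        if shown and actual and shown != actual:
            kind = "lookalike-prefix" if actual.startswith(shown + ".") else "link-mismatch"
            out.append((kind, shown, actual))
    return out

print(*findings(SAMPLE), sep="\n")
```

The `lookalike-prefix` result is the stronger of the two: the displayed host is reused as the leading labels of a different domain, which is how the link in this message is built.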
    
    


