[63084] in North American Network Operators' Group


Re: FW: e-bay

daemon@ATHENA.MIT.EDU (Tony Rall)
Fri Sep 26 12:39:09 2003

In-Reply-To: <A1A3A11FE1405F4CA9442BAA07D29A420280FE@server.bradleycaldwell.com>
To: nanog@merit.edu
From: Tony Rall <trall@almaden.ibm.com>
Date: Fri, 26 Sep 2003 09:34:51 -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Friday, 2003-09-26 at 12:25 AST, Mike Tomasura 
<MTomasura@BradleyCaldwell.com> wrote:
>  I guess e-bay had some problems? A few users got this message from
>  them.
> 
>  Dear eBay user!
> 
>  At 09.24.2003 our company has lost a number
>  of accounts in the system during the database
>  maintenance. If you have an active account, please
>  click on the link below to update your credit card
>  information. If you have problems with your account, please let us know
>  at email support@ebay.com <mailto:support@ebay.com>
> 
>  https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation
>  <https://e%31bay.com/saw-cgi/?UpdateInformation>

This is a clever attempt to harvest ebay account information.

The message, with the subject "Official Notice for all eBay users"
consists of 2 parts:

1. An html section, which includes a link to (don't click on this)
http://scgi.ebay.com@%32%31%31%2E%32%31%37%2E%32%32%34%2E%31%30%32:%34%39%30%31/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D
and a display of "pic.gif".

2. A base 64 attachment - pic.gif.

What you normally see when you open the message is just the gif file. 
But the gif appears to be text, including a picture of the text asking
you to click on
"http://scgi.ebay.com/saw-cig/eBayISAPI.dll?VerifyInformation"

But the real link (as might be displayed at the bottom of your mail client 
window if it gives you a preview of links) is the one shown in #1.  And 
that link doesn't go to ebay.com - it really goes to 211.217.224.102, port 
4901.  That is because everything in front of the "@" is treated by your 
browser as data (a userid, in theory) to be passed to the target host, not 
as the host name.

That target web server, when it was working, displayed a page that is
forged to look like an ebay page, asking you to reenter your ebay
userid and password.  Don't do it!

Today, the host at 211.217.224.102 is no longer listening on port
4901.

Tony Rall

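The "everything in front of the @ is userinfo" point above is easy to check mechanically. The following is an added example, not part of Tony's message or of any eBay or NANOG tooling: a small Python checker that splits a URL's authority the way RFC 3986 does (at the last "@"), percent-decodes the host and port only after that split, and reports the indicators this particular message shows (a hostname-looking userinfo, a bare IP as the real host, a non-standard port, percent-encoded authority). The sample URL is the link from the message with the stray "=" that appears in the archived copy dropped, which is assumed to be quoted-printable line-wrapping residue; the function and dictionary key names are my own.

```python
"""Unmask "trusted-name@real-host" links of the kind used in the eBay phish.

Added example, not code from the original post. The sample URL below is
the link quoted in the message (stray "=" removed); names are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the real link behind the "eBay" text in the phish mail.
PHISH_URL = (
    "http://scgi.ebay.com@%32%31%31%2E%32%31%37%2E%32%32%34%2E%31%30%32"
    ":%34%39%30%31/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D"
)


def real_destination(url: str) -> dict:
    """Return where a browser actually connects for `url`.

    The authority is split at its LAST "@" (RFC 3986): everything before it
    is userinfo handed to the server, never a hostname. Percent-escapes in
    the host and port are decoded only after that split, so an encoded "%40"
    inside the host part cannot move the boundary.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    userinfo, _, hostport = parts.netloc.rpartition("@")
    hostport = unquote(hostport)          # %32%31%31... -> 211...
    if hostport.startswith("["):          # IPv6 literal, e.g. [::1]:8080
        end = hostport.index("]")
        host, rest = hostport[1:end], hostport[end + 1:]
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return {
        "scheme": scheme,
        "userinfo": unquote(userinfo),
        "host": host.lower(),
        "port": int(port) if port else DEFAULT_PORTS.get(scheme),
        "path": unquote(parts.path) or "/",
    }


def is_literal_ip(host: str) -> bool:
    """True if `host` is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phish_indicators(url: str) -> list:
    """List the lure-like properties of `url`; empty for an ordinary link."""
    dest = real_destination(url)
    flags = []
    if dest["userinfo"] and "." in dest["userinfo"]:
        flags.append("userinfo looks like a hostname: %r" % dest["userinfo"])
    if is_literal_ip(dest["host"]):
        flags.append("real host is a bare IP address: %s" % dest["host"])
    if dest["port"] not in (80, 443):
        flags.append("non-standard port: %s" % dest["port"])
    if "%" in urlsplit(url).netloc:
        flags.append("percent-encoded host or port in the authority")
    return flags


if __name__ == "__main__":
    dest = real_destination(PHISH_URL)
    print("userinfo sent to server :", dest["userinfo"])
    print("real host:port          :", "%s:%s" % (dest["host"], dest["port"]))
    print("path                    :", dest["path"])
    for flag in phish_indicators(PHISH_URL):
        print(" -", flag)
```

Run on the sample, the checker reports the connection going to 211.217.224.102 port 4901 for /update/index.htm, with "scgi.ebay.com" sent as a bogus username, which is exactly what the message describes. Note that modern browsers have since changed how they display or confirm userinfo in URLs, so the on-screen behaviour differs from 2003, but the parsing rule is unchanged.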