[39818] in bugtraq


eBay phishing - phishers are getting better

daemon@ATHENA.MIT.EDU (John Gateley)
Fri Jul 22 17:29:33 2005

Date: Thu, 21 Jul 2005 15:33:22 -0500
From: John Gateley <gateley@jriver.com>
To: bugtraq@securityfocus.com
Message-Id: <20050721153322.382ab0cc.gateley@jriver.com>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg="PGP-SHA1";
 boundary="Signature=_Thu__21_Jul_2005_15_33_22_-0500_s+cJSitmUhk.kYcs"

--Signature=_Thu__21_Jul_2005_15_33_22_-0500_s+cJSitmUhk.kYcs
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I just got another phishing scam (targeting eBay).

The twist is that the subject line included my eBay username,
and it was sent to my eBay e-mail address. The phishers have
figured out how to get one from the other; I don't know how.

I sent it on to eBay but just got a standard form letter
back.

Is this happening to anyone else? Anyone know how they
were able to figure out my e-mail from user name (or
vice versa)?

j

text, with relevant portions removed:

Return-Path: <apache@www.nec.com.hk>
Delivered-To: xxxx@xxxx.xxxx.org
Received: (qmail 15267 invoked by alias); 21 Jul 2005 17:05:07 -0000
Delivered-To: xxxx@xxxx.org
Received: (qmail 15264 invoked from network); 21 Jul 2005 17:05:07 -0000
Received: from unknown (HELO localhost.localdomain) (203.194.209.141)
  by xxxx.xxxx.com with SMTP; 21 Jul 2005 17:05:07 -0000
Received: from www.nec.com.hk (www.nec.com.hk [127.0.0.1] (may be forged))
	by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6LIL8VB001107
	for <xxxx@xxxx.org>; Fri, 22 Jul 2005 02:21:08 +0800
Received: (from apache@localhost)
	by www.nec.com.hk (8.13.1/8.13.1/Submit) id j6LIL7MX001106;
	Fri, 22 Jul 2005 02:21:07 +0800
Date: Fri, 22 Jul 2005 02:21:07 +0800
Message-Id: <200507211821.j6LIL7MX001106@www.nec.com.hk>
From: "eBay" <aw-confirm@ebay.com>
Reply-to: 6884-lbpl-4t94@noreplay.ebay.com
Subject: Notification of Limited Account Access for xxxx
To: xxxx@xxxx.org
Content-type: text/html

<html>
<style type=3D"text/css">
<!--
.style3 {color: #FFFFFF}
-->
</style>

<body>
<table border=3D"0" width=3D"100%">
<tr>
<td width=3D"15%" align=3D"left">To:</td>
<td>xxxx</td>
</tr>
<tr>
<td width=3D"15%" align=3D"left">From:</td>
<td>eBay<span class=3D"style3">(   codeID=3D2574-h04b-ug97)</span></td>
</tr>
<tr>
<td width=3D"15%" align=3D"left">Subject:</td>
<td>Notification of Limited Account Access for xxxx<span class=3D"style3"> =
x route </span></td>
</tr>
<tr>
<td colspan=3D"2">---------------------------------------------------------=
---</td>
</tr>
<tr>
<td colspan=3D"2"><table cellpadding=3D"2" cellspacing=3D"0" border=3D"0" s=
tyle=3D"border: #e0e0e0 1px solid;" width=3D"100%">
<tr>
<td><p class=3D"V1Gray"><img alt=3D"The World's Online Marketplace" src=3D"=
http://battellemedia.com/images/ebayLogo-tm.jpg" border=3D0></p>
  <p class=3D"V1Gray">eBay sent this message to xxxx =A0(xxxx@xxxx.org
).<br>
			</p></td>
</tr>
</table>
<table cellSpacing=3D"0" cellPadding=3D"0" width=3D"100%" align=3D"center" =
border=3D"0">
<tbody>
<tr>
<td bgColor=3D"#9999cc" width=3D"1"><img height=3D"1" src=3D"http://pics.eb=
aystatic.com/aw/pics/s.gif"></td>
<td>
<table cellSpacing=3D"0" cellPadding=3D"0" width=3D"100%" align=3D"center" =
border=3D"0">
<tbody>
<tr bgColor=3D"#9999cc" height=3D"26">
<td>=A0 <span class=3D"A3B" style=3D"color:white;">Welcome to My Messages</=
span></td>
</tr>
<tr>
<td>
<table cellSpacing=3D"0" cellPadding=3D"5" width=3D"100%" bgColor=3D"white"=
 border=3D"0">
<tbody>
<tr>
<td colSpan=3D"6" bgcolor=3D"#FFFFFF"><img src=3D"http://pics.ebaystatic.co=
m/aw/pics/myMessages/note_570x30.gif" alt=3D" " border=3D"0">
  <p>
			Dear <span class=3D"V1Gray"> xxxx&nbsp;(xxxx@xxxx.org
),</span></p>
<p>
			This e-mail is the notification of recent innovations taken by eBay to d=
etect inactive customers and=20


 non-functioning billing process.<br>
			The inactive customers are subject to restriction and removal in the nex=
t 3 days. <br>
			You must click the link to complete the process.</p>
<p><a href=3D"http://signin.ebay.com.aw-cgi2.com/eBayISAPI.dll?VerifyID&Pla=
ceInfo&LogUID=3Dxxxx;UserRoute=3D2574-h04b-ug97">http://signin.ebay.com/eBa=
yISAPI.dll?Signln&amp;UserIDmail=3Dxxxx@xxxx.org
</a>  <span class=3D"style3"> =3D

=20
    type=3Dstate&amp;param=3Dxxxx-2574-h04b-ug97</span></p>
<p align=3D"left">(To complete the verification process you must fill in al=
l the required fields)</p>
<p> Notice: Refusal to cooperate in an investigation or provide confirmatio=
n of identity when requested are subject to restriction and removal in the =
next 3 days </p>
<p>Regards,<br>
  Customer Support (Trust and Safety Department),  <span class=3D"style3"> =
</span></p></td>
</tr>
<tr>
<td height=3D"10"></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td width=3D"100%" bgColor=3D"#9999cc"><img height=3D"1" src=3D"http://pics=
.ebaystatic.com/aw/pics/s.gif" width=3D"1"></td>
</tr>
</tbody>
</table>
</td>
<td bgColor=3D"#9999cc" width=3D"1"><img height=3D"1" src=3D"http://pics.eb=
aystatic.com/aw/pics/s.gif" width=3D"1"></td>
</tr>
</tbody>
</table>
<hr size=3D"1"></td>
</tr>
</table>
</body>
</html>


--=20
Public key at http://www.jriver.com/~gateley

--Signature=_Thu__21_Jul_2005_15_33_22_-0500_s+cJSitmUhk.kYcs
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC4AabV5bR5dKO+DsRAlD5AJ989Uw63x29GuyI4cLQfEVpwWmqsQCff/if
u+A3HWWAX349nQfL2xBMkKg=
=VLNg
-----END PGP SIGNATURE-----

--Signature=_Thu__21_Jul_2005_15_33_22_-0500_s+cJSitmUhk.kYcs--
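
Added example, not part of the original post: the anchor in the quoted message displays a signin.ebay.com URL while its href points at signin.ebay.com.aw-cgi2.com. The Python check below decodes the quoted-printable HTML and flags any link whose visible URL and href name different hosts; the function names, the `brand` parameter and the second (benign) sample link are assumptions made for illustration.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor from the message above, still quoted-printable
# encoded, followed by one constructed benign link that serves as a control.
SAMPLE_QP = (
    b'<a href=3D"http://signin.ebay.com.aw-cgi2.com/eBayISAPI.dll?VerifyID&Pla=\n'
    b'ceInfo&LogUID=3Dxxxx;UserRoute=3D2574-h04b-ug97">http://signin.ebay.com/eBa=\n'
    b'yISAPI.dll?Signln&amp;UserIDmail=3Dxxxx@xxxx.org\n'
    b'</a>\n'
    b'<a href=3D"http://www.ebay.com/">http://www.ebay.com/</a>\n'
)

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of an http(s) URL, or None if the text is not one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    return parts.hostname.lower() if parts.scheme in ("http", "https") and parts.hostname else None

def find_deceptive_links(qp_html, brand="ebay.com"):
    """Flag anchors whose visible URL names a different host than the href."""
    html = quopri.decodestring(qp_html).decode("iso-8859-1")
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target, shown = host_of(href), host_of(text)
        if target and shown and target != shown:
            # Brand appears as leading labels of a host that is not under the brand.
            lookalike = (brand + ".") in target and not ("." + target).endswith("." + brand)
            findings.append({"shown": shown, "target": target, "brand_lookalike": lookalike})
    return findings
```

Calling `find_deceptive_links(SAMPLE_QP)` reports only the first anchor; the control link, whose text and href agree, is not flagged.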
