The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   The Coat Room (http://hintsforums.macworld.com/forumdisplay.php?f=8)
-   -   Spoofs and frauds to watch out for (http://hintsforums.macworld.com/showthread.php?t=23499)

Phil St. Romain 05-05-2004 03:10 PM

Spoofs and frauds to watch out for
 
We've had threads on devious viruses. Spoofs and frauds can bite you pretty badly, too, if you're not careful.

Below is one that came in today. See if you can find what's wrong with it.
(Do NOT fill out the form you link to.)

------------------

From: "Support" <support@ebay.com>
To: <phil@shalomplace.com>
Subject: Your eBay Account Must Be Confirmed

Content-Type: text/html;

Update Your Credit / Debit Card On Your eBay File

Dear eBay member ,

During our regular and verification of the accounts we couldn't verify your current information, either your information Has changed or it is incomplete . if the account is not updated to current information within 5 days then , your access to Buy or Sell on eBay will be restricted

Go to the link below to Update your account information :

http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US

please dont reply to this email as you will not receive a response

Thank You for using eBay!

http://www.eBay.com

_________________________________________________________________________________________________________

As outlined in our user agreement , eBay will periodically send you information about site changes and enhancements, vist our Privacy Policy and User Agreement if you have any questions .

Copyright © 1995-2004 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.

miklb 05-05-2004 03:16 PM

I don't know what is wrong, I do know I get at least 3 of those a week. I simply forward them with all headers to spoof@ebay.com, and hope that they are as serious about catching someone as they say.

tylerkelly 05-05-2004 03:20 PM

eBay account info fraud
 
This is clever, but the poor English gives it away!

The linked site does look like eBay! But one giveaway is that it is not a secure site -- https. eBay would use SSH if they asked you to enter credit card info.

The upsetting thing about this is that experienced computer users would not be fooled, but it is just credible looking enough for an inexperienced person to be a victim of the fraud.

dhayton 05-05-2004 03:20 PM

What's wrong with it????

How about simply that you got it? I didn't think it was eBay's policy to send such emails? Further, there's a rather generic salutation. Doesn't eBay claim that they would not use a "dear member" greeting line?

And then the dead giveaway is the URL that you get when you roll over the link: ...p://61.100.12.150/....

Not an eBay address.

just my guesses.
darin


[edit to make url not active--i'd feel like crap if somebody followed that link because of me.]

yellow 05-05-2004 03:20 PM

Well, mainly, the host machine [61.100.12.150] is in Korea.

[ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam

This is just another phishing scam, but people might be fooled because the English is pretty good (I've seen much worse), and the site that you end up on looks pretty legit.

nkuvu 05-05-2004 03:21 PM

Whoa, I'm a slow typer today...

1. This is a known scam, eBay has issued advisories about it. ( ;) )

2. Poor grammar, typos. While not a sure fire method of seeing scams, it should raise flags.

3. Link provided doesn't go where it says it goes. This is the biggie. If you roll the mouse over the link (and have your status bar visible) you can see that it links to 61.100.12.150, not signin.ebay.com like it shows. There shouldn't be any discrepancy here. I've also seen links to addresses all in HTML entities. That is, links like http%3a%2f%2fwww%2efoobar%2ecom (that's http://www.foobar.com).

dhayton 05-05-2004 03:23 PM

Quote:

Originally Posted by yellow
Well, mainly, the host machine [61.100.12.150] is in Korea.

[ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam

This is just another phishing scam, but people might be fooled because the English is pretty good (I've seen much worse), and the site that you end up on looks pretty legit.

my day is complete....i can die a happy man....i beat Yellow to the right answer ;)

Best,
d

tylerkelly 05-05-2004 03:25 PM

This fraud appears to be from Korea. Try typing just the IP into your browser, i.e., http://61.100.12.150

Phil St. Romain 05-05-2004 03:48 PM

OK, you all get an A+, but I don't think poor grammar was the giveaway. There's plenty of that from corporations and people who ought to know better.

Someone not familiar with eBay policies might not pick up on this one, as there's a link to eBay's privacy policies and to the user agreement. Those links are valid, as are the others to ebay, including all the others on the web page, which uses eBay's format.

The IP address was the dead giveaway to me, along with having to provide ID and password on the same page as credit card info. I was about to fill it in when I thought it odd that I wasn't asked to log in first. Then I noticed the IP address.

I wonder how many people fall prey to this sort of thing? It's easy to see how it could happen.

yellow 05-05-2004 03:54 PM

Quote:

Originally Posted by Phil St. Romain
I wonder how many people fall prey to this sort of thing? It's easy to see how it could happen.

Enough people to make phishing and identity theft a booming "business". These people are getting more sophisticated. How long before there is a phishing scam that directs you to an actual registered domain name with a webpage at http://www.ebey.com? How many people might actually notice the registered name is different?

hayne 05-05-2004 04:02 PM

Quote:

Originally Posted by Phil St. Romain
I thought it odd that I wasn't ask to log in first

Some of these phishers do ask you to log in. But the login succeeds no matter what password you enter (because they don't know your password - the point of this is to get you to enter your password).

Hence one simple test you can do is to deliberately enter a wrong password. If it succeeds, you are certainly dealing with a phishing scam. But note that if it doesn't succeed, it still might be a scam, just a more sophisticated one that knows that people might be doing this sort of test!

Of course, as others have said, it is almost 100% true that no reputable organization will be making this sort of request of you by email. Such requests are almost always scams.

nkuvu 05-05-2004 04:09 PM

My favorite was an email very similar to the one provided here. But instead of a text link, there was a button provided.

This was sent to my Hotmail address (and many other Hotmail addresses (any mail sent there is automatically suspect anyway, since that's my trash account)) so they knew that my email 'client' would put the button on the page, not the HTML. I had to view the raw message text (an option in Hotmail) to verify that it was not going where I thought it should.

bramley 05-05-2004 04:21 PM

Quote:

Originally Posted by yellow
How long before there is a phishing scam that directs you to an actual registered domain name with a webpage at http://www.ebey.com? How many people might actually notice the registered name is different?

Ouch! Scary thought! Maybe Apple could build an IP address checker into, say, Keychain, so that the machine could spot the prob even if the user doesn't. i.e. Keychain remembers the IP address from the first login and compares them for all future logins.

schneb 05-05-2004 05:05 PM

Happened with PayPal Too...
 
When I contacted PayPal, their rule of thumb is... "Never provide information via an email link. Always go directly to the site and login. No legit business would ever have you give account information via email."

saint.duo 05-05-2004 06:32 PM

By the by, I've received spoof emails for ebay where the URL went to something along the lines of:

http://www.ebay.comblahblahblah:more...ress.in.korea/

In other words, they used the login field of a URL to make it look like an ebay address.

Craig R. Arko 05-05-2004 07:04 PM

Quote:

Originally Posted by bramley
Ouch! Scary thought! Maybe Apple could built an IP address checker into, say Key Chain, so that the machine could spot the prob even if the user doesn't. i.e. Key Chain remembers the IP address from the first login and compares them for all future logins.


That's kind of the point of security certificates for sites; to validate that they are who they say they are. This does require a secure connection, typically using the https protocol.

bramley 05-06-2004 06:04 AM

Quote:

Originally Posted by Craig R. Arko
That's kind of the point of security certificates for sites; to validate that they are who they say they are. This does require a secure connection, typically using the https protocol.

I admit that my knowledge of how security certificates et al work is a little sketchy. I keep meaning to sort this out :o

BUT ...

Phil noticed that the site wasn't secure. But if the website "shop front" had looked authentic, and the email had a website that looked at first glance to be right (and there are ways of making it look completely right to the casual observer - I can think of two ways, and I'm hardly a HTML expert) how many people would have noticed the address bar in their browser was "unusual" and they weren't secure as they logged in?

Far too many, I feel. So how about Safari (not Keychain) being able to use Bayesian techniques (like Apple's junk mail filters) to spot the "sounds likes" and post a warning. Actually, come to think of it, you could probably bolt something together in AppleScript fairly easily, if only for proof of concept .... Hmmm! [goes away, engaging boffin mode]

yellow 05-06-2004 07:24 AM

While a noble idea, I'm not sure you could wrangle Bayesian filtering to work for websites. Let's face it, there are a lot of different ways to do the same thing and have them all look pretty much the same in a web browser. I believe that there would be so much variation that it would confuse a Bayesian system. Bayesian filtering (for mail at least) uses specific keys in what it reads to recognize good from bad. What exactly would you focus on? Unfortunately in webpages, I could write a really poor website with tons of spelling mistakes, HTML faux pas, screwy addresses, and it might still be a legitimate site.
Besides, you'd have to 'feed' 'bad' web pages to it as well as good ones to make it accurate.

daniel3625 05-06-2004 08:26 AM

LOL!! :D Click on the link...get rid of the junk in front of the IP address and it takes you to some totally ebay unrelated site!!! LOL!

bramley 05-06-2004 09:08 AM

Quote:

Originally Posted by yellow
While a noble idea, I'm not sure you could wrangle Bayesian filtering to work for websites. Let's face it, there are a lot of different ways to do the same thing and have them all look pretty much the same in a web browser. ......... Bayesian filtering (for mail at least) uses specific keys in what it reads to recognize good from bad. What exactly would you focus on? Unfortunately in webpages, I could write a really poor website with tons of spelling mistakes, HTML faux pas, screwy addresses, and it might still be a legitimate site.
Besides, you'd have to 'feed' 'bad' web pages to it as well as good ones to make it accurate.

All perfectly good points. I was thinking more about filtering the URL text, i.e. what appears in the address bar on your browser. A filter will never get the whole page, and doesn't need to. The human brain would spot a fake page long before a filter ever could. Most people seem to have "flagged" the spelling mistakes in Phil's email as more important than the detail of the URLs, for example. Admittedly, Phil prompted us with the knowledge that it wasn't kosher beforehand.

A filter (not necessarily Bayesian) could be restricted to comparing the current "http" URL with "https" URLs abstracted from the user's history (giving a list of "good" sites that are assumed to also be critical), and go "AWOOGA! AWOOGA!" if it finds a similarity. We don't use too many https sites, so each personal list of secure sites might be good enough as a set of search keys.

This leaves the possibility of the bad guys using "https" themselves, but this is where security certificates have to come in.

daniel3625 05-06-2004 09:16 AM

i find if u just don't go giving your credit card over the web you're safe!

yellow 05-06-2004 09:21 AM

Quote:

Originally Posted by daniel3625
i find if u just don't go giving your credit card over the web you're safe!

Sadly, this isn't possible to do for some people in this day and age..
Well, that's not necessarily true.. I should have said, this makes life much more difficult for some people.

Phil St. Romain 05-06-2004 10:16 AM

Quote:

Originally Posted by daniel3625
i find if u just don't go giving your credit card over the web you're safe!

Well, that would be the end of e-commerce, which I depend upon for at least part of my income.

There really does need to be a "Consumer-Beware!" campaign about all this. I'm realizing now how easy it would be to spoof people into believing they've logged in, and even to set up a subdomain that would begin with ebay, paypal, or something else.

I've actually had notices from paypal about needing to update credit card info that were legit (the expiration date on the card I'd input was about to expire). I had to log in first and go to my account settings and there was my old information. I think the key has to be that secure log-in, leading to settings that you can see you've actually input. Without these two factors in place, then you're probably looking at a scam.

yellow 05-06-2004 10:29 AM

Even then you can't entirely be sure you're safe, as legit websites have been hijacked before. You might think you've gone to www.paypal.com, but the site was being DDOS'd and spoofed and you actually ended up someplace else. Like you said, there needs to be improvement in the infrastructure and the education of end users. Scammers will get more sophisticated and security people are running out of appendages to jam in the dike. Proactive man, not reactive! Contemporize! It sounds like yooou, are working for your car, maaan!
Ack! The hippie Simpsons guy appeared!

cudaboy_71 05-06-2004 11:28 AM

to make things worse, these scammers are branching out. over the past few months i've gotten similar messages with subjects like: "you need to verify your citicards account", "please verify your capital one account", "update your wells fargo information", etc. (FYI these are credit card and banking institutions)

they are all similar to the ebay notes, though the grammar is getting better. the *REALLY* sad thing is i think the capital one note may have been legit. i spent about 15 minutes checking out the link and doing some research and it looks like it went to their real site.

it doesn't help the problem if legitimate companies are going to link from email messages. some sort of policy needs to be implemented so that it becomes a knee-jerk reaction for users to close down the email message, switch to a browser, and manually type in your url/click your bookmark if *real* accounts need attention. if the legitimate corporations reiterate this in their messages it would help. but, if (and i repeat IF) capital one is passing messages that mimic the scam messages i think there will end up being some real floridian-hanging-chad style confusion here.

Phil St. Romain 05-06-2004 12:18 PM

Man alive! I got the same exact email today that I posted at the top of this thread, including the eBay URL, which now leads to this: http://61.100.12.150/verification/account/enter.htm

You could easily be duped by that one! Looking at the form action in the page source, even that seems to point to eBay. Still, there's that oriental IP, and no security.

Edit: of course eBay has a Standard sign-in form as well, so the lack of security isn't necessarily the giveaway. And, the deceptive site I now notice even has secure sign-in and a secure connection is registered (on eBay . . . I think).

So all you have, really, is that bogus IP address, and if they were slick, they could fix that up with a subdomain prefix.

I think a lot of people are going to get really screwed with this one! :eek:

dzurn 05-06-2004 01:45 PM

URL Deciphering Tools
 
There's some good URL deciphering tools available here.

You can paste in any URL and it will tell you exactly what that URL will do/will go/with which username etc. Really useful. Check it out.

BTW, it correctly decoded that long URL on the first page of comments!
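The kind of deconstruction dzurn's tools do, as an added example written for this thread (it is not any of those tools, nor code from eBay): it pulls the real host out of a URL, separates the login name that saint.duo's `user:pass@host` trick hides in front of the `@`, flags a bare IP like the one in Phil's email, catches the one-letter lookalike yellow worries about (ebey.com) and the brand-as-subdomain trick Phil mentions, and undoes the all-percent-escapes form nkuvu saw. Standard library only. The `WATCHED_BRANDS` list and the sample URLs are assumptions constructed for the demo; 61.100.12.150 is the address posted in the thread.

```python
"""Break a URL into the parts a phisher hopes you will not look at.

Added example for this thread; not any of the linked "URL deciphering
tools" and not eBay code. Standard library only. The sample URLs in
__main__ are constructed for the demo (the userinfo form follows
saint.duo's description; ebey.com and ebay.example.net are made up).
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumption: brands the user holds accounts with.
WATCHED_BRANDS = ("ebay", "paypal")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-letter lookalikes (ebey vs ebay)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels. Assumption:
    no multi-label public suffixes (co.uk) occur in the input."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(raw: str) -> dict:
    """Return the real host, its registered domain, any userinfo, and a
    list of finding tags the reader should treat as red flags."""
    # Undo the all-percent-escapes trick (http%3a%2f%2f...). A production
    # tool would decode per component rather than the whole string.
    parts = urlsplit(unquote(raw))
    host = (parts.hostname or "").lower()
    user = parts.username
    reg = host if is_ip(host) else registered_domain(host)
    label = reg.split(".")[0]
    findings = []

    if user is not None:
        # Everything before '@' is a login name; the browser connects
        # to parts.hostname, not to that text.
        findings.append("userinfo")
    if is_ip(host):
        findings.append("bare-ip")
    if parts.scheme != "https":
        findings.append("no-tls")

    for brand in WATCHED_BRANDS:
        if brand in (user or "").lower():
            findings.append(f"brand-in-userinfo:{brand}")
        if label == brand:
            continue                                   # brand owns this domain
        if levenshtein(label, brand) <= 1:
            findings.append(f"lookalike:{brand}")           # ebey.com
        elif brand in host:
            findings.append(f"brand-as-subdomain:{brand}")  # ebay.example.net

    return {"host": host, "registered_domain": reg,
            "username": user, "findings": findings}


if __name__ == "__main__":
    samples = [  # constructed for the demo
        "http://www.ebay.com:update@61.100.12.150/verification/account/enter.htm",
        "http://61.100.12.150/verification/account/enter.htm",
        "https://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn",
        "http://www.ebey.com/signin",
        "http://ebay.example.net/login",
        "http%3a%2f%2fwww%2efoobar%2ecom",
    ]
    for s in samples:
        r = analyze_url(s)
        print(f"{s}\n  host={r['host']!r} user={r['username']!r} "
              f"reg={r['registered_domain']!r} flags={r['findings']}")
```

The first sample is the interesting one: the browser reports `www.ebay.com` as a *username* and connects to `61.100.12.150`. The registered-domain guess is deliberately crude; anything serious should use the public suffix list.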

dhayton 05-06-2004 02:57 PM

Quote:

Originally Posted by Phil St. Romain
Man alive! I got the same exact email today that I posted at the top of this thread, including the eBay URL, which now leads to this: http://61.100.12.150/verification/account/enter.htm

You could easily be duped by that one! Looking at the form action in the page source, even that seems to point to eBay. Still, there's that oriental IP, and no security.

Edit: of course eBay has a Standard sign-in form as well, so the lack of security isn't necessarily the giveaway. And, the deceptive site I now notice even has secure sign-in and a secure connection is registered (on eBay . . . I think).

So all you have, really, is that bogus IP address, and if they were slick, they could fix that up with a subdomain prefix.

I think a lot of people are going to get really screwed with this one! :eek:

So, out of curiosity, I went to that link and tried "signing in" a variety of random account names and passwords and they were all rejected. Is this just random luck, or do they have some way to check these?

Best,
d

yellow 05-06-2004 03:08 PM

Nooooo... I imagine this would be a way to gather people's usernames and passwords. People type in their correct username & password and get rejected. Then they do it again, and possibly again. Compare the 3 for accuracy and voila, you have some poor fool's login on eBay. This would make targeted phishing scam emails more accurate later. Instead of a generic email, they know your username (& might provide password for further "proof"). I wonder how it'll handle buffer overflows? :)

dzurn 05-06-2004 03:14 PM

That's what "Phish"-ing is!
 
Quote:

Originally Posted by dhayton
So, out of curiosity, I went to that link and tried "signing in" a variety of random account names and passwords and they were all rejected. Is this just random luck, or do they have some way to check these?

Best,
d

You were maybe expecting that it would sign you in to eBay? The website is "phish"-ing for username/passwords that they will save and later try on eBay to get into your account.

So if someone naively thought it really was an eBay site and their password didn't work, they wouldn't suspect fraud, just "oh, it's not working now" or "I must have mistyped it", not suspecting they told the 'phish'ers exactly what password to try.

Sneaky, eh?

Phil St. Romain 05-06-2004 08:04 PM

LOL, yellow! :) I got it in my email, however.

6Ad 60Y! ;)

yellow 05-06-2004 08:45 PM

Yeah I thought better of my post, it didn't really add much to the discussion.

dhayton 05-06-2004 08:48 PM

Quote:

Originally Posted by dzurn
You were maybe expecting that it would sign you in to eBay? The website is "phish"-ing for username/passwords that they will save and later try on eBay to get into your account.

So if someone naively thought it really was an eBay site and their password didn't work, they wouldn't suspect fraud, just "oh, it's not working now" or "I must have mistyped it", not suspecting they told the 'phish'ers exactly what password to try.

Sneaky, eh?

It wasn't clear to me that they were phishing for username/password as opposed to credit/debit card information. In the latter case, which seems to have been the point of the initial email, I would expect any username/password to work so that you could "verify" the credit/debit card info.

Best,
d

Phil St. Romain 03-31-2005 10:51 AM

I discovered today that Eudora alerts one to a possible spoof when you hold the cursor over the link. I received a phishing spam inviting me to update my account information for accounts.keybank.com (I don't even bank with them!). When hovering over the link, a dialogue box appeared noting that
Quote:

The actual host (IP address given) is different from the host, accounts.keybank.com, in the link text.
I don't know if other email programs do this, but it's a nice feature.
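The check Phil sees Eudora make here (actual host versus the host in the link text) is the same one nkuvu describes doing by hand with the status bar earlier in the thread, and the one nkuvu's Hotmail button defeated because there was no text to compare. This added example, written for this thread and not Eudora's code or anything from the original posts, walks the `<a>` tags of an HTML message and reports mismatches, links whose text is not an address, and image/button links with nothing to compare. Standard library only. `SAMPLE_EMAIL` is a constructed imitation of the message at the top of the thread; its hrefs, the image button and the privacy link are made up for the demo.

```python
"""Compare where each link in an HTML e-mail says it goes with where
it really goes. Added example, not Eudora's code and not from the
thread. Standard library only; SAMPLE_EMAIL is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Text a human reads as an address: optional scheme, a dotted name,
# then end-of-text, '/', ':' or '?'.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?=$|[/:?])", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the message."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: &amp; -> &
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            if "href" in attrs:
                self._href, self._text = attrs["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Lower-cased hostname of a URL or URL-looking text; percent escapes
    are undone first so http%3a%2f%2f... resolves as well."""
    s = unquote(s.strip())
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def check_links(html: str) -> list:
    """One result per link: shown host, actual host and a verdict."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    results = []
    for href, text in p.links:
        actual = host_of(href)
        if not text:
            # Image/button links carry no text to compare; only the raw
            # message source shows where they go.
            verdict, shown = "no-text", None
        elif URL_LIKE.match(text):
            shown = host_of(text)
            verdict = "match" if shown == actual else "mismatch"
        else:
            verdict, shown = "plain-text", None      # e.g. "Privacy Policy"
        results.append({"href": href, "text": text, "shown_host": shown,
                        "actual_host": actual, "verdict": verdict})
    return results


# Constructed imitation of the thread's e-mail; not the real message.
SAMPLE_EMAIL = """
<p>Go to the link below to Update your account information :</p>
<p><a href="http://61.100.12.150/verification/account/enter.htm">http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&amp;ssPageName=h:h:sin:US</a></p>
<p>vist our <a href="http://www.ebay.com/">Privacy Policy</a></p>
<p><a href="http://61.100.12.150/verification/"><img src="update.gif" alt=""></a></p>
<p><a href="http://www.eBay.com">http://www.eBay.com</a></p>
"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL):
        if r["verdict"] == "mismatch":
            print(f"WARNING: text shows {r['shown_host']} but the link goes to {r['actual_host']}")
        else:
            print(f"{r['verdict']:10s} {r['actual_host']}  {r['text'] or '<no text>'}")
```

Only the first link trips the warning; the privacy link has ordinary text (nothing to compare, so it is neither cleared nor flagged), and the image button is reported as unverifiable, which is the case that forced nkuvu to read the raw message.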

yellow 03-31-2005 11:24 AM

Very interesting.. and pretty easy to write and include into an app. Hopefully they tested a bit with false positives.

Craig R. Arko 03-31-2005 12:26 PM

Heh; I got one the other day saying Paris Hilton needed my bank account information. I didn't believe it, and she'd probably store it on her cellphone anyway. ;)

I wonder when the asteroid is finally going to hit Earth and put an end to this stuff.

yellow 03-31-2005 12:44 PM

Quote:

Originally Posted by Craig R. Arko
Heh; I got one the other day saying Paris Hilton needed my bank account information. I didn't believe it, and she'd probably store it on her cellphone anyway.

Muahahaha! :D

http://www.glarkware.com/media/produ..._u_paris_1.jpg

macmath 04-02-2005 10:55 PM

I installed clamavX the other day. When I ran it on a copy of my /Library/Mail folder, it identified a PayPal phishing email as such. I don't know how accurate it is, but it does attempt to identify them.

Jamin42b 04-03-2005 03:30 PM

What about adding internationalized domain names... :eek:

http://www.betanews.com/article/Mozi...law/1108511234



Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.