Spoofs and frauds to watch out for (http://hintsforums.macworld.com/showthread.php?t=23499)

daniel3625 05-06-2004 09:16 AM

i find if u just don't go giving your credit card over the web you're safe!

yellow 05-06-2004 09:21 AM

Quote:

Originally Posted by daniel3625
i find if u just don't go giving your credit card over the web you're safe!

Sadly, this isn't possible to do for some people in this day and age..
Well, that's not necessarily true.. I should have said, this makes life much more difficult for some people.

Phil St. Romain 05-06-2004 10:16 AM

Quote:

Originally Posted by daniel3625
i find if u just don't go giving your credit card over the web you're safe!

Well, that would be the end of e-commerce, which I depend upon for at least part of my income.

There really does need to be a "Consumer-Beware!" campaign about all this. I'm realizing now how easy it would be to spoof people into believing they've logged in, and even to set up a subdomain that would begin with ebay, paypal, or something else.

I've actually had notices from paypal about needing to update credit card info that were legit (the expiration date on the card I'd input was about to expire). I had to log in first and go to my account settings and there was my old information. I think the key has to be that secure log-in, leading to settings that you can see you've actually input. Without these two factors in place, then you're probably looking at a scam.

yellow 05-06-2004 10:29 AM

Even then you can't entirely be sure you're safe, as legit websites have been hijacked before. You might think you've gone to www.paypal.com, but the site was being DDOS'd and spoofed and you actually ended up someplace else. Like you said, there needs to be improvement in the infrastructure and the education of end users. Scammers will get more sophisticated and security people are running out of appendages to jam in the dike. Proactive man, not reactive! Contemporize! It sounds like yooou, are working for your car, maaan!
Ack! The hippie Simpsons guy appeared!

cudaboy_71 05-06-2004 11:28 AM

to make things worse, these scammers are branching out. over the past few months i've gotten similar messages with subjects like: "you need to verify your citicards account", "please verify your capital one account", "update your wells fargo information", etc. (FYI these are credit card and banking institutions)

they are all similar to the ebay notes, tho the grammar is getting better. the *REALLY* sad thing is i think the capital one note may have been legit. i spent about 15 minutes checking out the link and doing some research and it looks like it went to their real site.

it doesn't help the problem if legitimate companies are going to link from email messages. some sort of policy needs to be implemented so that it becomes a knee-jerk reaction for users to close down the email message, switch to a browser, and manually type in your url/click your bookmark if *real* accounts need attention. if the legitimate corporations reiterate this in their messages it would help. but, if (and i repeat IF) capital one is passing messages that mimic the scam messages i think there will end up being some real floridian-hanging-chad style confusion here.

Phil St. Romain 05-06-2004 12:18 PM

Man alive! I got the same exact email today that I posted at the top of this thread, including the eBay URL, which now leads to this: http://61.100.12.150/verification/account/enter.htm

You could easily be duped by that one! Looking at the form action in the page source, even that seems to point to eBay. Still, there's that oriental IP, and no security.

Edit: of course eBay has a Standard sign-in form as well, so the lack of security isn't necessarily the giveaway. And, the deceptive site I now notice even has secure sign-in and a secure connection is registered (on eBay . . . I think).

So all you have, really, is that bogus IP address, and if they were slick, they could fix that up with a subdomain prefix.

I think a lot of people are going to get really screwed with this one! :eek:

dzurn 05-06-2004 01:45 PM

URL Deciphering Tools
 
There's some good URL deciphering tools available here.

You can paste in any URL and it will tell you exactly what that URL will do/will go/with which username etc. Really useful. Check it out.

BTW, it correctly decoded that long URL on the first page of comments!

dhayton 05-06-2004 02:57 PM

Quote:

Originally Posted by Phil St. Romain
Man alive! I got the same exact email today that I posted at the top of this thread, including the eBay URL, which now leads to this: http://61.100.12.150/verification/account/enter.htm

You could easily be duped by that one! Looking at the form action in the page source, even that seems to point to eBay. Still, there's that oriental IP, and no security.

Edit: of course eBay has a Standard sign-in form as well, so the lack of security isn't necessarily the giveaway. And, the deceptive site I now notice even has secure sign-in and a secure connection is registered (on eBay . . . I think).

So all you have, really, is that bogus IP address, and if they were slick, they could fix that up with a subdomain prefix.

I think a lot of people are going to get really screwed with this one! :eek:

So, out of curiosity, I went to that link and tried "signing in" a variety of random account names and passwords and they were all rejected. Is this just random luck, or do they have some way to check these?

Best,
d

yellow 05-06-2004 03:08 PM

Nooooo... I imagine this would be a way to gather people's usernames and passwords. People type in their correct username & password and get rejected. Then they do it again, and possibly again. Compare the 3 for accuracy and voila, you have some poor fool's login on eBay. This would make targeted phishing scam emails more accurate later. Instead of a generic email, they know your username (& might provide password for further "proof"). I wonder how it'll handle buffer overflows? :)

dzurn 05-06-2004 03:14 PM

That's what "Phish"-ing is!
 
Quote:

Originally Posted by dhayton
So, out of curiosity, I went to that link and tried "signing in" a variety of random account names and passwords and they were all rejected. Is this just random luck, or do they have some way to check these?

Best,
d

You were maybe expecting that it would sign you in to eBay? The website is "phish"-ing for username/passwords that they will save and later try on eBay to get into your account.

So if someone naively thought it really was an eBay site and their password didn't work, they wouldn't suspect fraud, just "oh, it's not working now" or "I must have mistyped it", not suspecting they told the 'phish'ers exactly what password to try.

Sneaky, eh?

Phil St. Romain 05-06-2004 08:04 PM

LOL, yellow! :) I got it in my email, however.

6Ad 60Y! ;)

yellow 05-06-2004 08:45 PM

Yeah I thought better of my post, it didn't really add much to the discussion.

dhayton 05-06-2004 08:48 PM

Quote:

Originally Posted by dzurn
You were maybe expecting that it would sign you in to eBay? The website is "phish"-ing for username/passwords that they will save and later try on eBay to get into your account.

So if someone naively thought it really was an eBay site and their password didn't work, they wouldn't suspect fraud, just "oh, it's not working now" or "I must have mistyped it", not suspecting they told the 'phish'ers exactly what password to try.

Sneaky, eh?

It wasn't clear to me that they were phishing for username/password as opposed to credit/debit card information. In the latter case, which seems to have been the point of the initial email, I would expect any username/password to work so that you could "verify" the credit/debit card info.

Best,
d

Phil St. Romain 03-31-2005 10:51 AM

I discovered today that Eudora alerts one to a possible spoof when you hold the cursor over the link. I received a phishing spam inviting me to update my account information for accounts.keybank.com (I don't even bank with them!). When hovering over the link, a dialogue box appeared noting that

Quote:

The actual host (IP address given) is different from the host, accounts.keybank.com, in the link text.

I don't know if other email programs do this, but it's a nice feature.

yellow 03-31-2005 11:24 AM

Very interesting.. and pretty easy to write and include into an app. Hopefully they tested a bit with false positives.
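
The hover check described in the two posts above (host in the link text versus the host the link really goes to), as an added example that is not from the thread and not Eudora's code. The flag names, the helper names and the sample message are constructed for illustration; the subdomain allowance in `related` is one assumed way to keep `paypal.com` versus `www.paypal.com` from raising a false positive.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def shown_host(text):  # host named in the link text, None for ordinary words
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname

def related(a, b):  # www.paypal.com vs paypal.com is not a spoof
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_link(href, text):
    url = urlsplit(href)
    host, shown = url.hostname or "", shown_host(text)
    checks = {
        "ip-literal-host": is_ip(host),
        "userinfo-before-host": url.username is not None,
        "text-host-mismatch": bool(shown and host) and not related(shown, host),
    }
    return [name for name, hit in checks.items() if hit]

def scan(html):
    parser = Links()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.found]

CONSTRUCTED_SAMPLE = """<a href="http://192.0.2.10/verification/account/enter.htm">http://signin.ebay.com/</a>
<a href="https://www.paypal.com/login">paypal.com</a>
<a href="http://www.ebay.com@phish.example/">Click here</a>"""
```

A link whose text is ordinary words and whose host is a look-alike name produces no flag here, so this check complements, rather than replaces, reading the real host before signing in.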

Craig R. Arko 03-31-2005 12:26 PM

Heh; I got one the other day saying Paris Hilton needed my bank account information. I didn't believe it, and she'd probably store it on her cellphone anyway. ;)

I wonder when the asteroid is finally going to hit Earth and put an end to this stuff.

yellow 03-31-2005 12:44 PM

Quote:

Originally Posted by Craig R. Arko
Heh; I got one the other day saying Paris Hilton needed my bank account information. I didn't believe it, and she'd probably store it on her cellphone anyway.

Muahahaha! :D

http://www.glarkware.com/media/produ..._u_paris_1.jpg

macmath 04-02-2005 10:55 PM

I installed clamavX the other day. When I ran it on a copy of my /Library/Mail folder, it identified a PayPal phishing email as such. I don't know how accurate it is, but it does attempt to identify them.

Jamin42b 04-03-2005 03:30 PM

What about adding internationalized domain names... :eek:

http://www.betanews.com/article/Mozi...law/1108511234

