eBay Phishing Scheme
When I sat down at my desk just now, I found an email from an eBay user named ‘yuki668’ asking simply “Hello, do you accept PayPal?”. This seemed a bit fishy, so I decided to dig into it a little.
It turns out to be the best-made phishing scheme I have seen yet. It looks like a valid email from eBay, takes you to a look-alike login page, lets you compose a reply, and even appears to send the message, then offers to redirect you to My eBay and various other pages.
Here are some screenshots of this message and the hosted false pages:
· Original email from ‘yuki668’ asking a ‘question’.
· Fake eBay login page.
· Fake message composition page.
· Fake sent message confirmation.
I have to say, since I’m actively selling something on eBay, this almost fooled me. The way I knew it wasn’t right: the original email message didn’t say that it was a question about a particular item…
Anyway, here is the full header of the email, if you are curious:
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on rez.nuxx.net
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=5.0 tests=HTML_FONT_BIG,HTML_MESSAGE,
    HTML_TAG_EXIST_TBODY,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,
    UNDISC_RECIPS autolearn=no version=3.1.0
Received: (qmail 33525 invoked by uid 89); 9 Feb 2006 22:19:28 -0000
Delivered-To: nuxx.net-ebay@nuxx.net
Received: (qmail 33523 invoked from network); 9 Feb 2006 22:19:27 -0000
Received: from unknown (HELO nj.jtbusa.com) (209.113.224.178)
    by bornslippy.nuxx.net with SMTP; 9 Feb 2006 22:19:27 -0000
Received: from net1.nj.jtbusa.com (localhost.nj.jtbusa.com [127.0.0.1])
    by nj.jtbusa.com (8.12.9p2/8.11.6) with ESMTP id k19MHhcV051714
    for; Thu, 9 Feb 2006 17:17:44 -0500 (EST)
    (envelope-from root@net1.nj.jtbusa.com)
Received: (from root@localhost)
    by net1.nj.jtbusa.com (8.12.9p2/8.12.9/Submit) id k19MHg6Q051713
    for ebay@nuxx.net; Thu, 9 Feb 2006 17:17:42 -0500 (EST)
    (envelope-from root)
Date: Thu, 9 Feb 2006 17:17:42 -0500 (EST)
Message-Id: <200602092217.k19MHg6Q051713@net1.nj.jtbusa.com>
From: "eBay Member: yuki668"
Subject: Message from eBay Member
Content-Type: text/html
To: undisclosed-recipients:;
So, yeah… You might want to keep an eye out for something like this. Additionally, I’m not sure how easy it’ll be to filter, because except for eBay’s inclusion of a plain-text copy of the message, and the phishing message’s proper formatting of the raw HTML (eBay’s isn’t like this), the messages appear to be quite similar.
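As an added example (not part of the original post, and not eBay's or SpamAssassin's own logic), here is a small Python check that scores the raw headers above on the indicators they expose: an HTML-only body with no plain-text copy, a From line claiming eBay while the Message-Id and the delivering host are elsewhere, and an undisclosed-recipients To line. The ebay.com allow-list (LEGIT_DOMAINS) is an assumption, and the header sample is trimmed from the post with its folded lines re-indented.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the relevant headers from the post above, with
# continuation lines re-indented so they parse as folded headers.
RAW_HEADERS = """\
Received: from unknown (HELO nj.jtbusa.com) (209.113.224.178)
  by bornslippy.nuxx.net with SMTP; 9 Feb 2006 22:19:27 -0000
Received: from net1.nj.jtbusa.com (localhost.nj.jtbusa.com [127.0.0.1])
  by nj.jtbusa.com (8.12.9p2/8.11.6) with ESMTP id k19MHhcV051714
  for; Thu, 9 Feb 2006 17:17:44 -0500 (EST)
Message-Id: <200602092217.k19MHg6Q051713@net1.nj.jtbusa.com>
From: "eBay Member: yuki668"
Content-Type: text/html
To: undisclosed-recipients:;
"""

# Assumption: genuine eBay member mail originates from ebay.com hosts.
LEGIT_DOMAINS = ("ebay.com",)


def _domain_ok(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def phishing_indicators(raw: str) -> list[str]:
    """Return the names of the indicators that fire on a raw header block."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    hits = []
    # eBay's own messages carry a text/plain copy; a bare text/html body does not.
    ctype = msg.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        hits.append("html_only")
    claims_ebay = "ebay" in msg.get("From", "").lower()
    # When the sender claims to be eBay, the Message-Id should be minted by an eBay host.
    mid = re.search(r"@([^>\s]+)", msg.get("Message-Id", ""))
    if claims_ebay and (mid is None or not _domain_ok(mid.group(1))):
        hits.append("message_id_domain")
    # Topmost Received header: the host that handed the mail to our own server.
    received = msg.get_all("Received") or []
    if claims_ebay and received:
        helo = re.search(r"HELO\s+([\w.-]+)", received[0])
        if helo is None or not _domain_ok(helo.group(1)):
            hits.append("received_domain")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        hits.append("undisclosed_recipients")
    return hits
```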
Hmm. A South Korean domain.
Thusly the username and password used were:
u: lickmyballs
p: you_dirty_korean_dog
I’ve been getting hit with a lot of phishing emails lately too.
Yeh man, I got one of these the other day. And since my site does utilize the PayPal wrapper through SSL curl, for a split second I thought it was someone who used my site. I get a lot of random PayPal transactions in my account from these people, so it made me think.
I just was wondering why someone would email me through ebay/paypal instead of directly through my site.
Taking a glance at the domain name and then the general clickable link to respond made me delete the email right after that.
These phishing attempts are getting better.
This one really impressed me… Normally I just sort of giggle at the broken HTML of the sites, but except for the domain name (and it’s accepting anything for the username and password), this one was spot on.
Yeh, you’re right. I got mine early in the morning, pre-coffee. It made me think a minute. Like you said, the others are just funny. Especially for bank accounts from banks I’ve never heard of!
Re: Good timing
Those ones I get all the time… Fortunately they are almost all marked as spam. This one, though, had a really good fake page which had complete follow-through.
All that ultimately matters is we know we have changed for the better and will continue leading our lives in the best way possible. :)
I keep getting those on my work e-mail account. Just dumb dumb dumb.
I get those all the time for my MSU account. The worst ones are the ones from banks; I never fall for them, but a lot of people at my school do. A lot of times the message reads “we have lose (something something) please log into your account within 24 hours or else your account will be suspended” followed by a link. Unfortunately, the MSU e-mail doesn’t have a spam filter, so it doesn’t tell people it is spam, and a lot of people have lost money.