{"id":8037,"date":"2006-02-09T17:38:00","date_gmt":"2006-02-09T22:38:00","guid":{"rendered":"https:\/\/nuxx.net\/blog\/2006\/02\/09\/ebay-phishing-scheme\/"},"modified":"2026-07-01T11:34:08","modified_gmt":"2026-07-01T15:34:08","slug":"ebay-phishing-scheme","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2006\/02\/09\/ebay-phishing-scheme\/","title":{"rendered":"eBay Phishing Scheme"},"content":{"rendered":"<p>Upon sitting down at my desk just now it appeared that I had email from an eBay user named &#8216;yuki668&#8217; asking simply &#8220;Hello,do you accept PayPal?&#8221;. This seemed a bit fishy, so I decided to dig into it a little bit.<\/p>\n<p>Come to find out, it&#8217;s the best made phishing scheme that I&#8217;d not yet seen. It appears to look like valid email from eBay, takes you to a look-alike login page, allows one to compose a reply, and even appears to send the message, then offering to redirect the user to My eBay and various other pages.<\/p>\n<p>Here are some screenshots of this message and the hosted false pages:<\/p>\n<blockquote><p>&middot; <a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2026\/06\/ebay_phishing_1.png\">Original email from &#8216;yuki668&#8217; asking a &#8216;question&#8217;.<\/a><br \/>\n&middot; <a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2026\/06\/ebay_phishing_2.png\">Fake eBay login page.<\/a><br \/>\n&middot; <a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2026\/06\/ebay_phishing_3.png\">Fake message composition page.<\/a><br \/>\n&middot; <a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2026\/06\/ebay_phishing_4.png\">Fake sent message confirmation.<\/a><\/p><\/blockquote>\n<p>I have to say, with my actively selling something on eBay, this <em>almost<\/em> fooled me. The way I knew it not to be right, is the original email message was sent, it didn&#8217;t say that it was a question about a particular item&#8230;<\/p>\n<p>Anyway, here is the full header if the email, if you are curious: <!--more Clicky Clicky--><\/p>\n<blockquote><p><tt>X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on rez.nuxx.net<br \/>\nX-Spam-Level: *<br \/>\nX-Spam-Status: No, score=1.3 required=5.0 tests=HTML_FONT_BIG,HTML_MESSAGE,<br \/>\n\tHTML_TAG_EXIST_TBODY,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,<br \/>\n\tUNDISC_RECIPS autolearn=no version=3.1.0<br \/>\nReceived: (qmail 33525 invoked by uid 89); 9 Feb 2006 22:19:28 -0000<br \/>\nDelivered-To: nuxx.net-ebay@nuxx.net<br \/>\nReceived: (qmail 33523 invoked from network); 9 Feb 2006 22:19:27 -0000<br \/>\nReceived: from unknown (HELO nj.jtbusa.com) (209.113.224.178)<br \/>\n  by bornslippy.nuxx.net with SMTP; 9 Feb 2006 22:19:27 -0000<br \/>\nReceived: from net1.nj.jtbusa.com (localhost.nj.jtbusa.com [127.0.0.1])<br \/>\n\tby nj.jtbusa.com (8.12.9p2\/8.11.6) with ESMTP id k19MHhcV051714<br \/>\n\tfor <ebay@nuxx.net>; Thu, 9 Feb 2006 17:17:44 -0500 (EST)<br \/>\n\t(envelope-from root@net1.nj.jtbusa.com)<br \/>\nReceived: (from root@localhost)<br \/>\n\tby net1.nj.jtbusa.com (8.12.9p2\/8.12.9\/Submit) id k19MHg6Q051713<br \/>\n\tfor ebay@nuxx.net; Thu, 9 Feb 2006 17:17:42 -0500 (EST)<br \/>\n\t(envelope-from root)<br \/>\nDate: Thu, 9 Feb 2006 17:17:42 -0500 (EST)<br \/>\nMessage-Id: <200602092217.k19MHg6Q051713@net1.nj.jtbusa.com><br \/>\nFrom: \"eBay Member: yuki668\" <member@ebay.com><br \/>\nSubject: Message from eBay Member<br \/>\nContent-Type: text\/html<br \/>\nTo: undisclosed-recipients:;<\/tt><\/p><\/blockquote>\n<p>So, yeah&#8230; You might want to keep an eye out for something like this. Additionally, I&#8217;m not sure how easy it&#8217;ll be to filter, because except for eBay&#8217;s inclusion of a plain text copy of the message, and the phishing message&#8217;s proper formatting of the raw HTML (eBay&#8217;s isn&#8217;t like this) the messages appear to be quite similar.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Upon sitting down at my desk just now it appeared that I had email from an eBay user named &#8216;yuki668&#8217; asking simply &#8220;Hello,do you accept PayPal?&#8221;. This seemed a bit fishy, so I decided to dig into it a little bit. Come to find out, it&#8217;s the best made phishing scheme that I&#8217;d not yet\u2026<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,34],"tags":[],"class_list":["post-8037","post","type-post","status-publish","format-standard","hentry","category-computers","category-moved-from-livejournal"],"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=8037"}],"version-history":[{"count":1,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8037\/revisions"}],"predecessor-version":[{"id":13592,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8037\/revisions\/13592"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=8037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=8037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=8037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}