Ebay Account info confirm spoof email

Straight_Man (Geeky, in my own way), Naples, FL, Icrontian
edited May 2004 in Science & Tech
[PHP]From - Sat May 22 11:17:19 2004
X-UIDL: 20040522144926s13008jm6ae001mh6
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from a_15 (unknown[62.251.150.145](misconfigured sender)) <--- INSERTED: Clue to spam
by sccrmxc13.comcast.net (sccrmxc13) with SMTP
id <20040522144914s1300frhpbe>; Sat, 22 May 2004 14:49:25 +0000
X-Originating-IP: [62.251.150.145]
From: "eBay Accounts Manager" <accounts@ebay.com>
Subject: Verify Your eBay Account
To: CUT OUT, this was my valid comcast email address
Content-Type: text/html;iso-8859-1
Reply-To: accounts@ebay.com <--- INSERTED: reply to that does not work is a spam clue, possibly. Use in combo with other clues.
Date: Sat, 22 May 2004 14:49:25 +0000
X-Priority: 3
X-Library: Indy 8.0.25

Dear eBay User,<P>
During our regular update and verification of the accounts, <BR>
we couldn't verify your current information. <BR>
Either your information has changed or it is incomplete.<BR>
Please update and verify your information by signing in your account.<P>
If your account information is not updated within 5 days, <BR>
your access will be restricted.<P><BR>

please go to the link below and enter the information required:<BR>
<A HREF="http://ebay.secure-informations.org">http://www.ebay.com/accounts/member/avncenter/?dll874432</A><P>
INSERTED: When a site that is not even in the web address shown in the link is used, this is a phishing clue. When you are asked to give data of personal kinds on a site that begins http: and not https:, DO NOT DO SO! This email results in BOTH happening.

*** Please Do Not Reply To This E-Mail As You Will Not Receive A Response ***<P>
Sincerely,<BR>
eBay Account Review Department<P>[/PHP]

I gave this as source code, in toto, because I got this today, and because after checking out the email and where it led versus where eBay's ACTUAL account management goes, the site you see when you are actually in eBay's account management and the site you go to from this email are different. This site that the email leads to is not an https secure site. eBay's account edit functions ARE always run in https mode using SSL. ebay.secure-informations.org is NOT an eBay registered domain. The links that are on the page DO lead to eBay.

An email from eBay will have a valid sender config shown in headers. This one has none; the sender is masked by simply being misconfigured as to the sender info given to the email server that accepted the email at Comcast's inbound gating.

This is a pretty good example of a very VERY deceptive phishing email and site. The header and footer are taken from an eBay page, but that page shows a copyright of 2001, and eBay's pages for account management do not use the entry structure that this page at the phishing site has, nor were they last revised in 2001. Actually, eBay IS moving to a whole new accounting system-- but the legitimate eBay pages have different copyright years.

I am sending this email to eBay's abuse department, Comcast's abuse department and possibly elsewhere also, as what it leads to is VERY subtly done from what an end user sees both on the web and in email.

BTW, I do not even have an eBay seller's account that is fully created-- I partly created one to see the interface details. I DO have a PayPal account. It is NOT tied to an eBay seller account.

John D.
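
Added example (not part of the original post): a small Python check for the two link clues the post points out, a displayed URL whose host differs from the real link target, and a target served over plain http. The names `LinkCollector`, `host_of` and `audit_links` are hypothetical; the sample input is the anchor from the quoted message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()

def audit_links(html):
    """Return one finding per link that shows either clue from the post."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown, clues = host_of(href), host_of(text), []
        # Clue 1: the visible text is a URL, but for a different host.
        if shown and real and shown != real:
            clues.append("displayed host differs from link target")
        # Clue 2: plain http target, so data entered there is not encrypted.
        if urlparse(href).scheme == "http":
            clues.append("target is not https")
        if clues:
            findings.append({"target": real, "shown": shown, "clues": clues})
    return findings

# The anchor from the message quoted in the post.
SAMPLE = ('<A HREF="http://ebay.secure-informations.org">'
          'http://www.ebay.com/accounts/member/avncenter/?dll874432</A><P>')

if __name__ == "__main__":
    for finding in audit_links(SAMPLE):
        print(finding)
```

Link text that is not a URL (for example "click here") only triggers the http check, since there is no displayed host to compare.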

Comments

  • -tk, Detroit, MI USA, Icrontian
    edited May 2004
    a good reminder to always check the Received: line in any suspicious email header.