eBay- 'TKO NOTICE: Verify Your Identity'
29-Oct-2004

Summary
Email title: 'TKO NOTICE: Verify Your Identity'
Scam target: eBay customers
Email format: HTML email
Sender: aw-confirm@ebay.com
Sender spoofed? Yes
Scam call to action: 'During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information...Please update and verify your information by clicking the link below...'
Scam goal: Obtaining the victim's credit card information, contact information (name, address, phone number, etc.), wamu.com username/pass.
Call to action format: URL link
Visible link: https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo
Called link: http://signin-ebay.com-cgi-bin.tk/eBaydll.php
Phish website IP: 212.0.98.50
 
E-mail
 

This phish falls into the 'social engineering' category. It is well designed, and relies on its persuasiveness, rather than on technical tricks.

The email looks nice:

 
 
The sender is spoofed, and the URL link is 'masked' (the visible text shows a legitimate eBay address while the link actually points elsewhere). Together these make for a persuasive scam.
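As an added example (not part of the APWG entry), the following Python parses the anchors of an HTML email like this one and flags the two signs discussed here: anchor text that displays a different URL than the href it links to, and an href whose host is not actually under ebay.com even though it contains the string 'ebay.com'. The sample HTML fragment and the trusted-domain list are constructed assumptions, not the original message.

```python
# Added example for this archive entry (not APWG tooling): flag 'masked' anchors whose
# visible text shows one URL but whose href goes elsewhere, or whose host is not ebay.com.
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed fragment modelled on the email described above (not its real HTML).
SAMPLE_EMAIL = """<p>Please update and verify your information by clicking below:</p>
<a href="http://signin-ebay.com-cgi-bin.tk/eBaydll.php">
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo</a>
<a href="https://www.ebay.com/help">https://www.ebay.com/help</a>"""

TRUSTED = ("ebay.com",)  # assumption: the brand's legitimate registrable domain

def host_is_trusted(url, trusted=TRUSTED):
    """True only if the host is a trusted domain or a subdomain of one. The phish host
    'signin-ebay.com-cgi-bin.tk' contains 'ebay.com', so a substring check would pass it."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkCollector(HTMLParser):  # pairs each <a href> with the text displayed inside it
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_masked_links(html):
    """Return (href, visible_text, reason) for each suspicious anchor."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = text.split()[0] if text else ""
        if shown.startswith(("http://", "https://")) and \
                urlparse(shown).hostname != urlparse(href).hostname:
            findings.append((href, shown, "visible URL differs from href"))
        elif not host_is_trusted(href):
            findings.append((href, shown, "href host not under ebay.com"))
    return findings
```

Running `find_masked_links(SAMPLE_EMAIL)` reports only the first anchor, because its displayed eBay URL does not match the .tk host it really links to; the genuine ebay.com help link passes both checks.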
 
Web Site
Visible link: https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo
Called link: http://signin-ebay.com-cgi-bin.tk/eBaydll.php
Phish website IP: 212.0.98.50
 
The phish site opens up with a login screen first, just like you would expect from eBay. Notice the URL in the address bar:
 
 

This is what the 'social engineering' approach is all about - make the whole thing as close to the real one as possible, so the potential victim does not notice the small details that expose the scam.

After eventually 'signing in', the main phish page opens:

 
 

There are a couple of things to pay attention to here, too. First, the URL remains the same as it was on the first page; even though it is cleverly chosen, a vigilant user can still find it suspicious.

The second thing is that the site is not a secure one. Remember, legitimate institutions always use secure sites to transfer sensitive information. The browser's indication that you are on a secure site is a padlock icon in the right part of the status bar; it is missing in this case:

 

 
A smart move by the phishers is the use of the legitimate eBay logout page, which is displayed once the information has been 'phished':
 

 

The main protection against such scams is an increased level of awareness and vigilance on the user's side. Small details (like the suspicious URL and the missing site security) indicate a big scam.

 

Phish server WHOIS information:
WHOIS data (for IP 212.0.98.50)

IP Address: 212.0.98.50
IP Location: ES(SPAIN)-CATALUNA-BARCELONA
Data as of: 08-Jun-2004

Domain name:
COM-CGI-BIN.TK

Organisation:
N/A
ARTHUR WINBORN
12327 Joyner ave.
34654 New Port Richey
U.S.A.
Phone: 0-727-8572447
Fax: 0-727-8572447
E-mail: my26f@yahoo.com

Domain Nameservers:

Domain registered: 09/12/2004
Record will expire on: 09/12/2006
Record maintained by: Dot TK Domain Registry