[THIN] FW: Identity theft scam against eBay users

  • From: george.wasgatt@xxxxxxxxxxxx
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 11 Feb 2003 11:02:44 -0500



-----Original Message-----
From: Thomas Giudice [mailto:tlgenterprises@xxxxxxxxxxx]
Sent: Tuesday, February 11, 2003 6:33 AM
To: pi@xxxxxxxxxxx; jwiens@xxxxxxxxxxxxxxxxxxx
Cc: incidents@xxxxxxxxxxxxxxxxx
Subject: Re: Identity theft scam against eBay users


The last time one of my clients had this happen, when I was finally able to 
contact eBay, they advised me to contact local or Federal law enforcement 
about these types of scams.

Thomas Giudice
TLG Enterprises
Computer Emergency Response Team






>From: Patrick Bryant <pi@xxxxxxxxxxx>
>To: Jordan K Wiens <jwiens@xxxxxxxxxxxxxxxxxxx>
>CC: incidents@xxxxxxxxxxxxxxxxx
>Subject: Re: Identity theft scam against eBay users
>Date: Mon, 10 Feb 2003 17:29:43 -0800
>
>The text in the "hook" email in my incident is slightly different. I'm 
>including it below. Note subtle grammatical errors in the text.
>
>I've been trying to advise eBay all day, since it's their name that's being
>exploited, but all of my calls and emails have fallen into a black hole.
>
>It now appears that the attackers are playing a shell game with the 
>redirector site. Even though the site that receives the victim's post 
>(bayers.netfirms.com) has been shut down, now the attackers are redirecting
>to at least one different site for receiving the posts.
>
>Here's the text that initiated my team's involvement:
>
>------------
>Dear eBay User,
>During our regular update and verification of the accounts, we couldn't 
>verify your current information. Either your
>information has changed or it is incomplete.
>Please update and verify your information by signing in your account below 
>:
>If the account information is not updated to current information within 5 
>days then, your access to bid or buy on
>eBay will be restricted.
>go to this link below:
>------------
>
>Jordan K Wiens wrote:
>
> > A user on our network just reported a very similar situation, however the
> > details differed slightly.
> >
> >         From address: update@xxxxxxxx
> >         Mail was not sendmail
> >         Obfuscated link was:
> > http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=%66%77%6f%66%48%5a%70%55%76%46%4a%6c%69%47[OBFUSCATED TO PROTECT THE USER]6%68%4b%51%4b%6b%46%6f%65%42%58%75
> >         Real link:
> > http://ebay.interpool.us/index.htm?sss=fwofHZpUvFiGg[OBFUSCATED TO PROTECT THE USER]hKQKkFoeBXu
> >
> > As of right now the page appears to still be up, can you see if it is
> > similar to the page you were seeing before?  I've archived it if it goes
> > down.
> >
> > Snippet of text from the email:
> > --------------snip-------------
> > Dear valued ebay member XXXXXX :
> > It has come to our attention that your
> > [link to obfuscated url]ebay[/link]
> > Billing information's records are out of date. thats require update your
> > billing information's
> >
> > If you could please take 5-10 minutes out of your online experience and
> > [link again]update[/link]
> > Your billing records you will not run into any future problems with the
> > problems with the online service. However, failure to update your records
> > will result in account termination. Please update your records by tomorrow.
> > --------------snip-------------
> >
> > --
> > Jordan Wiens
> > UF Network Incident Response Team
> > (352)392-2061
> >
> > On Mon, 10 Feb 2003, Patrick Bryant wrote:
> >
> > > The scam is a social engineering hack to obtain personal information
> > > presumably for the purpose of identity theft.
> > >
> > > E-mails are being sent from an address claiming to be 'service@xxxxxxxx'
> > > requesting personal information including the recipient/victim's bank
> > > account number and routing number, checking account account name /
> > > number and routing number, eBay user ID / password, PayPal password,
> > > credit card number and associated ATM PIN number, social security
> > > number, driver's license number and state of issue, and mother's maiden
> > > name.
> > >
> > > Hopefully, half-savvy users will recognize this for what it is or at
> > > least object to the disclosure, but it takes some attention to detail to
> > > identify that it is a bogus request originating from outside eBay.
> > >
> > > Here are the technical details:
> > >
> > >   - The claimed origin address is: service@xxxxxxxxx
> > >   - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
> > > and ends with the string '@www.websiteseasy.com'.
> > >   - The message TEXT directs the user to the URL:
> > > http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
> > > displayed in the URL masquerades the actual URL to which the
> > > user-supplied data is posted.
> > >   - The ACTUAL URL in the http directs the browser to:
> > > 'http://bayers.crossfade.la/' which then does a 'refresh' redirect to
> > > 'http://bayers.netfirms.com/'.
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com


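The thread's key technical point is that the link shown to the victim (percent-encoded, or plain text naming ebay.com) hides a host that is not eBay's. The following is an added example, not code from any poster: it percent-decodes the link Jordan quoted and classifies the displayed-text / real-href pair. The list of legitimate suffixes and the REDACTED query token are assumptions for the example.

```python
"""Added example (not from the thread): reveal the real host behind an
obfuscated link and flag brand lookalikes. Defender-side triage logic."""
from urllib.parse import unquote, urlsplit

# Assumption for this example: only these suffixes count as the brand's own.
LEGIT_SUFFIXES = ("ebay.com",)

# Constructed sample: the obfuscated URL as quoted in the thread, with the
# redacted token replaced by a placeholder.
OBFUSCATED = ("http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73"
              "/index.htm?sss=REDACTED")


def real_host(url: str) -> str:
    """Percent-decode until stable (catches double encoding), return host."""
    decoded = url
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return (urlsplit(decoded).hostname or "").lower().rstrip(".")


def is_legit_host(host: str, suffixes=LEGIT_SUFFIXES) -> bool:
    """True only for the brand domain itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_link(visible_text: str, href: str) -> str:
    """'ok' if the real host is the brand's; 'lookalike' if the visible text
    or the host borrows the brand name anyway; otherwise 'mismatch'."""
    host = real_host(href)
    if is_legit_host(host):
        return "ok"
    if "ebay" in visible_text.lower() or "ebay" in host:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    print(real_host(OBFUSCATED))
    print(classify_link("ebay", OBFUSCATED))
    # The first report: displayed ebay.com path, actual href elsewhere.
    print(classify_link("http://www.ebay.com/acounts/memb/avncenter/",
                        "http://bayers.crossfade.la/"))
```

Note that the check is on the decoded host only; a subsequent 'refresh' redirect like the one Patrick describes (crossfade.la to netfirms.com) would need the page itself to be fetched and inspected.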

