Search our Spoof Library...
Another Spoof Email and Phishing Scam report by MillerSmiles.co.uk - click this image to go to our home page.

eBay official notice - Spoof Email Phishing Scam
3rd March 2004

please forward any scams you've received to spoof@millersmiles.co.uk

 

 
Report Summary
Date Reported
1st March 2004 and repeated reports continue
Apparent Sender
eBay
Return Address
various spoofed ebay.com addresses used
Subject
various inc. "! eBay official notice", "!0fficiaI Notice for aII eBay customers", "! your account - eBay", "eBay's official notice."
Format
HTML
Method
disguised link leads to bogus web content
Bogus Web Content?
Yes
URL of web content
multiple URLs are being used including
http://64.231.104.124:4922/dl/
http://68.88.15.175:4944/dl/confirm.htm
http://67.9.110.127:4903/dl/
http://64.231.78.96:4903/dl/
RISK LEVEL
HIGH
WARNINGS

1. Exploits URL Spoofing (canonicalisation) vulnerability in Internet Explorer browsers - run Windows Update to ensure your browser is patched.
2. Employs script to open the genuine eBay.com home page as a backdrop to the bogus page.
3. Text body has letters between words (instead of spaces) to fool spam or email filters.

 

 

" Dear eBay User, During our reguIar update and verification of the accounts, we couIdn't verify your current information. "...

 

This spoof eBay email (see image below) is in HTML format (although it does look like a text only email in order add a sense of authenticity to the link text). The link in the email has been disguised using HTML code to look like a genuine link to eBay and it has been further coded to exploit the URL Spoofing bug in Internet Explorer browsers (test your browser - see link on right).

Using that link will trigger 2 new browser windows, first we will see the genuine eBay.com home page, then what appears to be a pop up window will appear in front of that. This is achieved through the use of JavaScript, and its purpose is purely to convince users that they are seeing a genuine pop up window from the eBay.com page. The pop up window has been crafted to open without the address bar to prevent users from seeing the true URL which would reveal its bogus nature (http://68.88.15.175:4944/dl/confirm.htm).

Any information submitted is processed through a script located on the same server as the bogus content.

If you have received this email, please remember that it is very common for these email scams to be redistributed at a later date with only slightly different content or the same but with the fake page(s) hosted by a different provider. Also, once you have received one of these hoaxes, it is also common place to receive at least another one and usually a day or two after the first, although not necessarily from the same apparent sender.

 

The Spoof Email ...

 

The bogus web page (pop up with genuine page in background window)...

 

Stay informed of the latest Spoof Email Phishing Scams with either of our FREE alert services...
 

Stay informed of the latest Spoof Email Phishing Scams with either of our FREE alert services...

Email Alerts
Add your email address to our email alert service...
Subscribe

Privacy Policy

RSS News Feed
Tap into our Scam Alert service using your News Reader or Aggregator (including My Yahoo!).
Scam Alert News Feed

You can even put the latest alerts on your own web site.

Click here to learn more about RSS News Feeds and our Scam Alert Service!

Resources links - use one of the links below to access more information on Spoof Email & Phishing Scams.

Library of Spoof Email Phishing Scams

Brief guide to Phishing

Full article on spoof email scams

Spoof URL Checker

Link Checker

Browser URL Spoofing Vulnerability Check

Latest browser bug aids Phishing Scams - beware!

Destinations - other resources available on the MillerSmiles.co.uk web site.

Click the arrow to return to previous page

Home

Guides...

Book Terminology

How to identify a first edition book

Auction Watcher

List of the main Auction Sites world wide