Spoof Email and Fake Web Site
1st September 2003

This spoof eBay email was distributed on 1st September 2003 and we also have images of the spoof web pages that it would have sent you to. These are just images of the originals, so there is absolutely no code included and none of the links or buttons will now work. The images shown have been reduced 80% of the original size.

The email hoax...

The spoof email states that eBay have made a charge to your credit card which has been declined, and is therefore asking that you resubmit the credit card information. The link that is provided in the email, to do this, is disguised to look like a genuine link from eBay.

When you click the link in the email, a should pop up (the site attempts to utilise a Security Certificate, and this is a common check by your browser to ensure that it is indeed connecting to a known and valid secure server - a 'https' server).

Important - this security window should always show if you have your browser's security settings set to default (please check now that this is the case - in Internet Explorer, you can check this by going to 'Tools', 'Internet Options' and 'Security' tab and then press the 'Default Level' button). You will notice that this security certificate is shown as not completely valid (see an image here) - the certificate is shown as being from a recognised certifying body (Verisign), the date on the certificate is correct, BUT the name on the certificate does NOT match the site which you are going to. This is where you should stop the process by clicking the 'No' button in that window.

If you happened to have proceeded past this security check, you would arrive at a secure sign in page that looks exactly as you would expect to see on eBay. This page is a spoof which has been constructed using code from eBay's own servers. It is clearly apparent that the page is spoofed when you see the URL/web address in your browser's address bar - 'https://207.150.192.12/temp/support7/' has absolutely nothing to do with eBay whatsoever, and is in fact an IP address registered to Affinity Internet Inc. in El Segundo, CA.

If you then proceed to give your eBay sign in information and click 'Sign In' on that page, you are taken to another spoof web page which contains a web form which requires your credit/debit card and banking details. Once the "Submit" button is pressed, any information you have entered on this page (and the preceding page) is relayed to the scammer(s) via an online web form processing service operated by Whizzmail utilising PHP code. In fact you will actually arrive at the whizzmail form processed confirmation page, by which time it is too late, and your information is as good as in the hands of the scammers.

...and once you click on that link in the email, you should receive the 'Security Alert' window...

If you proceed pass the Security Alert, you will then arrive at the first spoof web page, but notice the URL shown in the browser address bar - this is not what you would expect to see with a genuine eBay page...

On pressing the submit button there, you would arrive at the Whiz-mail successful form submission page - at which point all the information you've given is already on its way to the scammers....