Spoof email and web site
sent out on
20th August 2003

This spoof eBay email was distributed on 20th August 2003 and we also have images of two pages of the spoof web site that it would have sent you to. These are just images of the originals, so there is absolutely no code included and none of the links or buttons will now work.

The email contains everything you'd expect to see in a genuine eBay email. You'll see that it contains a link to update your billing information, but the link has been heavily disguised, and it would have taken you to the spoofed eBay web site.

From the images of the spoofed web site, you will see that the URL shown in the browser address bar (see web page images below) is not as you would see if you went to eBay.com (the first part of the spoofed pages is "http://207.44.208.108/....."). In fact, the web site was hosted on servers owned by Global Internet Solutions (Los Angeles, CA, USA) for one of their users. The pages were removed on the same day that the email was distributed (most likely removed by the scammers themselves, as is commonly the case according to eBay).

The page that you arrive at from the link in the email is a web form which asks for your eBay user ID and password, Credit/Debit card details, Banking details, etc (see image below). Once the "Continue" button is pressed, you would arrive at the confirmation page (see below) while the information given was sent to the scammer(s) by email with the clever use of some Javascript (it was being distributed to to 4 separate email addresses at yahoo, aol, juno and netzero).

and then the spoof web page, but notice the URL shown in the browser address bar - this is not what you would expect to see with a genuine eBay page...

The fake web page...

On pressing the submit button there, you would arrive at this next page.....