

REPORT SUMMARY

Date of Distribution: 6th August 2003
Apparent Sender: eBay
Subject: Barclays E-mail Verification:
Sender's Address (spoof): eBay account Verification
Content: web form with instructions to complete it
Spoofed Web page/site?: NO
Web page/site content: n/a
Web page/site origin: n/a
Identity Theft method: data entered is sent to scammers using CGI script

 


 

 

   
 

eBay Spoof email hoax
in distribution from
2nd August 2003

One of our site users sent this email to me for further investigation. It's quite a large file which had to be reduced and optimised to make it viewable on this page, although it may take a little while to completely load.

We'll take a look at the email first, then the method by which the scammer(s) gain your information. Following this, I've added header information and a summary of my investigation results (I have not included all results, out of respect for other people's privacy). Please ensure that you forward any spoofs to me so that I can continue to keep our readers up to date on the latest spoofing techniques which target eBay and PayPal users.

One of the most worrying factors in using email is that the design of most SMTP servers allows almost anyone to log into a server and use it to send spoof emails without any user verification. We can only hope that at some time in the future, some legislation will be passed on a worldwide basis that compels web hosts to secure their SMTP mail servers, which would in turn put an end to spoofs as we see them now.

 


Following the receipt of this spoof I immediately reported it to eBay; as a consequence the offending remote files were removed very quickly. I was therefore unable to retrieve the code outside of the email which would have completed the transfer of the users' information to the scammer(s), so there has been a limit to how far I've been able to go into this. Despite this I will continue to immediately report any spoof to the appropriate place/persons, as it is of the utmost importance to put an end to such spoofs as quickly as possible.

Spoof eBay email received by an eBay user on the 2nd August 2003.....



How it works...

There is some quite clever code in this email: the graphics are genuine and are drawn directly from eBay's servers. The code also calls other code from eBay's servers to make the form appear even more genuine. If the recipient had entered the information requested into the form and then clicked the submit button, the code would have sent that information to a CGI script file located at a domain by the name of user-access2.com. The purpose of the CGI script is to retrieve and save or relay the information to the scammer(s). It sounds fairly ordinary as far as web design goes, but a good working knowledge of HTML, JavaScript and CGI was needed to create this spoof email.
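The pattern described above (genuine brand graphics, form data posted to an unrelated domain) can be checked mechanically. The following is an added example, not code from the original email or from this site; the sample HTML is constructed, and its paths and field names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample with the structure described above: brand images served
# from the real site, form data posted elsewhere. Paths and field names are invented.
SAMPLE_HTML = """
<img src="http://www.ebay.com/placeholder-logo.gif">
<form method="post" action="http://user-access2.com/cgi-bin/placeholder.cgi">
  <input type="text" name="userid"><input type="password" name="pass">
  <input type="submit" value="Submit">
</form>
"""

def host_of(url):
    return (urlparse(url or "").hostname or "").lower()

def same_site(host, domain):
    # Exact match or true subdomain; "ebay.com.evil.example" does not qualify.
    return host == domain or host.endswith("." + domain)

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_hosts, self.resource_hosts = [], []
        self.wants_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_hosts.append(host_of(a.get("action")))
        elif tag in ("img", "script", "link"):
            self.resource_hosts.append(host_of(a.get("src") or a.get("href")))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.wants_password = True

def audit(html, claimed_domain):
    p = FormAudit()
    p.feed(html)
    offsite = [h for h in p.form_hosts if h and not same_site(h, claimed_domain)]
    borrowed = any(same_site(h, claimed_domain) for h in p.resource_hosts if h)
    return {
        "offsite_form_targets": offsite,
        "brand_resources": borrowed,
        "collects_password": p.wants_password,
        # Any form in an email that posts outside the claimed sender is a red flag;
        # genuine brand assets alongside it say nothing about legitimacy.
        "suspicious": bool(offsite),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "ebay.com"))
```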

The Email Header...

X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from loveothers.com ([ 66.223.21.134 ]) by mc4-f30.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
Sat, 2 Aug 2003 04:49:08 -0700
Received: from ([127.0.0.1]) with MailEnable ESMTP; Sat, 02 Aug 2003 05:27:11 -0400
From: "aw-confirm@ebay.com" <aw-confirm@ebay.com>
To: susumuro@hotmail.com
Subject: eBay Account Verification
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Reply-To: aw-confirm@ebay.com
Date: Sat, 2 Aug 2003 02:25:51 -0700
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Return-Path: aw-confirm@ebay.com
Message-ID: <MC4-F30evWOITN9SoGy0011e901@mc4-f30.law16.hotmail.com>
X-OriginalArrivalTime: 02 Aug 2003 11:49:08.0117 (UTC) FILETIME=[14CF6C50:01C358EC]

The highlighted part (the first Received: line, naming loveothers.com and 66.223.21.134) is the bit that we should be interested in here: it gives the server address for the source of the email. This server belongs to the Adducent Corporation, who were very helpful in tracing the email's path further; see the Investigation Summary for details on that. As I have stated in my article on Spoofs, almost 100% of email headers can be spoofed if the scammer has sufficient knowledge of how to (I am not going to be discussing those gritty details here because quite a few search engine referrals to this site ask "how to spoof an email", which is the opposite of this site's purpose). However, in this instance the highlighted portion clearly shows us that the email definitely did not originate from eBay: ownership records show that this particular server has nothing to do with eBay at all (ownership records can be found by conducting a whois lookup).
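The check described above, comparing the claimed From: domain with the host that handed the message to the recipient's own mail server, can be scripted. This is an added example, not part of the original article; the header fields are taken from the header shown above, with the recipient address replaced by a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header fields from the spoof above; the To: address is a placeholder.
RAW = """\
Received: from loveothers.com ([ 66.223.21.134 ]) by mc4-f30.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
\tSat, 2 Aug 2003 04:49:08 -0700
Received: from ([127.0.0.1]) with MailEnable ESMTP; Sat, 02 Aug 2003 05:27:11 -0400
From: "aw-confirm@ebay.com" <aw-confirm@ebay.com>
To: recipient@example.invalid
Subject: eBay Account Verification
Return-Path: aw-confirm@ebay.com

"""

# "from <name> ([<ip>]) by <receiving host>" as written by the receiving server.
HOP = re.compile(r"from\s+(\S+)\s+\(\[\s*([\d.]+)\s*\]\)\s+by\s+(\S+)")

def handoff(raw):
    """Compare the From: domain with the topmost Received: hop.

    Only the topmost Received: line is written by the recipient's own
    server; everything below it was supplied by the sending side.
    """
    msg = message_from_string(raw)
    top = (msg.get_all("Received") or [""])[0]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = HOP.search(top)
    name, ip, by = (m.group(1).lower(), m.group(2), m.group(3).lower()) if m else ("", "", "")
    # The announced name is chosen by the sender, so a match proves nothing;
    # a mismatch is a reason to run a whois lookup on the recorded IP.
    aligned = bool(name) and (name == from_domain or name.endswith("." + from_domain))
    return {"from_domain": from_domain, "sending_host": name,
            "sending_ip": ip, "received_by": by, "aligned": aligned}

if __name__ == "__main__":
    for key, value in handoff(RAW).items():
        print(f"{key}: {value}")
```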

Investigation Summary...

As stated before, the code written around the 'Submit>' button causes the information entered into the form to be relayed, once the button is pressed, to a CGI script which would have either saved the information into a file for later retrieval or relayed it further to the scammer(s). These kinds of scripts are very common in web design, but a good knowledge of design is needed to put them into use in email and/or web pages. The web page that you would have arrived at would most likely have appeared to be a genuine eBay page, as is commonly the case (see a copy of a spoof web page here).

I used information contained within the email's header to trace the email's route, and I was even more concerned with that result. It had originated from a domain called loveothers.com, which is owned by the Adducent Corporation. I took a look at their web site and it was immediately clear that they would not be involved in this kind of scam. I contacted their CEO (Scott Malcolm), who was very helpful and emailed me by return with further information on the email's origin. Scott states that his technical people have determined that hackers reached their mail server 'via an authenticated ebay IP address'. This is very worrying, but reminds us how real it is that most SMTP servers can be used for the purposes of distributing these email scams.

The problem with conducting an investigation after reporting the issue is that things get shut down, and sources close, very quickly. However, I also looked into ownership of the domain user-access2.com, to which the information would have been relayed. To be frank, I cannot say for certain that the ownership details are correct. I am awaiting confirmation of the contact information given, and whilst that information does correlate with records of a living person at the address given, there are a couple of pieces of false information included (such as the email address and telephone number), and it does not necessarily mean that that person has actually set up that domain. The domain was first registered on 29th July 2003, which is just 4 days before the email was received; this would imply that the domain was set up purely to operate this scam. I am not going to publish the domain ownership details at this point, or until I receive some confirmation from the genuine individual at the contact information given during the domain registration process.

The domain was being hosted by ipowerweb.com, and I am still awaiting further information from them. I expect to publish this on receipt and following any further enquiries, so this page will be updated in the near future. The problem with domain registration is that the system does not require anyone to verify the registrant's details, so you could pretty much register a domain with any registrant information you wanted.

In conclusion...

From the information I've found, I so far believe that fraudsters have created a domain with false contact information, and that they most likely did so with stolen credit card information (domain registration is almost instant with a credit card). I expect that this will be confirmed in the near future not least by a change in the registrant's information for the domain (when payment for the domain gets refused) and verified by responses that I receive to my enquiries (from the registrant data and the domain host).

If it is found that the domain registrant's information is genuine and that they are involved in this spoof, it would be a very foolish act indeed, not least because they have left themselves open to tracing.

I have also forwarded reports, via the web forms provided for this kind of issue, to the Federal Trade Commission, FBI and the International Web Police, who take up this kind of internet fraud crime and pursue the problem until criminal justice can be brought to the perpetrators. I must urge anyone who receives these kinds of spoofs to make these reports.

I cannot emphasise enough to you that eBay would NOT request your user data, credit card data or your banking data by email. Any such information would only be requested from within their own web site on one of their own web pages. If you want to be sure that you are at the right web site, please read my article on spoof email and spoof web pages, where you'll see other examples of this kind of email and also spoof web pages.


© Copyright MillerSmiles.co.uk. All Rights Reserved.