HP Forums / HP Museum Forums / Old HP Forum Archives v / WARNING: New scam

Linear Mode
WARNING: New scam



Post: #2
01-13-2006, 06:44 PM
Vassilis Prevelakis Offline
Unregistered
Posts: 669
Threads: 63
Joined: Dec 2009

I got the following email (excerpts):

From aw-confirm@ebay.com  Fri Jan 13 17:31:46 2006

From: "aw-confirm@ebay.com" <aw-confirm@ebay.com>

Subject: Question from ebay member

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

[...]

Your registered name is included to show this message originated from eBay. 

<A href="http://ssiiggnniinn.100free.com/ws/

eBayISAPIdllSignInfavoritenav=2sid2=ruproduct=pp=co_partnerId=2

ru=i1=ruparams=pageType=pa2=bshowgif=pa1=pUserId=errmsg=

UsingSSL-runame-iteid=1/signin.htm" 

target=_blank><FONTcolor=#003399>Learn more</FONT></A>.

[...]

This is a fake message. Notice the http://ssiiggnniinn.100free.com url!

Apart from that, the email did not include my registered name, and the To: field was not my
registered ebay email address.

BEWARE

**vp

Find

Post: #3
01-13-2006, 10:50 PM
Howard Owen Offline
Unregistered
Posts: 1,830
Threads: 113
Joined: Aug 2005

I've been getting a lot of these. They usually ask questions such as "what forms of payment do you accept for your item?" Aside from the fact that the reply URL, as you point out, is spoofed, and actually points to some other site than eBay, the mail headers should also show a spoof in the last Received: header listed. The last header listed should be the first one generated. But sometimes the miscreants add phony Received: headers so the first real one isn't the last one listed. Regardless, the first real Received: header usually contains a spoof of the originating system's name. Knowing this can be helpful in identifying malicious mail when other clues are inconclusive.

For example, here's a sample from a virus laden mail that hit my mailbox a couple of weeks back:

Received: from vansbro.se (ASt-Lambert-151-1-23-237.w82-120.abo.wanadoo.fr [82.120.234.237]) by [...]

So this one claimed to be from 'vansbro.se' but actually originated from 'ASt-Lambert-151-1-23-237.w82-120.abo.wanadoo.fr'.

Find
Post: #4
01-15-2006, 09:16 AM
Marcus Aurelius Offline
Unregistered
Posts: 3
Threads: 1
Joined: Jan 1970

I've gotten so many of these of different variations that I closed my eBay account. The fun of trading on eBay is not worth exposing yourself, (however they're getting your email off eBay?), to these scam artists.

Find

Post: #5
01-15-2006, 12:25 PM
Howard Owen Offline
Unregistered
Posts: 1,830
Threads: 113
Joined: Aug 2005

It's doubtful that your membership in eBay or PayPal has anything at all to do with the phishing spam you are getting. Spam is a volume game, and the miscreants who send out that stuff just don't have time to target groups of people. They assume that some percentage of the multiple millions of messages they send will reach people who have eBay accounts, and that some percentage of those will be selling. Since eBay is popular, they are obviously right to think that. But then they also have to get some percentage (of the percentage, of the percentage) of targets who are dumb enough to fall for the (usually) transparently false scam spam spew. As long as you can tell the difference (which you obviously can) then you are safe.

Regards,
Howard

Find

Forum Jump: