Avoid the Smelly eBay Phishing Scam

The subject today is eBay phishing!

It seems like this thing is going around more and more. I think everyone knows what phishing is: scammers try to get someone to click on a hyperlink in an email that takes them to a server the scammers control, which then attempts to collect PII (Personally Identifiable Information).

What better target than eBay, where a lot of people have set up accounts and may react quickly to a message telling them their account is about to be disabled? It usually arrives with some official-looking logos and even a quasi-official sender address (accounts@ebay.com), which proves nothing, since the From: address of an email is trivially forged. For example, here is the content of a phish addressed to me:

Password change required!

Dear sir, We recently have determined that different computers have logged onto your eBay account, and multiple password failures were present before the logons. We strongly advice CHANGE YOUR PASSWORD. If this is not completed by October 24, 2006, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. Thank you for your cooperation.

Several things stand out here. First, look at the grammar, mechanics, spelling, choice of vocabulary, and sentence construction. That is a dead giveaway: clever as the thieves are, their lack of experience with the English language is plainly apparent.

Second, eBay phishing has been around for a while. Here is a notice from PrivacyRights.org concerning this brand of scamming. Before clicking anything, take some of the wording, the subject line, or key phrases from the message and search for them on Google, or at a site like PrivacyRights.org, to see whether there are known reports of the same scam.

Third, and for you techies out there, one can always look at the hyperlink they want you to click on and check out its IP address. Keep in mind that the text shown in the email is not necessarily the destination: the real target is the href behind the link, which most mail clients reveal when you hover over it. Using an IP checker, I was able to conclude that the target server they wanted me to talk to was in Quito, Ecuador…


I doubt that eBay has a server farm over there. Plus, maybe I can learn more about this scammer by running a WHOIS lookup on that IP address with the utility at DNSstuff.com:

inetnum: 200.105.240/20
status: allocated
owner: PUNTONET S.A.
ownerid: EC-PUSA-LACNIC
responsible: Enrique Quiroz R.
address: Amazonas y Pereira, 4545, Of. 401
address: 0000 – Quito – PI
country: EC
phone: +593 02 2260760 [125]
owner-c: RFC
tech-c: RFC
inetrev: 200.105.240/20
nserver: SERVER.PUNTO.NET.EC
nsstat: 20061016 AA
nslastaa: 20061016
nserver: DNS2.PUNTO.NET.EC
nsstat: 20061016 AA
nslastaa: 20061016
created: 20040716
changed: 20040716

nic-hdl: RFC
person: Roberto Falconi Cardona
e-mail: *******@PUNTO.NET.EC
address: Amazonas 45 45 y Pereira Of. 401, 4545,
address: 0000 – Quito – PI
country: EC
phone: +593 22 2989900 [125]
created: 20030221
changed: 20060112

Look at that. Roberto Falconi Cardona. I don't like Roberto anymore: he's trying to steal my information, or hosting phishers who are trying to steal who I am! Well, I think that's more likely a false name and phone number, or an unaware ISP, but I bet I just might be able to give him a call if I wanted to, so that I could express my dissatisfaction: there's an international phone number right there. Well, I don't speak Spanish, so I might be out of luck there anyway.
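The two technical checks described above (looking at where the link really goes, then reading the WHOIS record for that address) can be scripted so they run the same way every time. The following is an added example, not code from the original post or from DNSstuff.com. It works offline: the email body is a constructed sample, and the WHOIS text is the relevant fields of the LACNIC record quoted above. The address 200.105.240.17 in the sample link is an assumption chosen to fall inside the 200.105.240/20 range from that record; the post does not give the real phishing server's address. The domain check uses a crude "last two labels" rule that is fine for ebay.com but would misjudge country-code domains such as ebay.co.uk.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing email body (not the message quoted in the post).
# The raw IP 200.105.240.17 is an assumption inside the 200.105.240/20 WHOIS range;
# the real phish's server address is not given on the page.
SAMPLE_HTML = """
<p>Dear sir, We strongly advice CHANGE YOUR PASSWORD.</p>
<p><a href="http://200.105.240.17/ebay/signin.php">https://signin.ebay.com/</a></p>
<p><a href="https://www.ebay.com/help">eBay Help</a></p>
"""

# The relevant fields of the LACNIC record quoted above, one field per line.
WHOIS_RECORD = """inetnum: 200.105.240/20
owner: PUNTONET S.A.
ownerid: EC-PUSA-LACNIC
country: EC
person: Roberto Falconi Cardona
e-mail: *******@PUNTO.NET.EC
country: EC
"""

TRUSTED_DOMAINS = {"ebay.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Last two labels of a hostname (crude; a real tool uses the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    host = urlparse(href).hostname or ""
    if host_is_ip(host):
        reasons.append("href points at a raw IP address instead of an eBay hostname")
    elif registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"href host {host} is not under a trusted eBay domain")
    # Link text that looks like a URL but does not match the real destination.
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            reasons.append(f"displayed URL host {shown} differs from real host {host}")
    return reasons


def audit_links(html):
    """Map each href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}


def parse_whois(text):
    """Parse LACNIC/RIPE style 'key: value' lines; repeated keys collect into lists."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("%") or ":" not in line:
            continue  # server comment or blank line
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def ip_in_inetnum(ip, inetnum):
    """LACNIC prints prefixes with trailing zero octets dropped (200.105.240/20)."""
    net, _, plen = inetnum.partition("/")
    octets = net.split(".") + ["0"] * (4 - net.count(".") - 1)
    network = ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)
    return ipaddress.ip_address(ip) in network
```

Running audit_links(SAMPLE_HTML) flags the first link twice (raw IP destination, and displayed URL not matching the real host) and reports nothing for the genuine www.ebay.com link; parse_whois(WHOIS_RECORD) gives the owner, country and contact fields, and ip_in_inetnum confirms that the address belongs to the quoted allocation. In practice you would feed parse_whois the output of a whois client rather than a pasted record, and replace registered_domain with a public suffix list lookup.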

Lastly, use some caution and common sense. Why would eBay want to contact you via email to change your password anyway? That seems a little odd. Quell the emotional response in favor of critically analyzing the message for legitimacy.

Good luck!

R

Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, an MCSE, and a Master's degree in Information Technology, and is pursuing his doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.

Shubhangi says:

Comment posted on: October 20, 2006

This is terrifying! Recently I received a very similar email about my PayPal account. Luckily, I chose not to follow that link. I think I am going to use the website you suggested, DNSstuff.com. The text in that email was as follows:

We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address and we have reasons to belive that your account was hijacked by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you.

If you are the rightful holder of the account you must click the link below and then complete all steps from the following page as we try to verify your identity.

Click here to verify your account

If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.

Thank you for using PayPal! The PayPal Team