Saturday, 3 December 2005

eBay's anti-phishing desk sucks

I reported a phishing attack last week. Nothing new there; I do it a lot as part of my ongoing research into spam for FixingEmail.org and others.

A scammer put up a fake eBay site and sent spam encouraging people to go there. Predictably, it prompted for the user's eBay username and password. Both the email and the website were very credible-looking. Nothing new there, either.

Naturally, I reported the attack to spoof@ebay.com, expecting them to work with the host of the fake website to take it down quickly. Three days later, I received a reply, basically telling me I'm an idiot because this email was in fact sent by eBay.

Now, idiot I may be (and frequently am), but there's just no way the message could be legitimate. Consider the facts:

  • The email didn't include my eBay username
  • It wasn't sent to an email address that corresponds to an eBay account
  • The site puts up a sign-in page that's not encrypted and isn't hosted at ebay.com
  • The site was hosted on a consumer cable TV connection
  • The site's domain contact information -- the whois data -- was obviously forged

If eBay can't tell the difference between their own messages and phishing, how's a poor consumer supposed to know?
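The indicators in the list above can be checked mechanically. The following is an added example (not code from this post, and not anything eBay runs): it parses a constructed sample message modelled on the one described, and flags the recipient mismatch, the missing username, the unencrypted link, the host that is not ebay.com, and the mismatch between the link text and its real target. The sample headers, link target and the list of legitimate sign-in domains are assumptions made for the example.

```python
"""Triage a suspected eBay phishing email against the indicators listed above.

Added example, not code from the blog post. The message below is constructed
for illustration; the link target and addresses are placeholders, not the
site discussed in the post.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains that legitimately serve eBay sign-in pages (assumption for this example).
LEGIT_SUFFIXES = ("ebay.com", "ebay.co.uk")

# Constructed sample: modelled on the message in the post, not a real one.
SAMPLE_EMAIL = """\
From: "eBay" <aw-confirm@ebay.com>
To: victim@example.org
Subject: Your account needs verification
Content-Type: text/html

<html><body>
<p>Dear eBay Member,</p>
<p>Please sign in to confirm your details:
<a href="http://www.example-phish.net/ebay/signin.php">https://signin.ebay.com/</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def is_legit_host(host: str) -> bool:
    """True only for the brand domain itself or a real subdomain of it.

    A plain substring test would accept 'ebaychristmas.net' and
    'ebay.com.evil.net'; matching on a dot boundary does not.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def extract_links(html: str):
    """Return (href, visible_text) pairs; the visible text is what the victim reads."""
    return [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in HREF_RE.findall(html)]


def triage(raw: str, account_email: str, username: str) -> list:
    """Return the phishing indicators found in one message (empty list: none found)."""
    msg = message_from_string(raw)
    findings = []
    if msg["To"].strip().lower() != account_email.lower():
        findings.append("recipient is not the address registered to the eBay account")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if username not in body:
        findings.append("message does not address the member by username")
    for href, text in extract_links(body):
        u = urlparse(href)
        if u.scheme != "https":
            findings.append(f"sign-in link is not encrypted: {href}")
        if not is_legit_host(u.hostname or ""):
            findings.append(f"sign-in link is not hosted at ebay.com: {u.hostname}")
        shown = urlparse(text)
        if shown.hostname and shown.hostname != u.hostname:
            findings.append(f"link text shows {shown.hostname} but points to {u.hostname}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, "myebayaddress@example.org", "mikesbuyer"):
        print("-", finding)
```

The host check is the part worth copying: a lookalike such as ebaychristmas.net contains the brand name but is not a subdomain of ebay.com, and only a suffix match on a dot boundary tells the two apart.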

A week after my report, the phishing website is still active.

If I were a victim of this eBay phish, I'd be hopping mad. It's vitally important for brands like eBay to run a fast-response "takedown" service, which can accurately identify phishing and work with hosts, registrars and ISPs to remove fraudsters from the Internet.

Update: for those of you asking for more details, I'm not going to post the phishing site directly, for fear of entrapping the gullible. However, if you're determined to research it, understand that I cannot warrant that the site is malware free. Unless you agree that you take full responsibility for your actions, do not go to www(dot)ebaychristmas(dot)net.

Yesterday, the site was hosted at RoadRunner -- cpe-065-190-247-092.triad.res.rr(dot)com -- but now it's somewhere in China. Looks like it might be hosted on a botnet. The domain was registered through Joker.com with a bogus email address.
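A site whose address hops from a cable-modem customer to a host in China within a day is the signature of a botnet-hosted phish, and it shows up in the DNS answers alone. As an added example (not code from this post, and not how the author checked), the script below scores a constructed resolution history: it counts how many distinct networks answer for a name and how many of the answering addresses carry consumer-ISP reverse DNS of the kind quoted above. The log uses RFC 5737 documentation addresses, the reverse-DNS patterns and the thresholds are this example's own assumptions, and a real check would resolve the name repeatedly over several hours.

```python
"""Spot botnet (fast-flux style) hosting from a sequence of DNS answers.

Added example, not code from the post. The resolution log is constructed
(RFC 5737 documentation ranges) with reverse-DNS names modelled on the
consumer-ISP patterns quoted in the post; the thresholds are assumptions.
"""
import ipaddress
import re

# Reverse-DNS fragments typical of consumer/dynamic address pools (assumption).
RESIDENTIAL_RE = re.compile(r"(^|[.-])(cpe|dhcp|dyn|pool|res|dsl|cable|ppp)([.-]|$)", re.I)

# Constructed log: (hour, hostname, ip, reverse_dns). A legitimate site keeps
# answering from the same few servers; the phish hops between home PCs.
RESOLUTIONS = [
    (0, "phish.example.net", "192.0.2.17", "cpe-192-0-2-17.triad.res.example-cable.net"),
    (1, "phish.example.net", "198.51.100.8", "198-51-100-8.dhcp.example-isp.net"),
    (2, "phish.example.net", "203.0.113.40", "203-0-113-40.dyn.example-telecom.cn"),
    (3, "phish.example.net", "192.0.2.201", "pool-192-0-2-201.example-dsl.net"),
    (4, "phish.example.net", "203.0.113.9", ""),  # no reverse DNS at all
    (0, "signin.example-brand.com", "198.51.100.200", "web1.example-brand.com"),
    (2, "signin.example-brand.com", "198.51.100.201", "web2.example-brand.com"),
    (4, "signin.example-brand.com", "198.51.100.200", "web1.example-brand.com"),
]


def is_residential(rdns: str) -> bool:
    """True if the reverse name looks like a dynamic/consumer pool entry."""
    return bool(rdns) and RESIDENTIAL_RE.search(rdns) is not None


def flux_metrics(log, host):
    """Summarise how a hostname resolved over the logged period."""
    rows = [r for r in log if r[1] == host]
    ips = {r[2] for r in rows}
    # Distinct /24s as a rough proxy for "different networks / ISPs".
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    residential = sum(1 for r in rows if is_residential(r[3]))
    return {
        "answers": len(rows),
        "unique_ips": len(ips),
        "networks": len(nets),
        "residential_fraction": residential / len(rows) if rows else 0.0,
    }


def looks_like_fast_flux(log, host, min_networks=3, min_residential=0.5):
    """Verdict: many unrelated networks, mostly consumer addresses (thresholds assumed)."""
    m = flux_metrics(log, host)
    return m["networks"] >= min_networks and m["residential_fraction"] >= min_residential


if __name__ == "__main__":
    for name in ("phish.example.net", "signin.example-brand.com"):
        print(name, flux_metrics(RESOLUTIONS, name), "fast-flux:", looks_like_fast_flux(RESOLUTIONS, name))
```

For a takedown request this matters: there is no single host to contact, so the useful lever is the registrar (or the DNS provider serving the name), not the ISP of whichever infected PC answered last.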

Here's what eBay said:

Thank you for writing to eBay with your concern about this email. My name is [redacted], and I am happy to address your concerns. I can confirm that the message you received was an official email message sent on behalf of eBay. This message was sent because you indicated in your preferences that you wished to receive these types of messages. [followed by a description of how to check "My Messages"]
Follow-ups to eBay and Joker.com have gone unanswered.

To the folks who wanted to contact me about this, see the Contact Me page (also linked over on the right column).

This blog post is now old news. Future updates will be in newer posts, so you probably should now go to the home page.


19 comments:

Anonymous said...

Sounds like they handed over phishing complaints to their Paypal division.

http://www.paypalsucks.com/

Anonymous said...

Today eBay sent me an email saying that my password was compromised by one of these fake emails. They said I had clicked on one and that I needed to change my email. I changed it because I had to. The whole point was I didn't click on any random site and they blamed me. I understand the email, but don't blame me.

Anonymous said...

So...what's the link for the scam site? If you provide the link, your story gains credibility. How about you copy and paste the phishing email you received?

Jacob said...

why not actually show us the e-mail?

Anonymous said...

Got a copy of the email we can see?

Anonymous said...

can we see this email?

Ben Moore said...

I got what sounds like the same phishing e-mail on 11/27/05. I didn't report it to eBay but to the ISP where the site was hosted, Mulberry Cooperative Telephone Company. I included all the headers and called out the hyperlink that pointed to one of their customers. To date, I have received no response.

Anonymous said...

You should post the phishing email, the website, and ebay's response...

Anonymous said...

And this is surprising? Have you ever contacted them about a bad seller misrepresenting an item? With proof, no less! They're just too busy counting their money to be bothered.

Anonymous said...

OK, going to Netcraft and running this site through their "what's that site running" for the same name but with a .com extension:

site report-legit

Now that is the problem the above site and owner might be legit.

However your site. (the dot net version) is reported on site report-fake

If you note there is a registration of the domain to a London address. So here is what you do. Call the FBI, report the truth, give them all the data you have. Because it's an international scam it falls under their control. The FBI takes this extremely serious as it's seen by them to be a probable way to finance terrorism. (wrong or right it's what they see.)

What has happened here is we have a typical expert who didn't bother to read your e-mail saw ebaychristmas knows it to be used by a legit site, and didn't pay enough attention to detail to understand that .net and .com are different. This of course is most likely the same individual I see every morning moving over to the left lane to make a right hand turn to exit the freeway.

Anonymous said...

----------
Quoting: anonymous
Today Ebay sent me an email saying that my password was compromised by one of these fake emails. They said I had clicked on one and that I needed to change my email. I changed it because I had too. The whole point was I didn't click on any random site and they blamed me. I undertand the email but don't blame me.
----------

Hey anonymous,

Every email I've gotten that says I need to change my password because my account has been compromised has been a phishing email. I recommend you change your password.

Anonymous said...

A little creative research reveals the following information:

- It is a botnet
- Here are the IP addresses:
82.237.23.141 (aul93-3-82-237-23-141.fbx.proaxd.net)
24.181.51.228 (24-181-51-228.dhcp.gnvl.sc.charter.com)
66.67.236.188 (cpe-66-67-236-188.rochester.res.rr.com)
66.168.175.167 (66-168-175-167.dhcp.chtn.wv.charter.com)
68.50.149.212 (pcp0259151pcs.bowie01.md.comcast.net)
81.18.64.76 (games.resita.rdsnet.ro)
82.139.28.130

- DNS is done with dns-4-free.com
- The bots mostly appear to be weak XP systems
- The HTTP server information returned is "CoffeemakerPro", which may reveal the backdoor/trojan used

Happy hacking/reporting,

Anonymous said...

Funny thing is that they made the site seem so real they even put the following on it: "Be sure the Web site address you see above starts with https://signin.ebay.co.uk/"

Anonymous said...

You're now on the digg front page... enjoy.

Anonymous said...

I got an e-mail just like the one that you describe the other day. I clicked on the link just for the hell of it and noticed that it directed me to a non-https, non-eBay site.

I closed the Firefox tab, deleted the e-mail and continued with my day, but a non-technical user would EASILY fall for this.

It is blatantly irresponsible for ebay to not take action IMMEDIATELY.

Anonymous said...

The best thing to do is to NEVER answer any e-mails saying "Fraudulent activity has been detected on your account" or to answer any unsolicited e-mail trying to sell you something.
Punch in the e-mail address of the place you got the e-mail from yourself, and ONLY do it if you have been to the site that it names before.
Otherwise, you could be in for a world of hurt.

Anonymous said...

I had the same experience -- sent eBay and PayPal the phishing site, was a college in China. Got the same lack of interest. Closed my accounts in both.

Anonymous said...

Well, you may be an idiot for questioning the eBay website but, at least you didn't buy anything and make an "irrevocable contract" with the Devil (eBay), and lose $300 to some eBay Shyster, like ______phan, _________gr, or ________byr, or ________egg, or ..... ITS ENDLESS!

Remember you can find ANYTHING on eBay! I recommend eBay to all my enemies and all smart asses! It's a guaranteed loss-ender.

jerry

Anonymous said...

I've got an Ebay issue. For the last couple of days, whenever I try to log in or contact a seller or anything of that nature, I get directed to a page that wants to "verify my identity" with either my credit card information or another email address from a school or organization. Of course, the email address alternative doesn't work. Can anyone tell me if this is in fact a scam? Please email me at dallasbowling@hotmail.com. I don't know if I'll ever be able to navigate back to this page and I am pretty worried about this. Thank you.
