Previous Politech message: "Scam extracts credit card numbers, bank info from eBay members"
http://www.politechbot.com/p-03476.html

---

Date: Thu, 02 May 2002 08:25:45 -0500
To: [EMAIL PROTECTED]
From: "Randal J. King" <[EMAIL PROTECTED]>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

Declan -

Quick action on someone's part - the domain is down. I had a similar thing last week for PayPal. The tip off often is, as it is in your case, poor grammar and overall sentence/paragraph construction. These scum spend a lot of time duplicating the look of a legitimate site to trap people.

-- Randy

---

From: "D McOwen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:39:40 -0400

Declan,

I've been getting the same sort of E-mails in the last two weeks with various big name headers such as Yahoo, Amazon, MSN, AOL, Earthlink etc all trying to do the same thing. If you put your info in their website including credit card numbers, you give them the store. Scammers and spammers have been really cranking it up a notch lately. I suspect out of work programmers from the dot com crash have been recruited for illegal purposes unfortunately.

Dave McOwen

---

From: "Anthony Healy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Scam extracts credit card numbers, bank info from eBay members
Date: Fri, 3 May 2002 01:04:11 +1000

And reason 6: Clumsy phraseology and inaccurate grammar. (How come scammers are never good with grammer?)

> To avoid any inconvenience concerning an
> interruption of your service membership, in future.
> ...Remember to "doublecheck" all the fields for

Regards,
Tony Healy

---

Date: Thu, 2 May 2002 19:34:01 -0700
To: [EMAIL PROTECTED]
From: Stanton McCandlish <[EMAIL PROTECTED]>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

At 9:57 AM -0400 on 5/2/02, Declan McCullagh wrote:

> Obvious reasons this is a scam:
> 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
> 2. The destination URL is http://64.177.3.234/, which receives connectivity
> from qwest.net, not ebay.com.
> 3. There's no reason for eBay to send this message to me
> 4. The site is not using a secure connection (https://) URLs for
> to protect sensitive information, which eBay almost certainly would.
> 5. Replies are directed to a yahoo.com address

6. A load of addresses in the To header, instead of Bcc'd or sent individually, yet there are not nearly ENOUGH of them for this to really be an eBay message. There are millions of eBay users, so even between [EMAIL PROTECTED] and [EMAIL PROTECTED] would be many, many other addresses.

7. Really bad grammar, e.g.: "incorrect and/or (fraudulent)" and "To avoid any inconvenience concerning an interruption of your service membership, in future. Please take..."

--
Stanton McCandlish [EMAIL PROTECTED] http://www.eff.org/~mech
Technical Director/Webmaster
Electronic Frontier Foundation
voice: +1 415 436 9333 x105 fax: +1 415 436 9993
EFF, 454 Shotwell St. San Francisco CA 94110 USA

---

From: "Allen Smith" <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Date: Thu, 2 May 2002 09:00:20 -0400
To: Declan McCullagh <[EMAIL PROTECTED]>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
Mime-Version: 1.0

On May 2, 8:40am, Declan McCullagh wrote:

> Obvious reasons this is a scam:
> 1. Headers show it originated from sdn-ar-001nynyorp256.dialsprint.net
> 2. The destination URL is http://64.177.3.234/, which receives connectivity
> from qwest.net, not ebay.com.
> 3. There's no reason for eBay to send this message to me
> 4. The site is not using a secure connection (https://) URLs for
> to protect sensitive information, which eBay almost certainly would.
> 5. Replies are directed to a yahoo.com address

While I believe you're correct on most of this:

A. eBay is not that great on security:
http://news.com.com/2100-1017-870959.html
http://spoor12.edup.tudelft.nl/SkyLined/docs/cross_site_scripting.archive.html
so it would not be _that_ surprising to see them not using proper encryption.

B. There's one thing you aren't mentioning, namely that email from ebay is unlikely to be coming from an email address they're shutting down in favor of a web form, namely "[EMAIL PROTECTED]".

-Allen

P.S. See http://news.com.com/2100-1017-857177.html for one past report on this scam.

--
Allen Smith http://cesario.rutgers.edu/easmith/
September 11, 2001 A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin

---

Date: Thu, 02 May 2002 09:09:05 -0400
To: [EMAIL PROTECTED]
From: Brian McWilliams <[EMAIL PROTECTED]>
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

Declan,

That IP resolves to NOREAGAX02.COM. Was just registered yesterday and is using an EarthLink drop-box ([EMAIL PROTECTED]) according to the HTML. Responsible parties have been notified.

This type of scam is getting old: http://www.newsbytes.com/news/02/173962.html

Brian

+++

Olive Johnson
3650 CARLTON ST
BARNUM, Minnesota 55707
US

Domain Name: NOREAGAX02.COM

Administrative Contact:
Olive Johnson [EMAIL PROTECTED]
Olive Johnson
3650 CARLTON ST
BARNUM, Minnesota 55707
US
Phone: 2183890280
Fax: 555-555-5555

Technical Contact:
Apollo Hosting [EMAIL PROTECTED]
Apollo Hosting, Inc
11712 Jefferson Ave. Suite 423
Newport News, Virginia 23606
US
Phone: 7578988666
Fax: 8008610986

Record updated on 2002-05-01 10:50:08.
Record created on 2002-05-01.
Record expires on 2003-05-01.
Database last updated on 2002-05-02 08:58:17 EST.

Domain servers in listed order:
NS.APOLLOHOSTING.COM 216.147.43.193
NS2.APOLLOHOSTING.COM 216.147.1.144

---

Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members
From: Steve Withers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: 03 May 2002 01:15:28 +1200

This looks like the guilty party:

input type="HIDDEN" name="redirect" action="refresh" delay =" 0.3" value="http://64.177.3.234/redirect.html"
input type=HIDDEN name="recipient" value="[EMAIL PROTECTED]"

Steve

---

From: "FourMat Technologies, Inc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Subject: Re: Scam extracts credit card numbers, bank info from eBay members
Date: Thu, 2 May 2002 09:15:28 -0400
Organization: FourMat Technologies, Inc

Another confirmation that it's a scam is the script that it uses to collect information inside the code of the page, formmail.pl. This is classically just an information collecting script that emails the form fields to the recipient, using the sendmail protocol. Very simple and a total security concern. The recipient of the mail is [EMAIL PROTECTED] if that says anything.

Hmm, interesting, go to the page and try to right click. It moves the browser window around and beeps at you a lot. Annoying. I wonder if eBay uses these tactics on their pages. I would bet not.

This would probably be of interest to the guys over at slashdot.

Matt Hartman
FourMat Technologies, Inc
[EMAIL PROTECTED]

---

Date: Thu, 02 May 2002 09:41:12 -0400
To: [EMAIL PROTECTED]
From: [someone who seemed to want to remain anonymous]
Subject: Re: FC: Scam extracts credit card numbers, bank info from eBay members

64.177.3.234 is a web server owned/operated by "noreagax02.com" running Apache 1.3.20 unix Apache JServ/1.1.2 PHP/4.1.2 FrontPage5.0.2.2510 Rewrit 1.1a on the Alabanza netblock.

Here are the details of Alabanza:

Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
8309 Tinsley Rd.
Baltimore, MD 21244
US

Netname: ALABANZA-BALT-4
Netblock: 64.176.0.0 - 64.177.255.255
Maintainer: ALAB

Coordinator:
Cunningham, Thomas (TC12-ARIN) [EMAIL PROTECTED]
410-779-1400

Domain System inverse mapping provided by:
NS.ALABANZA.COM 209.239.47.252
NS2.ALABANZA.COM 209.239.47.201

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 06-Oct-2000.
Database last updated on 1-May-2002 19:59:42 EDT.

On the side....netsol cannot resolve noreagax02.com...?!

Hope this gets you on track :)

regards

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
-------------------------------------------------------------------------
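The replies above list the same handful of tells independently: a dial-up originating host in the Received headers, a landing URL that is a bare IP address rather than the brand's domain, a plain-http form collecting card data, a Reply-To at a free-mail provider, a long visible To list, and a formmail.pl action with a hidden "recipient" field that mails the submitted fields to a drop-box. The script below is an added example, not code from the thread or from Politech, that turns those observations into automated checks a mail gateway or analyst could run over a raw message. The sample message is constructed for the example (TEST-NET address 192.0.2.10, example.org/example.net addresses) and only borrows the dial-up hostname quoted in the thread; it does not contact any host.

```python
"""Phishing-indicator checks for a raw RFC 822 message (added example, not from the thread)."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample: a lookalike "eBay" notice with the traits the thread lists.
SAMPLE_MESSAGE = """\
From: eBay Billing <billing@ebay.com>
Reply-To: ebay-accounts@yahoo.com
To: a@example.org, b@example.org, c@example.org, d@example.org
Subject: Verify your account information
Received: from sdn-ar-001nynyorp256.dialsprint.net (dialup host)
Content-Type: text/html

<html><body>
<p>To avoid any inconvenience concerning an interruption of your service
membership, in future. Please take a moment to verify.</p>
<form method="POST" action="http://192.0.2.10/cgi-bin/formmail.pl">
<input type="HIDDEN" name="recipient" value="dropbox@example.net">
<input type="HIDDEN" name="redirect" value="http://192.0.2.10/redirect.html">
Card number: <input name="cardnum">
</form>
</body></html>
"""

# Constructed sample of a message with none of the tells, for contrast.
CLEAN_MESSAGE = """\
From: eBay <noreply@ebay.com>
To: a@example.org
Subject: Your item sold
Received: from mail.ebay.com (mail.ebay.com)
Content-Type: text/html

<html><body><p>See <a href="https://www.ebay.com/">your account</a>.</p></body></html>
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FORM_ACTION_RE = re.compile(r"<form[^>]*action=[\"']?([^\"'\s>]+)", re.I)
HIDDEN_INPUT_RE = re.compile(r"<input[^>]*type=[\"']?hidden[\"']?[^>]*>", re.I)
ATTR_RE = re.compile(r"(\w+)\s*=\s*[\"']?([^\"'\s>]+)")


def _domain(addr_header):
    """Domain part of the first address in a header value, lower-cased."""
    addr = parseaddr(str(addr_header))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw, visible_to_threshold=3):
    """Return a sorted list of indicator tags found in the raw message.

    The claimed brand domain is taken from the From header; every check asks
    whether some other part of the message points somewhere else.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = _domain(msg.get("From", ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    findings = set()

    # Reason 1: earliest Received hop is not a host of the claimed brand.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+(\S+)", str(received[-1]))
        if m and not m.group(1).lower().endswith(claimed):
            findings.add(f"origin-host-offbrand:{m.group(1).lower()}")

    # Reason 2: links in the body go to a bare IP or an off-brand host.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if IP_RE.match(host):
            findings.add(f"url-raw-ip:{host}")
        elif host and not host.endswith(claimed):
            findings.add(f"url-offbrand:{host}")

    # Reason 4 and the formmail.pl observation: form posts over plain http,
    # and/or to a generic form-to-mail CGI.
    for m in FORM_ACTION_RE.finditer(body):
        action = m.group(1)
        if action.lower().startswith("http://"):
            findings.add("form-action-not-https")
        script = urlparse(action).path.rsplit("/", 1)[-1].lower()
        if script == "formmail.pl":
            findings.add(f"form-mailer-script:{script}")

    # Reason 5: Reply-To lands at a different domain than the sender claims.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != claimed:
        findings.add(f"reply-to-mismatch:{reply_domain}")

    # Reason 6: a pile of visible recipients instead of Bcc or one-to-one mail.
    to_count = len(getaddresses([str(h) for h in msg.get_all("To", [])]))
    if to_count >= visible_to_threshold:
        findings.add(f"bulk-visible-to:{to_count}")

    # Hidden "recipient" field naming an external mailbox: the drop-box.
    for tag in HIDDEN_INPUT_RE.findall(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        value = attrs.get("value", "")
        if attrs.get("name", "").lower() == "recipient" and "@" in value:
            if _domain(value) != claimed:
                findings.add(f"hidden-recipient:{_domain(value)}")

    return sorted(findings)


def is_suspicious(findings, min_indicators=3):
    """Crude verdict: several independent tells together are a strong signal."""
    return len(findings) >= min_indicators


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        f = check_message(raw)
        print(label, is_suspicious(f), f)
```

Each tag carries the host or domain that triggered it so a reviewer can confirm the hit by hand, as the thread's correspondents did with whois and ARIN lookups; the threshold in `is_suspicious` is deliberately conservative because a single indicator (a free-mail Reply-To, say) is common in legitimate mail.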