On Friday, 2003-09-26 at 12:25 AST, Mike Tomasura <[EMAIL PROTECTED]> wrote: > I guess e-bay had some problems? A few users got this message from them. > > Dear eBay user! > > At 09.24.2003 our company has lost a number > of accounts in the system during the database > maintenance. If you have an active account, please > click on the link below to update your credit card > information. If you have problems with your account, please let us know > at email [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > > https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation > <https://e%31bay.com/saw-cgi/?UpdateInformation>
This is a clever attempt to harvest ebay account information. The message, with the subject "Official Notice for all eBay users" consists of 2 parts: 1. An html section, which includes a link to (don't click on this) http://[EMAIL PROTECTED]:%34%39%30%31/%75%70%64%61%74%65/%69%6E%64%65%78%2E%68%74%6D, and a display of "pic.gif". 2. A base 64 attachment - pic.gif. What you normally see when you open the message is just the gif file. But the gif appears to be text, including a picture of the text asking you to click on "http://scgi.ebay.com/saw-cig/eBayISAPI.dll?VerifyInformation"; But the real link (as might be displayed at the bottom of your mail client window if it gives you a preview of links) is the one shown in #1. And that link doesn't go to ebay.com - it really goes to 211.217.224.102, port 4901. That is because everything in front of the "@" is treated by your browser as data (a userid, in theory) to be passed to the target host, not as the host name. That target web server, when it was working, displayed a page that is forged to look like an ebay page, asking you to reenter your ebay userid and password. Don't do it! Today, the host at 211.217.224.102 is no longer listening on port 4901. Tony Rall
