The Museum of HP Calculators

HP Forum Archive 15

[ Return to Index | Top of Index ]

WARNING: New scam
Message #1 Posted by Vassilis Prevelakis on 13 Jan 2006, 6:44 p.m.

I got the following email (excerpts):

From aw-confirm@ebay.com  Fri Jan 13 17:31:46 2006
From: "aw-confirm@ebay.com" <aw-confirm@ebay.com>
Subject: Question from ebay member
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

[...]

Your registered name is included to show this message originated from eBay. 
<A href="http://ssiiggnniinn.100free.com/ws/
eBayISAPIdllSignInfavoritenav=2sid2=ruproduct=pp=co_partnerId=2
ru=i1=ruparams=pageType=pa2=bshowgif=pa1=pUserId=errmsg=
UsingSSL-runame-iteid=1/signin.htm" 
target=_blank><FONTcolor=#003399>Learn more</FONT></A>.

[...]

This is a fake message. Notice the http://ssiiggnniinn.100free.com url!

Apart from that, the email did not include my registered name, and the To: field was not my registered ebay email address.

BEWARE

**vp

      
Re: WARNING: New scam
Message #2 Posted by Howard Owen on 13 Jan 2006, 10:50 p.m.,
in response to message #1 by Vassilis Prevelakis

I've been getting a lot of these. They usually ask questions such as "what forms of payment do you accept for your item?" Aside from the fact that the reply URL, as you point out, is spoofed, and actually points to some other site than eBay, the mail headers should also show a spoof in the last Received: header listed. The last header listed should be the first one generated. But sometimes the miscreants add phony Received: headers so the first real one isn't the last one listed. Regardless, the first real Received: header usually contains a spoof of the originating system's name. Knowing this can be helpful in identifying malicious mail when other clues are inconclusive.

For example, here's a sample from a virus laden mail that hit my mailbox a couple of weeks back:

Received: from vansbro.se (ASt-Lambert-151-1-23-237.w82-120.abo.wanadoo.fr [82.120.234.237]) by [...]

So this one claimed to be from 'vansbro.se' but actually originated from 'ASt-Lambert-151-1-23-237.w82-120.abo.wanadoo.fr'.

      
Re: WARNING: New scam
Message #3 Posted by Marcus Aurelius on 15 Jan 2006, 9:16 a.m.,
in response to message #1 by Vassilis Prevelakis

I've gotten so many of these of different variations that I closed my eBay account. The fun of trading on eBay is not worth exposing yourself, (however they're getting your email off eBay?), to these scam artists.

            
Re: WARNING: New scam
Message #4 Posted by Howard Owen on 15 Jan 2006, 12:25 p.m.,
in response to message #3 by Marcus Aurelius

It's doubtful that your membership in eBay or PayPal has anything at all to do with the phishing spam you are getting. Spam is a volume game, and the miscreants who send out that stuff just don't have time to target groups of people. They assume that some percentage of the multiple millions of messages they send will reach people who have eBay accounts, and that some percentage of those will be selling. Since eBay is popular, they are obviously right to think that. But then they also have to get some percentage (of the percentage, of the percentage) of targets who are dumb enough to fall for the (usually) transparently false scam spam spew. As long as you can tell the difference (which you obviously can) then you are safe.

Regards,
Howard

[ Return to Index | Top of Index ]

Go back to the main exhibit hall