We recently have determined that different computers have logged onto your eBay account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by January 17, 2006, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.
Thus begins another eBay phishing scam email that just came into my Inbox:

Let's take a brief look at this one. The images are being pulled from eBay's static image server, and all the rest of the links point right to eBay. Minus one. The "Sign In Securely >" button goes straight to this IP: 64.7.93.146; it's the same IP you see when you hover over the link in the email. It looks like this:
http://64.7.93.146/~eric/.SingIn.eBay.com_ws2_eBaySingIn.dll_index.html/login.html
Now let's look at this particular eBay phishing scam's email header:
Return-Path: <test@AventuraOfficeCenter.com>
Received: from AventuraOfficeCenter.com (66.83.189.106.nw.nuvox.net [66.83.189.106])
	by bugsbunny.castlecops.com (8.13.4/8.13.4) with ESMTP id k07NlikV007974
	for <paul@computercops.biz>; Sat, 7 Jan 2006 18:47:44 -0500
Received: from AventuraOfficeCenter.com (localhost [127.0.0.1])
	by AventuraOfficeCenter.com (8.13.1/8.13.1) with ESMTP id k07NlsqT006417
	for <paul@computercops.biz>; Sat, 7 Jan 2006 18:47:54 -0500
Received: (from test@localhost)
	by AventuraOfficeCenter.com (8.13.1/8.13.1/Submit) id k07NlrMZ006415;
	Sat, 7 Jan 2006 18:47:53 -0500
It claims to come from AventuraOfficeCenter.com, but really we see it coming from 66.83.189.106.nw.nuvox.net. AventuraOfficeCenter.com uses mail.telcom.net for its mail routing, which has these IPs: 200.80.13.13 and 200.80.13.14. AventuraOfficeCenter.com uses this IP for its web site: 200.80.13.67. So we have a domain being spoofed in the email header, but we know better: 'tis 66.83.189.106 that is the culprit.
The IP 66.83.189.106 doesn't come back in any spam lookups at the moment, so it must be fresh spam. If we visit that IP via HTTP we see this:

So what happens when you visit the above link?
http://64.7.93.146/~eric/.SingIn.eBay.com_ws2_eBaySingIn.dll_index.html/login.html
This is what you see:

As I click on the 'secure' sign in link, I get this page and error in red:

Still in the same location, trying to phish out my eBay login account. All for something that looks as innocent as this in the email:
http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdate
So buyer beware. eBay doesn't ask you things like this in email.
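
The mismatch described above, a link that displays an eBay URL while its target is a bare IP, can be checked mechanically by a mail filter. The following Python sketch is an added example, not part of the original post: the HTML in SAMPLE_HTML is constructed around the two URLs quoted above (the message's real markup is not shown here, and the www.ebay.com link is a made-up benign control), and the names LinkCollector and audit_links are hypothetical.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample markup: the post gives the two URLs, not the e-mail's HTML.
SAMPLE_HTML = (
    '<a href="http://64.7.93.146/~eric/.SingIn.eBay.com_ws2_eBaySingIn.dll_index.html/login.html">'
    'http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdate</a> '
    '<a href="http://www.ebay.com/">eBay home</a>')
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()  # '' when the URL has no host

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return [(href, [reasons])] for anchors whose real target looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target, shown = host_of(href), URL_IN_TEXT.search(text)
        reasons = ["href host is a bare IP address"] if is_ip_literal(target) else []
        if shown and host_of(shown.group()) != target:
            reasons.append("visible text shows host " + host_of(shown.group()))
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling audit_links(SAMPLE_HTML) flags only the first anchor, with both reasons attached; the second anchor, whose text contains no URL and whose target is a hostname, passes.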