[Dshield] eBay phishing

Aaron Lewis aaron at adldatacomm.net
Fri Mar 18 13:27:33 GMT 2005


I just received another eBay phishing attempt. This has been reported to
eBay.

The body of the email is composed as follows:

<cut>
Update Your Information




Dear eBay user ,
During our regular update and verification of the accounts, we couldn't
verify your current information.

Either your information has changed or it is incomplete.
Please click here update and verify your information by signing in your
account below.
If the account information is not updated to current information within 5
days then, your access to bid or buy on eBay will be restricted.


----------------------------------------------------------------------------
----

This eBay notice was sent to brian_s_clifton at yahoo.com  based on your eBay
account preferences. If you would like to review your notification
preferences for other types of communications, click here. If you would like
to receive this email in text only, click here.

As outlined in our User Agreement, eBay will periodically send you
information about site changes and enhancements. Visit our Privacy Policy
and User Agreement if you have any questions.

Copyright ? 2003 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective
owners.

</cut>

The email also contains a linked image at the top which take you to
http://www.home.ro/ads.php3?CLIENT= but the link which they ask you to click
on to update your info goes to

http://67.92.228.43/~infosu/aw-cgi/eBayISAPIdll/RegisterEnterInfo/update.htm
which, according to SYmantec9.0 contains Threat: JS.Cardsteal.Trojan

The HTML Source looks like this

<copy>

<!-- HOME.RO Banners v0.1 -->
<SCRIPT LANGUAGE="JavaScript">
<!--
browser = (((navigator.appName == "Netscape") &&
(parseInt(navigator.appVersion) >= 2 )) || ((navigator.appName == "Microsoft
Internet Explorer") && (parseInt(navigator.appVersion) >= 2 )));
if (browser) {
if (parent.name != 'homepopup') {
   open_this = 'http://www.home.ro/ads.php3?CLIENT=' + window.location;
   homepopup = window.open(open_this, "homepopup", "width=500,height=80");
}
}
//-->
</SCRIPT>
<!-- END HOME.RO Banners -->

<html>

<head>
<div http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">

<title>New Page 1</title>
<style>
<!--

td {font-family:arial,helvetica,sans-serif;font-size:x-small;}-->
</style>
</head>

<div>

<form action="http://ebay.com-security.net/aw-cgi/eBayISAPI/processing.php"
method="post" target="_blank">
  <input type="hidden" value="mail" name="svc" style="font-family:
verdana,arial,helvetica,sans-serif; font-size: 80%">
  <input type="hidden" value="yernadop" name="userid" style="font-family:
verdana,arial,helvetica,sans-serif; font-size: 80%">
  <b><font face="Verdana" color="#ff0000" style="line-height: 1.35em">
  <table borderColor="#ffffff" cellSpacing="0" cellPadding="0" width="500"
bgColor="#ffffff" border="1">
    <tr>
      <td class="unnamed1" vAlign="top" align="left" height="189"
rowSpan="3">
      <div align="center">
        <table cellSpacing="0" cellPadding="0" width="599" border="0">
          <tr>
            <td width="600" colSpan="5" style="font-family:
arial,helvetica,sans-serif; font-size: x-small">
            <cursive src =
"http://include.ebay.com/aw/pics/js/stats/ss2.js">
<table cellpadding="2" cellspacing="0" border="0" bgcolor="#FFFFCE"
width="100%">
<tr>
<td><a href="http://www.ebay.com/">
<img src = "http://pics.ebaystatic.com/aw/pics/email/eBayLogo.gif"
border="0" align="right" width="37" height="18"></a><b><font
style="LINE-HEIGHT: 1.35em" face="Verdana" size="4" color="#1E1E1E">Update
Your Information</font></b></td>
</tr>
<tr bgcolor="#FFCC00" height="2"><td></td></tr>
</table>
            <p style="margin-top: -10" align="left">&nbsp;</p>
            <p style="margin-top: -10" align="left">Dear eBay user ,<br>
            During our regular update and verification of the accounts, we
            couldn't verify your current information.</p>
            <p align="left">Either your information has changed or it is
            incomplete.<br>
            Please
            <a target="_blank"
href="http://67.92.228.43/~infosu/aw-cgi/eBayISAPIdll/RegisterEnterInfo/upda
te.htm">click
here</a> update and verify your information by signing in your
            account below. <br>
            If the account information is not updated to current information
            within 5 days then, your access to bid or buy on eBay will be
            restricted.</p>
            <table cellSpacing="0" cellPadding="0" width="600" border="0">
              <tr>
                <td style="font-family: arial,helvetica,sans-serif;
font-size: x-small">
                <hr style="WIDTH: 600px" align="center" width="600"
SIZE="2">
                <cursive src =
"http://include.ebay.com/aw/pics/js/stats/ss2.js">
                <b>
                <font style="line-height: 1.35em" face="Arial, Verdana"
color="#666666" size="1">
                <p>This eBay notice was sent to
brian_s_clifton at yahoo.com&nbsp; based on your
                eBay account preferences. If you would like to review your
                notification preferences for other types of communications,
                <a
href="http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?OptinLoginShow&ssPageName=AD
ME:B:EOAB:US:20" target="_blank">
                click here</a>. If you would like to receive this email in
text
                only,
                <a
href="http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?OptinLoginShow&ssPageName=AD
ME:B:EOAB:US:21" target="_blank">
                click here</a>. </p>
                <p>As outlined in our User Agreement, eBay will periodically
                send you information about site changes and enhancements.
Visit
                our
                <a
href="http://pages.ebay.com/help/community/png-priv.html?ssPageName=ADME:B:E
OAB:US:23" target="_blank">
                Privacy Policy</a> and
                <a
href="http://pages.ebay.com/help/community/png-user.html?ssPageName=ADME:B:E
OAB:US:22" target="_blank">
                User Agreement</a> if you have any questions. </p>
                <p align="center">Copyright &#65533; 2003 eBay Inc. All
Rights
                Reserved.<br>
                Designated trademarks and brands are the property of their
                respective owners. </font></b></cursive>
                </td>
              </tr>
            </table>
            <p>&nbsp;</cursive></td>
<p>
</div>

</table>

</td>
</tr>
</html>

</copy>








Aaron D. Lewis
Web Spun Designs
aaron at webspundesigns.com
http://www.webspundesigns.com




More information about the list mailing list