Joe
07-22-2005, 07:14 PM
This was received via a Security Focus newsletter I get - I thought I would share it with you:
bugtraq@securityfocus.com
I just got another phishing scam (targeting eBay).
The twist is that the subject line included my eBay username,
and it was sent to my eBay e-mail address. The Phishers have
figured out how to get one from the other, I don't know how.
I sent it on to eBay but just got a standard form letter
back.
Is this happening to anyone else? Anyone know how they
were able to figure out my e-mail from user name (or
vice versa)?
j
text, with relevant portions removed:
Return-Path: <apache@www.nec.com.hk>
Delivered-To: xxxx@xxxx.xxxx.org
Received: (qmail 15267 invoked by alias); 21 Jul 2005 17:05:07 -0000
Delivered-To: xxxx@xxxx.org
Received: (qmail 15264 invoked from network); 21 Jul 2005 17:05:07 -0000
Received: from unknown (HELO localhost.localdomain) (203.194.209.141)
by xxxx.xxxx.com with SMTP; 21 Jul 2005 17:05:07 -0000
Received: from www.nec.com.hk (www.nec.com.hk [127.0.0.1] (may be forged))
by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6LIL8VB001107
for <xxxx@xxxx.org>; Fri, 22 Jul 2005 02:21:08 +0800
Received: (from apache@localhost)
by www.nec.com.hk (8.13.1/8.13.1/Submit) id j6LIL7MX001106;
Fri, 22 Jul 2005 02:21:07 +0800
Date: Fri, 22 Jul 2005 02:21:07 +0800
Message-Id: <200507211821.j6LIL7MX001106@www.nec.com.hk>
From: "eBay" <aw-confirm@ebay.com>
Reply-to: 6884-lbpl-4t94@noreplay.ebay.com
Subject: Notification of Limited Account Access for xxxx
To: xxxx@xxxx.org
Content-type: text/html
<html>
<style type="text/css">
<!--
.style3 {color: #FFFFFF}
-->
</style>
<body>
<table border="0" width="100%">
<tr>
<td width="15%" align="left">To:</td>
<td>xxxx</td>
</tr>
<tr>
<td width="15%" align="left">From:</td>
<td>eBay<span class="style3">( codeID=2574-h04b-ug97)</span></td>
</tr>
<tr>
<td width="15%" align="left">Subject:</td>
<td>Notification of Limited Account Access for xxxx<span class="style3"> x route </span></td>
</tr>
<tr>
<td colspan="2">------------------------------------------------------------</td>
</tr>
<tr>
<td colspan="2"><table cellpadding="2" cellspacing="0" border="0" style="border: #e0e0e0 1px solid;" width="100%">
<tr>
<td><p class="V1Gray">http://battellemedia.com/images/ebayLogo-tm.jpg</p>
<p class="V1Gray">eBay sent this message to xxxx (xxxx@xxxx.org
).
</p></td>
</tr>
</table>
<table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<tbody>
<tr>
<td bgColor="#9999cc" width="1">http://pics.ebaystatic.com/aw/pics/s.gif</td>
<td>
<table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<tbody>
<tr bgColor="#9999cc" height="26">
<td> <span class="A3B" style="color:white;">Welcome to My Messages</span></td>
</tr>
<tr>
<td>
<table cellSpacing="0" cellPadding="5" width="100%" bgColor="white" border="0">
<tbody>
<tr>
<td colSpan="6" bgcolor="#FFFFFF">http://pics.ebaystatic.com/aw/pics/myMessages/note_570x30.gif
Dear <span class="V1Gray"> xxxx(xxxx@xxxx.org
),</span></p>
This e-mail is the notification of recent innovations taken by eBay to detect inactive customers and
non-functioning billing process.
The inactive customers are subject to restriction and removal in the next 3 days.
You must click the link to complete the process.</p>
<a href="http://signin.ebay.com.aw-cgi2.com/eBayISAPI.dll?VerifyID&PlaceInfo&LogUID=xxxx;UserRoute=2574-h04b-ug97">http://signin.ebay.com/eBayISAPI.dll?Signln&UserIDmail=xxxx@xxxx.org
</a> <span class="style3"> =
type=state&param=xxxx-2574-h04b-ug97</span></p>
<p align="left">(To complete the verification process you must fill in all the required fields)</p>
Notice: Refusal to cooperate in an investigation or provide confirmation of identity when requested are subject to restriction and removal in the next 3 days </p>
Regards,
Customer Support (Trust and Safety Department), <span class="style3"> </span></p></td>
</tr>
<tr>
<td height="10"></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td width="100%" bgColor="#9999cc">http://pics.ebaystatic.com/aw/pics/s.gif</td>
</tr>
</tbody>
</table>
</td>
<td bgColor="#9999cc" width="1">http://pics.ebaystatic.com/aw/pics/s.gif</td>
</tr>
</tbody>
</table>
<hr size="1"></td>
</tr>
</table>
</body>
</html>
bugtraq@securityfocus.com
I just got another phishing scam (targeting eBay).
The twist is that the subject line included my eBay username,
and it was sent to my eBay e-mail address. The Phishers have
figured out how to get one from the other, I don't know how.
I sent it on to eBay but just got a standard form letter
back.
Is this happening to anyone else? Anyone know how they
were able to figure out my e-mail from user name (or
vice versa)?
j
text, with relevant portions removed:
Return-Path: <apache@www.nec.com.hk>
Delivered-To: xxxx@xxxx.xxxx.org
Received: (qmail 15267 invoked by alias); 21 Jul 2005 17:05:07 -0000
Delivered-To: xxxx@xxxx.org
Received: (qmail 15264 invoked from network); 21 Jul 2005 17:05:07 -0000
Received: from unknown (HELO localhost.localdomain) (203.194.209.141)
by xxxx.xxxx.com with SMTP; 21 Jul 2005 17:05:07 -0000
Received: from www.nec.com.hk (www.nec.com.hk [127.0.0.1] (may be forged))
by localhost.localdomain (8.13.1/8.13.1) with ESMTP id j6LIL8VB001107
for <xxxx@xxxx.org>; Fri, 22 Jul 2005 02:21:08 +0800
Received: (from apache@localhost)
by www.nec.com.hk (8.13.1/8.13.1/Submit) id j6LIL7MX001106;
Fri, 22 Jul 2005 02:21:07 +0800
Date: Fri, 22 Jul 2005 02:21:07 +0800
Message-Id: <200507211821.j6LIL7MX001106@www.nec.com.hk>
From: "eBay" <aw-confirm@ebay.com>
Reply-to: 6884-lbpl-4t94@noreplay.ebay.com
Subject: Notification of Limited Account Access for xxxx
To: xxxx@xxxx.org
Content-type: text/html
<html>
<style type="text/css">
<!--
.style3 {color: #FFFFFF}
-->
</style>
<body>
<table border="0" width="100%">
<tr>
<td width="15%" align="left">To:</td>
<td>xxxx</td>
</tr>
<tr>
<td width="15%" align="left">From:</td>
<td>eBay<span class="style3">( codeID=2574-h04b-ug97)</span></td>
</tr>
<tr>
<td width="15%" align="left">Subject:</td>
<td>Notification of Limited Account Access for xxxx<span class="style3"> x route </span></td>
</tr>
<tr>
<td colspan="2">------------------------------------------------------------</td>
</tr>
<tr>
<td colspan="2"><table cellpadding="2" cellspacing="0" border="0" style="border: #e0e0e0 1px solid;" width="100%">
<tr>
<td><p class="V1Gray">http://battellemedia.com/images/ebayLogo-tm.jpg</p>
<p class="V1Gray">eBay sent this message to xxxx (xxxx@xxxx.org
).
</p></td>
</tr>
</table>
<table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<tbody>
<tr>
<td bgColor="#9999cc" width="1">http://pics.ebaystatic.com/aw/pics/s.gif</td>
<td>
<table cellSpacing="0" cellPadding="0" width="100%" align="center" border="0">
<tbody>
<tr bgColor="#9999cc" height="26">
<td> <span class="A3B" style="color:white;">Welcome to My Messages</span></td>
</tr>
<tr>
<td>
<table cellSpacing="0" cellPadding="5" width="100%" bgColor="white" border="0">
<tbody>
<tr>
<td colSpan="6" bgcolor="#FFFFFF">http://pics.ebaystatic.com/aw/pics/myMessages/note_570x30.gif
Dear <span class="V1Gray"> xxxx(xxxx@xxxx.org
),</span></p>
This e-mail is the notification of recent innovations taken by eBay to detect inactive customers and
non-functioning billing process.
The inactive customers are subject to restriction and removal in the next 3 days.
You must click the link to complete the process.</p>
<a href="http://signin.ebay.com.aw-cgi2.com/eBayISAPI.dll?VerifyID&PlaceInfo&LogUID=xxxx;UserRoute=2574-h04b-ug97">http://signin.ebay.com/eBayISAPI.dll?Signln&UserIDmail=xxxx@xxxx.org
</a> <span class="style3"> =
type=state&param=xxxx-2574-h04b-ug97</span></p>
<p align="left">(To complete the verification process you must fill in all the required fields)</p>
Notice: Refusal to cooperate in an investigation or provide confirmation of identity when requested are subject to restriction and removal in the next 3 days </p>
Regards,
Customer Support (Trust and Safety Department), <span class="style3"> </span></p></td>
</tr>
<tr>
<td height="10"></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td width="100%" bgColor="#9999cc">http://pics.ebaystatic.com/aw/pics/s.gif</td>
</tr>
</tbody>
</table>
</td>
<td bgColor="#9999cc" width="1">http://pics.ebaystatic.com/aw/pics/s.gif</td>
</tr>
</tbody>
</table>
<hr size="1"></td>
</tr>
</table>
</body>
</html>