Introduction
Design
Construction
Publicity
Scamhunt
The Hunt for Carfilhiot
The Diamond Mine
Paypal Phishing
Blog

The Ebay Phishing Email

This is the email that arrived. Not for MY address but a friend who forwarded it:
Now this all looks OK with the right logo and the copyright stuff. And if you click any link other than the one in the middle it takes you to the real eBay site for stuff like User Agreement or Privacy Policy

Even the URL in the middle looks OK. Its a genuine eBay one. But on this page its only the description of the link not the link iself.

If you hover on this URL, the URL your really going to is something like:
https://signin.ebay.com/sw-cgi/eBayITAPI.dll?SignIn& runame=LIVEWORLD_US_ANSWER_CENTER
& ruproduct= User + Agreement + Update & amp; ruparams=page%3D@http://69.56.253.18/ ~lizard/ebay/aw-cgi/login.php https://signin.ebay.com/sw-cgi/eBayITAPI.dll

This still looks pretty good to you because it starts an finishes with the right kind of URL. But the way a browser processes an URL it checks thru for the "@" sign (which your noticing because I made it red) and the next thing after that is the site it really goes to.

So its really going to http://69.56.253.18/~lizard/ebay/aw-cgi/login.php.

And this page in turn was set up by somebody who took out a anonymous subscription for a web site from ThePlanet.com Internet Services, Inc but it could of been any big ISP.

When you get there you see a screen like this:

Which looks like the real eBay log in screen. If you fill in your name and password they got you. They take the name and password then they pass you to a screen to verify your PayPal data so they get that too. I dont have an image for that page because I would need to give away my eBay login info to get to it.

Finally they pass you to the real eBay log in. You think something went wrong so you log in again and after that its all normal except that they have your important passwords. They can change your address details, make a big Buy It Now purchase and they get away with it.

I would of liked to find the scammer who did this but its hopeless he probably didnt even live in America never mind England. And the site was dead two days later.

But what I did I reported him to the ISP and to various scambuster sites so over time it might mean its harder for him also spam filters are beginning to be able to recognise these concealed URLs.

©Alfredo García 2004-2006 All Rights Reserved