Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section [Banner]

Search this site powered by FreeFind

Page Title:

Spoof/Phishing Scam  - 04/15/2007 Example (eBay)

Please be sure to read my Spoof/Phishing Scams Home Page

NOTE: This page Under Construction/Conversion
This page has not been completely converted to OFPv2 Standards.
When this is completed, this paragraph will go away.
Meanwhile, all external links on this page open a new window.

Things I Did, Below

I, personally, receive email in HTML format. Since the email headers could be included, I did not "forward" the email to get the brief headers. The following was received (and looks) like I received it, with the following exceptions:

  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) are different than what was displayed, I will include them in this type of note.
  • Actual links in the email message have been changed to null (allowing them to still appear as links), have arrows pointing to them ("<=="), have been "named", and appear as one of "my notes" (bold, red in color, and highlighted). They are listed below the email example using the "names".
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.) This email started with the HTML from the email I received. Most of the HTML and the look is original to the email (making this page non-standard HTML 4.01!)

Scam Example
Received 04/15/2007

This was interesting, because I received it, though no name in the email is mine. My guess it was sent to a mailing list. Why? Assume you are an eBay member and receive something that tells you that you did something wrong, though you know you didn't. My guess is that many who receive this, and don't check it out, will either go check out their eBay account (the smart move), or will click a link in the email (a BAD move). There they will be asked to verify who they are, and enter their information, which the spoofer will now have. NOW, they (the bad guys) can use a valid eBay account to cheat people (selling items they don't plan on sending), causing other trouble on eBay, or buying all kinds of things under the new account, getting them, and canceling payments, which will cause the REAL eBay owner no ends of trouble.

BE SURE TO CHECK OUT ANY EMAILS LIKE THIS YOU GET!

[Please note: This whole page will not validate HTML 4.01, though it says it will at the bottom. The reason is because I cut-and-pasted the HTML from the email. Because it was so bad, I did a few things to it:

  1. Reformatted it (partially to help find missing pieces)
  2. Corrected it (Added "end tags" - commented within the HTML) as needed.
  3. Removed all "noBreak"s from the code.
  4. Changed the three (3) main table widths from 100% to 90%.

 This was one ugly set of HTML, folks! -wds]

ebay eBay sent this message to freddie rasmussen (freddie4243).
Your registered name is included to show this message originated from eBay. Learn more.

eBay Item Not Received Dispute Opened for Item #140062186871
Dear eBay member,
harak-tur has informed eBay that they have not yet received item dell m2010 (#140062186871).

There are many reasons why this might have happened. Perhaps the item is still in transit, the payment has not yet cleared, or maybe it was accidentally shipped to the wrong address. In addition, buyers can sometimes have unrealistic expectations about how much time it can take for payment, shipping, and delivery. As a result, no action is being taken by eBay at this time.

However, it's important to remember that when you sell an item on eBay you're agreeing to a contract between you and the buyer. If you don't send an item that a buyer has purchased you may be committing fraud.

Most Item Not Received disputes can be solved with direct communication between the buyer and seller, and we encourage you to work with your trading partner to resolve this situation.

Learn more about eBay's [bad link (missed end quote and end gt]
Thank you,
eBay
Respond to this notification
Respond Now
If you don't respond by Feb-10-2007 the buyer may elect to escalate this matter to a reimbursement claim
Details for item number: 140062186871
Item title: dell m2010
Item URL: http:// cgi.ebay .com/ws/eBayISAPI.dll?ViewItem&item=140062186871
End date: Saturday, Jan 09, 2006 21:50:15 PST
Quantity: 1
Dispute URL: http:// rebulk.ebay .com/ws/eBayISAPI.dll?ViewDisputeConsole&DisputeType=3
Date dispute was opened: Wednesday, Mar 31, 2007 10:24:04 PST
Learn how you can protect yourself from spoof (fake) emails at:
http://adsl-71-130-207-127.dsl.irvnca.pacbell.net/www.ebay.com/eBayISAPI.htm

This eBay notice was sent to tatto @ mail.dk from eBay. Your account is registered on www.ebay .com. As outlined in our User Agreement, eBay will send you required notifications about the site and your transactions. If you would like to receive this email in text format, change your notification preferences.

See our Privacy Policy and User Agreement if you have questions about eBay's communication polic

 

[NOTE: I left any names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! I'm SURE you will be ripped off! -LE]

Email Headers

[DO NOT send email to any of the following email addresses]

X-Message-Status: s3:0
X-SID-PRA: eBay Security Center <aw-confirm @ eBay.com>
X-SID-Result: SoftFail
X-Message-Info: txF49lGdW43k7iysAUoCYqWbP9gKZuc7 [space added] bmm43kFtx+Ze93y3lQ3A1aKIwgVIiaGY
Received: from server.suntree.local ([72.17.198.122]) by bay0-mc9-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Sun, 15 Apr 2007 14:57:31 -0700
Received: from User ([216.48.29.66]) by server.suntree.local with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 15 Apr 2007 18:59:35 -0400
Reply-To: <donotreply @ eBay.com>
From: "eBay Security Center"<aw-confirm @ eBay.com>
Subject: eBay Item Not Received Dispute Opened for Item #140062186871
Date: Sun, 15 Apr 2007 17:40:59 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: aw-confirm @ eBay.com
Message-ID: <SERVERLEBUvF8IP3Vzz00000550 @ server.suntree.local>
X-OriginalArrivalTime: 15 Apr 2007 22:59:35.0421 (UTC) FILETIME=[BCA4E2D0:01C77FB1]

Notes

Links from email, above: (This information is from the SOURCE of the email.)

  • Image Sources:
    • eBay Logo: http:// pics.ebaystatic .com/aw/ pics/logos/ ebay_95x39.gif
    • Item Title: Top left curve: http:// pics.ebaystatic .com/aw/ pics/globalAssets/ ltCurve.gif
    • Item Title: Top right curve: http:// pics.ebaystatic .com/aw/ pics/globalAssets/ rtCurve.gif
    • Resizable spacer: http:// pics.ebaystatic .com/aw/pics/ s.gif
    • Respond Now Button: http:// pics.ebaystatic .com/aw/ pics/buttons/ btnRespondNow.gif
  • Links (behind the words):
    • Learn More: http:// adsl-71-130-207-127 .dsl.irvnca.pacbell .net/www. ebay.com/ eBayISAPI.htm
    • [Bad link: missing end quote and gt]: http:// adsl-71-130-207-127 .dsl.irvnca.pacbell .net/ww
    • notification preferences: http:// adsl-71-130-207-127 .dsl.irvnca.pacbell .net/www. ebay.com/ eBayISAPI.htm
    • tatto @ mail.dk: http:// uk.f279.mail.yahoo .com/ym/ Compose? To=tatto @ mail.dk
    • www.ebay .com: http:// www.ebay .com/
  • Link Behind Image:
    • Respond Now Button: http:// adsl-71-130-207-127 .dsl.irvnca.pacbell .net/www. ebay.com/ eBayISAPI.htm

Things to note in the links:

  • Image Sources:
    NOTE: All of these images are located at "pic.ebaystatic.com". "ebaystatic.com" appears to be owned by the eBay corp. By it's name, it's probably where they place all the non-changing portions of their sites. I'm sure the spoofers copied an actual eBay letter and changed the email and link addresses to fit their own needs... That what spoofers do, right?
    • eBay Logo: Obvious what this is, huh?
    • Item Title: Top Left and Top Right Curve: These are the little rounded corners at the top of the orange bar that contains the name of the item. Again, notice
    • Resizable spacer: This is probably a single-pixel transparent GIF. All images can be expanded or shrunken online by defining the height and width. These are used throughout the letter, defined to the height needed at that point.
    • Respond Now Button: Obvious. Another stolen eBay image.
  • Links (behind the words) and Link Behind Image:
    NOTE: ALL links except the www.ebay .com link in the fine-print, and the email address appear to go to the same link - adsl-71-130-207-127 (possibly an actual ISP, a subdomain of the dsl subdomain of the irvnca subdomain of pacbell.net, in the directory www.ebay .com on the page eBayISAPI.htm. Technically, I don't think www.ebay .com is a valid directory, but some computers allow periods in directory names, and, obviously, this one does. (If you wish, you can see ISAPI - Wikipedia, the free encyclopedia, and follow the links for full definition of it.) This includes BOTH the Item and Dispute URLs (which appear to have a valid URL showing). In other words, if you click any link on the page but the www.ebay .com link listed in the fine-print at the bottom, you will go to their page. The "Learn More" link was incomplete, but probably went to the same place.
  • Email link: The email link uses a United Kingdom YAHOO email address, more specifically, Denmark.

Other "problems" and things I see:

  • I am NOT either freddie rasmussen (freddie4243), nor am I harak-tur.
  • I have never bought a computer on eBay, and haven't bought anything for some time, nor have I sold ANYTHING on eBay.
  • eBay would not have sent an email with a bad link. The "Learn more" sentence was incomplete, as was the link.
  • I believe there was an error in the fine-print, too... The "Learn how you can protect yourself" link ALSO goes to the same page as the others, but is shown. My bet is this was an error on the sender's part.
  • From the Email Headers:
    • All of the email addresses appear to be eBay email addresses.
    • The "To" address was blank in my client, and didn't exist in the headers. This, to me, usually means it was sent to a mailing list.
  • Speaking of that last point, there's NO WHERE in the email that mentions MY NAME.

As you can see, the email "looks" very official, but with a little checking BEFORE YOU CLICK A LINK OR REPLY, you can find inconsistencies that can save you from a world of hurt! (and empty bank accounts!)

Send comments/questions about this page to Bill Sanders at:

Go to Scams - Spoof/Phishing Scams Home page
Go to Scams - Spoof/Phishing Scams Examples Links

| Home | Main | Owner | Scams, Shams & More Flim-Flams | Glossary | Sitemap | Contact |

Send email to Bill Sanders ()
with questions or comments about this page or site.

This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.
It and it's CSS was validated and complies with both the: CSS and HTML 4.01 validators from W3C.
NOTE: All CSS validates except the "New Window Buttons" which include some invalid code (ie: hacks),
added PicoSearch Tables, and warnings for using transparent backgrounds when color foregrounds defined.
Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.
ctr