Yohannon (yohannon) wrote,

Scary Shit... Spam That Almost Looks Real

You know, I think if people actually paid attention in English class, they would spot things as fakes and not hand organized crime in another country the keys to their identity. Case in point, this is an actual email I received today...

Dear eBay Member,

The eBay Team from The Department of Payments and Fees Cost inform you that the data provided by you can not be processed to charge the monthly fees. Click on the link below to update your credit/debit card on your eBay account so the monthly fees can be charged directly from your credit/debit card.

[utterly convincing link to: http://dll-ebay.com/index.html]

"If your eBay Account will not be updated in 5 days with a credit/debit card your account will be suspended in conformity with eBay Terms of Agreement paragraph 9 in which is stated that we can temporary or permanently stop providing our services to you.

Thank you for understanding and using our services !

eBay Team

Department of Payments and Fees Cost

Copyright © 1995-2004 eBay Inc. All Rights Reserved.

The observant will note the glaring grammatical deficiencies almost immediately. The unwary, however, will click on the link and be taken to what LOOKS like an actual eBay site. For the technically challenged I should point out that it's absurdly simple to duplicate the exact appearance of an eBay site... all one needs to do is steal the code and required graphics straight from any eBay page.

"But the URL!" you might proclaim, "Isn't that an eBay server?" No, it just contains the word "ebay". If it were really eBay, it might look like "dll.ebay.com". dll-ebay is registered through a less than scrupulous (or perhaps just criminally sloppy) registrar who doesn't care that eBay is a registered trademark.
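The difference between "dll-ebay.com" and "dll.ebay.com" can be checked mechanically. The following is an added example, not part of the original post: a small Python check that treats a link as official only when its host is the brand domain or a subdomain of it. The function names and the sample links other than the two from the post are constructed for illustration.

```python
from urllib.parse import urlsplit


def classify_link(url, brand_domain="ebay.com"):
    """Return 'official', 'lookalike' or 'unrelated' for a link found in a message."""
    # Accept bare "host/path" strings as well as full URLs.
    if "://" not in url:
        url = "//" + url
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    except ValueError:  # malformed authority part
        return "unrelated"

    brand_domain = brand_domain.lower()
    brand = brand_domain.split(".")[0]  # "ebay"

    # Official only if the host IS the brand domain or sits under it.
    # The leading dot matters: "dll-ebay.com" ends with the string
    # "ebay.com", but not with the DNS suffix ".ebay.com".
    if host == brand_domain or host.endswith("." + brand_domain):
        return "official"
    # The brand name appears in the host, but the host is not under the
    # brand's domain: the case described in the post.
    if brand in host:
        return "lookalike"
    return "unrelated"


def triage(links, brand_domain="ebay.com"):
    """Map each link to its classification, preserving order."""
    return [(link, classify_link(link, brand_domain)) for link in links]


# Sample links: the first two are from the post, the rest are constructed.
SAMPLE_LINKS = [
    "http://dll-ebay.com/index.html",
    "http://dll.ebay.com/index.html",
    "https://www.ebay.com/",
    "http://ebay.com.example.net/login",
    "http://example.org/",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:10} {link}")
```
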

The proof of the scam is in the way the site functions. For example, the log-in screen will take ANY random input as if it was an actual user name and password. The so-called validation screen will also take any input whatsoever... I made sure to enter something particularly nasty in those fields (leaving them blank generates another realistic message regarding the "required" information needing to be in specific fields... a fairly simple script built into most web pages that accepts these kinds of forms can be whipped up fairly quickly), and "submitted" it. If it was a real submission, I would have received a polite error message saying my credit card info was invalid. Here, it actually accepted the phrase "Bite my ass, shit monkeys" as a valid credit card number.

So, who is committing this massive fraud? Digging deeper into the email reveals this hidden field (at least for most users):

Received: from smtp1.iplus.ro (unknown []) by smtp1.iplus.ro (Postfix on SuSE Linux 9.0 (i586)) with SMTP id 406C63D80D for [yohannon@rotunda.com]; Sat, 3 Apr 2004 04:23:29 +0300 (EEST)

Now, most "top level" domains are three or more letters in length (.com, .net, .org, etc.). Two letter suffixes are country domains. For example, there's a .us for this country, .uk for the UK, and so forth. Russia, a notorious source for spam, is .ru. Unless my memory is completely gone (a very real possibility at this point), .ro is Romania.

In other words, some asshole Romanian Mafioso running a Linux server is "spoofing" as eBay to trick y'all into revealing key bits of info to steal your identity. As I said, the only flaw is in the broken English, which could easily be tweaked before long to be indistinguishable to a majority of Americans. I'm certain that, even in this format, a lot of people might be duped... ARE being duped... by it.

Be careful out there, folks.