Dear eBay Member,
The eBay Team from The Department of Payments and Fees Cost inform you that the data provided by you can not be processed to charge the monthly fees. Click on the link below to update your credit/debit card on your eBay account so the monthly fees can be charged directly from your credit/debit card.
[utterly convincing link to: http://dll-ebay.com/index.html]
"If your eBay Account will not be updated in 5 days with a credit/debit card your account will be suspended in conformity with eBay Terms of Agreement paragraph 9 in which is stated that we can temporary or permanently stop providing our services to you.
Thank you for understanding and using our services !
Department of Payments and Fees Cost
Copyright © 1995-2004 eBay Inc. All Rights Reserved.
The observant will note the glaring grammatical deficiencies almost immediately. The unwary, however, will click on the link and be taken to what LOOKS like an actual e-bay site. For the technically challenged I should point out that it's absurdly simple to duplicate the exact appearance of an e-bay site... all one needs to do is steal the code and required graphics straight from any eBay page.
"But the URL!" you might proclaim, "Isn't that an eBay server?" No, it just contains the word "ebay". If it were really ebay, it might look like "dll.ebay.com". dll-ebay is registered through a less than scrupulous (or perhaps just criminally sloppy) registrar who doesn't care that eBay is a registered trademark.
The proof of the scam is in the way the site functions. For example, the log-in screen will take ANY random input as if it was an actual user name and password. The so called validation screen will also take any input whatsoever... I made sure to enter something particularly nasty in those fields (leaving them blank generates another realistic message regarding the "required" information needing to be in specific fields... a fairly simple script built into most web pages that accepts these kinds of forms can be whipped up fairly quickly), and "submitted" it. If it was a real submission, I would have received a polite error message saying my credit card info was invalid. Here, it actually accepted the phrase "Bite my ass, shit monkeys" as a valid credit card number.
So, who is committing this massive fraud? Digging deeper into the email reveals this hidden field (at least for most users):
Received: from smtp1.iplus.ro (unknown [18.104.22.168]) by smtp1.iplus.ro (Postfix on SuSE Linux 9.0 (i586)) with SMTP id 406C63D80D for [firstname.lastname@example.org]; Sat, 3 Apr 2004 04:23:29 +0300 (EEST)
Now, most "top level" domains are three are more letters in length (.com, .net, .org, etc.). Two letter suffixes are country domains. For example, there's a .us for this country, .uk for the UK, and so forth. Russia, a notorious source for spam, is .ru. Unless my memory is completely gone ( a very real possibility at this point), .ro is Romania.
In other words, some asshole Romanian Mafioso running a Linux server is "spoofing" as eBay to trick y'all into revealing key bits of info to steal your identity. As I said, the only flaw is in the broken english, which could easily be tweaked before long to be indistinguishable to a majority of americans. I'm certain that, even in this format, a lot of people might be duped... ARE being duped... by it.
Be careful out there, folks.