I recently received this email from Is it a malicious attempt to hack the info? Has anyone else received this, and did anyone take any action?
They are not spam, they are illegal and you should forward them to Don't send it as an attachment, Ebay's personnel can't open them.
Forward the whole e-mail to This is also known as phishing. They try to get you to fill out your personal information and people will freely give it to the crook.
The domain name is ebay.com. They would have to poison your DNS cache for this to work. When you are saying that the link was pointing to this IP address, how'd you figure it out? J.D.
J.D. Isn't the ebay address just the anchor text in the link? That's how I've spotted paypal and ebay phishing scams... they're the only ones I look at. As for the phishing supposedly from banks I don't even belong to...
That's what I'm wondering about. If it's just anchor text, then it's relatively easy to spot. If the DNS cache was poisoned, one would have to check IP address registration info in order to figure out what's going on. Here's an example of what happened a few months ago with Ebay in Germany: http://www.theregister.co.uk/2004/09/04/ebay_domain_hijacker_arrested/ J.D.
Despite the seriousness of the potential consequences, that's quite funny, the fact that ebay didn't lock their domains. That's gotta be an extremely rare occurrence. The simple anchor text trick must fool a lot of less wary/less savvy people though. Though since you brought the term DNS poisoning to mind, J.D., there's a lot about it on google - http://www.google.co.uk/search?hl=en&q=dns+poisoning&btnG=Google+Search&meta=
Well waddya know, just got one myself...
    <a target="_blank" href="http://67.19.119.194/~doug/verify_id=ebay_fraud_alert_id_code=XXXXXXXX/index.html" >http://scgi.ebay.com/verify_id=ebay fraud alert id code=XXXXXXXX</a>
Who's doug?
It's just like anchor text.. I think. They have given ebay.com's URL but pointed it to some strange IP, which does not belong to ebay.com anyway.
"maverick" it is a phishing attempt and if you click the link it will download a file called "eBay|SAP|.dll" and note that the characters before and after SAP are pipes. On a Windows computer using IE it will rewrite the address bar in your browser to say "http://ebay.com/" using JavaScript rather than the address you are connected to, and try to trick you into entering passwords and other personal info. From what I have read only IE supports the pipe command in the address bar, leaving its users open to this form of spoofing. I have not seen this version of the ebay spoof before, the come-on has changed a bit. Also anyone that has clicked on the link should check their computer for the dll quoted earlier.
There are a _lot_ of these going around today. Paypal, ebay, banks, you name it, anything that has anything to do with finances. Rule of thumb, if they request you to do something like that, type the site URL in manually (i.e. ebay.com) into the address bar, and never never never trust links that lead to IPs. Josh
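Added example, not part of any post in this thread: a Python check for the two tells discussed above, a link whose visible text names one host while its href targets another, and an href that leads to a bare IP address. The function names and the second (benign) sample anchor are constructed for illustration; the first anchor is the one quoted in the thread.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # visible text between <a> and </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Per link: host the href targets, host the text displays, reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        m = re.match(r"https?://([^/\s:]+)", text, re.I)
        shown = m.group(1).lower() if m else None
        reasons = []
        if is_ip_literal(real):
            reasons.append("href-is-ip")  # link leads to a bare IP address
        if shown and shown != real:
            reasons.append("text-host-mismatch")  # text names another host
        findings.append({"real": real, "shown": shown, "reasons": reasons})
    return findings

# First anchor is the one quoted in the thread; the second is a constructed control.
SAMPLE = ('<a target="_blank" href="http://67.19.119.194/~doug/verify_id=ebay_fraud_alert_id_code=XXXXXXXX/index.html" >http://scgi.ebay.com/verify_id=ebay fraud alert id code=XXXXXXXX</a>'
          '<a href="http://www.example.com/help">http://www.example.com/help</a>')
if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

This only compares what the message displays with where the link goes; it says nothing about a DNS-level redirect, where the href host itself would look legitimate.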
thanks mushroom for the info, I unfortunately clicked on it... just happened! Let me check for the DLL.
Glad to be of assistance. Hope you deleted the "dll". I would also recommend that you do a full scan for spyware, as some of those sites use the connection to download more spyware to your computer.
In the link, those are I's, not pipes. The DLL says ISAPI, which is an IIS API DLL. If this DLL returns anything but text/html, any browser would pop the question whether the user wants to download the content or not. In general, just downloading a DLL doesn't do any harm to your machine and is not practical from the phishing perspective. Unfortunately, the IP address is no longer accessible and I cannot verify what the DLL really does. I saw JS used to create a popup window that closely resembled the URL bar and was covering its area, but I don't think it is possible to actually rewrite the text in the URL bar. Can you point me to any related articles or just describe how can one use the pipe symbol to do what you are describing? J.D.
As I do not use Windows on the net, only Linux, I read the info somewhere and forgot about it. Here is a copy of the dll
    <html>
    <head>
    <title>Please wait.. Redirecting to our secure servers</title>
    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
    <script language="javascript">
    var win = null;
    function NewWindow(mypage,myname,w,h,scroll){
    LeftPosition = (screen.width) ? (screen.width-w) : 0;
    TopPosition = (screen.height) ? (screen.height-h) : 0;
    settings = 'height='+h+',width='+w+',top='+TopPosition+',left='+LeftPosition+',scrollbars='+scroll+',resizable'
    win = window.open(mypage,myname,settings)
    window.location = "http://ebay.com/"
    }
    </script>
    </head>
    <body onload="NewWindow('login.htm','name','1024','768','yes');return false">
    </body>
    </html>
You tell me what that code will do.
This is low-tech. It launches a new window and points it to the login form on the spoofed website, while the original window is redirected to ebay.com. I think their thinking is that the presence of ebay.com should make people think that the other window is from ebay as well. Here's an example of a more sophisticated technique: http://news.netcraft.com/archives/2...ofing_vulnerabilities_actively_exploited.html J.D.