Tuesday, April 21, 2009

Catching the Fakes

I received a different kind of fake email today. We've all probably seen our share of phishing emails trying to get personal information, whether it is our banking, PayPal, or eBay login details. I get a lot of them in my Hotmail account; most get caught by the spam filter, but some do not.

Today, I got one totally different from the others. Luckily, I've used the messaging function in eBay enough that I recognized it was probably a fake, but it was such a good one that it would have been easy not to notice. I knew I hadn't sold anything on eBay recently, so instead of clicking the "Respond" button, I went directly to eBay and searched for the item number. When I didn't find it, I went to the message section of My eBay to see if there was a message in the Inbox. There wasn't, which was no surprise at all. Incidentally, any time you get an email from someone you don't recognize, don't click the links in it. Go directly to the Web site before you sign on or offer up any login credentials.

Once I saw that the "buyer" hadn't had any activity on eBay since 2001, I assumed the ID had been hijacked for fraudulent use. I obtained the message header and emailed the entire thing to spoof@ebay.com for them to investigate. It didn't take long before I received the answer I knew I'd get: the email was a phishing attempt, and eBay was working to disable any links it contained.

Here is a screen shot of an authentic message from eBay:

Here is a screen shot of the phishing email:

The header information from the phishing email:

Return-Path: members@e-bay.com (notice the dash in "e-bay.com"; the address in the authentic email has no dash)

Received: from eastrmimpi04.cox.net ([])
by eastrmmtai103.cox.net
(InterMail vM. 201-2186-121-102-20070209) with ESMTP
id <20090421164610.GGAF20901.eastrmmtai103.cox.net@eastrmimpi04.cox.net>
for <removed >; Tue, 21 Apr 2009 12:46:10 -0400
Received: from raq.worldtribeweb.com ([]) (wonder where this is??)
by eastrmimpi04.cox.net with IMP
id iGnB1b03u1AeqSM01GnCLW; Tue, 21 Apr 2009 12:47:13 -0400
X-VR-Score: 30.00
X-Authority-Analysis: v=1.0 c=1 a=yYppR2Dm4_cA:10 a=WzGo0-4RvAoA:10
a=ykGuVdM82vjTnx4KJiqgrw==:17 a=pwIP7ZobAAAA:8 a=e2jjkNj-AAAA:8
a=pjdaNNIBAAAA:8 a=K0kfupq547W-2h52jvIA:9 a=hSqAzPuDWbixqneFihsA:7
a=BFN-bM3CxBAY7BiNQZwkvzCEgy0A:4 a=g-ujO8JncRpV5FmE:21 a=UDNJUJ7P9ktp7_xn:21
X-CM-Score: 0.00
Received: from User (static-68-236-167-251.ny325.east.verizon.net [])
(authenticated bits=0) by raq.worldtribeweb.com (8.13.6/8.13.6) with ESMTP id n3LGjtSh002317; Tue, 21 Apr 2009 12:45:56 -0400
Message-Id: <200904211645.n3LGjtSh002317@raq.worldtribeweb.com>
From: "eBay"<members@e-Bay.com>
Subject: You've received a question about your eBay item: #300164611370
Date: Tue, 21 Apr 2009 12:42:51 -0400
MIME-Version: 1.0
Content-Type: text/html;
X-Priority: 5
X-MSMail-Priority: Low
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by raq.worldtribeweb.com id n3LGjtSh002317

The header information from the authentic email:

RETURN-PATH:
Received: from eastrmimpi02.cox.net ([]) by eastrmmtai105.cox.net
(InterMail vM. 201-2186-121-102-20070209) with ESMTP
id <20090421170346.QEZR10471.eastrmmtai105.cox.net@eastrmimpi02.cox.net>
for <removed>; Tue, 21 Apr 2009 13:03:46 -0400
Received: from mxpool01.ebay.com ([]) (legitimate)
by eastrmimpi02.cox.net with IMP id iH3k1b04l0K7LdN01H3lwb; Tue, 21 Apr 2009 13:03:45 -0400
X-VR-Score: -120.00
X-Authority-Analysis: v=1.0 c=0 awl=host:9605
X-CM-Score: 0.00
Received: from sj-v3conta22 (sj-v3conta22.sjc.ebay.com [])
by mxpool01.ebay.com (8.13.8/8.13.8) with ESMTP id n3LH31Vs002557
for <removed>; Tue, 21 Apr 2009 10:03:44 -0700 (GMT)
DomainKey-Signature: a=rsa-sha1; s=dksm28; d=ebay.com; c=nofws; q=dns;
Date: Tue, 21 Apr 2009 10:03:44 -0700 (GMT)
Message-ID: <654321408.1240333424756.JavaMail.SYSTEM@sj-v3conta22>
From: "eBay Member: soapymom" <member@ebay.com>
Reply-To: removed
To: removed
Subject: You've received an answer to your question about item ATG TAPE STARTER KIT - ATG 50 DISPENSER & 6 ROLLS ATG
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=1953133674.1240333424756.JavaMail.SYSTEM.sj-v3conta22
X-eBay-MailTracker: 11051.613.0.0
X-eBay-MailVersionTracker: 613.8321612
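The comparison the two header dumps above invite can be automated. What follows is an added example, not code from the original post: a small Python script that reads a header block, pulls the sender domain out of From and Return-Path, walks the Received chain to find which server actually handed the message to the recipient's provider (cox.net here), and looks for a DomainKey or DKIM signature header. It generalizes slightly beyond the post: it also accepts DKIM-Signature and distinguishes a lookalike domain (e-bay.com) from an unrelated one. The two header samples embedded in it are constructed from the dumps above, trimmed to the fields the checks read and with the author's parenthetical notes removed; `analyze`, `origin`, the indicator strings, and the expected/receiving domain arguments are this example's own names, not anything eBay or Cox provide.

```python
import email
import re

# Constructed samples: the two header blocks from the post, trimmed to the
# fields this check reads, with the author's parenthetical notes removed,
# continuation lines indented, and the stripped IP addresses left as "[]".
PHISHING_HEADERS = """\
Return-Path: members@e-bay.com
Received: from eastrmimpi04.cox.net ([]) by eastrmmtai103.cox.net
    (InterMail vM. 201-2186-121-102-20070209) with ESMTP
    for <removed>; Tue, 21 Apr 2009 12:46:10 -0400
Received: from raq.worldtribeweb.com ([]) by eastrmimpi04.cox.net with IMP
    id iGnB1b03u1AeqSM01GnCLW; Tue, 21 Apr 2009 12:47:13 -0400
Received: from User (static-68-236-167-251.ny325.east.verizon.net [])
    (authenticated bits=0) by raq.worldtribeweb.com (8.13.6/8.13.6) with ESMTP
    id n3LGjtSh002317; Tue, 21 Apr 2009 12:45:56 -0400
From: "eBay"<members@e-Bay.com>
"""

AUTHENTIC_HEADERS = """\
Received: from eastrmimpi02.cox.net ([]) by eastrmmtai105.cox.net
    (InterMail vM. 201-2186-121-102-20070209) with ESMTP
    for <removed>; Tue, 21 Apr 2009 13:03:46 -0400
Received: from mxpool01.ebay.com ([]) by eastrmimpi02.cox.net with IMP
    id iH3k1b04l0K7LdN01H3lwb; Tue, 21 Apr 2009 13:03:45 -0400
Received: from sj-v3conta22 (sj-v3conta22.sjc.ebay.com [])
    by mxpool01.ebay.com (8.13.8/8.13.8) with ESMTP id n3LH31Vs002557
    for <removed>; Tue, 21 Apr 2009 10:03:44 -0700 (GMT)
DomainKey-Signature: a=rsa-sha1; s=dksm28; d=ebay.com; c=nofws; q=dns;
From: "eBay Member: soapymom" <member@ebay.com>
"""

def _sender_domain(value):
    """Domain of a From/Return-Path value, or None if the header is absent."""
    if value is None:
        return None
    m = re.search(r'<([^>]+)>', value)
    addr = (m.group(1) if m else value).strip().lower()
    return addr.rsplit('@', 1)[1] if '@' in addr else None

def _skeleton(domain):
    """Drop separators so that "e-bay.com" compares equal to "ebay.com"."""
    return re.sub(r'[^a-z0-9]', '', domain)

def _in_domain(host, domain):
    return host is not None and (host == domain or host.endswith('.' + domain))

def _hops(msg):
    """Received hops oldest first, as (from_host, from_comment, by_host)."""
    hops = []
    for raw in reversed(msg.get_all('Received', [])):
        value = ' '.join(raw.split())  # unfold continuation lines
        m_from = re.match(r'from\s+(\S+)(?:\s+\(([^)]*)\))?', value)
        m_by = re.search(r'\bby\s+(\S+)', value)
        hops.append((m_from.group(1).lower() if m_from else None,
                     (m_from.group(2) or '') if m_from else '',
                     m_by.group(1).lower() if m_by else None))
    return hops

def origin(raw_headers):
    """Host that injected the message, taken from the oldest Received hop."""
    hops = _hops(email.message_from_string(raw_headers))
    if not hops:
        return None
    from_host, comment, _ = hops[0]
    # The name after "from" is whatever the client sent in HELO ("User" here);
    # the reverse-DNS name in the comment is what the relay actually saw.
    seen = comment.split()[0] if comment else ''
    return seen if '.' in seen else from_host

def analyze(raw_headers, expected_domain, receiving_domain):
    """Indicator codes for a message that claims to come from expected_domain."""
    msg = email.message_from_string(raw_headers)
    findings = []
    # 1. Sender addresses: the visible From and the bounce (Return-Path) address.
    for field in ('From', 'Return-Path'):
        dom = _sender_domain(msg.get(field))
        if dom is None or _in_domain(dom, expected_domain):
            continue
        kind = 'lookalike' if _skeleton(dom) == _skeleton(expected_domain) else 'foreign'
        findings.append(f'{kind}-domain:{field}={dom}')
    # 2. Transport path: the hop that handed the message to the recipient's
    #    provider names the real sending server, whatever From claims.
    handoff = next((h for h in _hops(msg) if _in_domain(h[2], receiving_domain)), None)
    if handoff is None:
        findings.append('no-handoff-hop')
    elif not _in_domain(handoff[0], expected_domain):
        findings.append(f'handoff-from:{handoff[0]}')
    # 3. Domain signature. Presence is only a hint: anyone can add the header, and
    #    verifying it needs the signer's DNS-published key, which this offline check
    #    does not fetch.
    sig = msg.get('DKIM-Signature') or msg.get('DomainKey-Signature') or ''
    m = re.search(r'\bd=([^;\s]+)', sig)
    if not m:
        findings.append('no-domain-signature')
    elif not _in_domain(m.group(1).lower(), expected_domain):
        findings.append('signature-domain-mismatch')
    return findings
```

Calling `analyze(PHISHING_HEADERS, 'ebay.com', 'cox.net')` flags the e-bay.com lookalike in both From and Return-Path, the handoff to Cox from raq.worldtribeweb.com rather than an ebay.com host, and the missing signature; the authentic headers come back with no findings. `origin(PHISHING_HEADERS)` shows the message entered the mail system from a Verizon-hosted address through an authenticated account on raq.worldtribeweb.com, which is what the "(authenticated bits=0)" hop records. The Received chain is only trustworthy from the recipient's own provider inward; any hop below the handoff could have been written by the sender, which is why the handoff hop, not the bottom one, carries the weight here.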
