20216). eBay - Email.Phishing.RB-90

This email targets customers of eBay.

Message Details

Malware Name:Email.Phishing.RB-90
Origin: United States
Date first seen:13/01/2007 06:12:08
Number seen:2
Date last seen:13/01/2007 08:12:31
From:"ebay" <question-829@ebay.com>
Subject:Question from eBay member

Attacker's URLs

The following table shows the details of the URLs used by the attacker. These could either be the fake website of the attack, or a site which redirects to the attackers fake site. Sometimes the attacker will use an additional site for hosting resources such as images.

The table shows the current status of the site: if it is still reachable (), or if it has been shut down (). If the site has not been confirmed as a phishing site it is shown with the symbol . The time when the site was first observed is shown, together with the time that the site was shut down, if applicable. Do not visit the attackers site as it may contain malware. You can get more details on the site by clicking on the symbol.

StatusFirst observedShut DownInternet AddressURL
25/01/2007 12:09:37 United States 208.36.123.112 http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html   
14/01/2007 08:25:10 United States 208.36.123.112 http://home.graffiti.net/kiurl4/jkasdkjJKiuwermajhsHGJhskhadaskl23498asdlkjasdklsajHGiwuqpadlkxzcijqweijd9423432432/98823093210qor_A8gBAZUCCapCCqkCxU7NLQH0sz4   
14/01/2007 08:25:09 14/01/2007 08:25:09 United States 64.233.161.104 http://wwwgoogle.com/pagead/iclk   

Message Text

The text below shows the message content, rendered in a safe way. It does not show images or HTML formatting, but the text is the same as that contained in the phishing email. Each clickable link is shown as a reference. You can see the way the URL is presented in the main body of the text, while the actual URL activated by the link is shown below the main body.

Message Display
Enlarge
How the message body looks in an email client.

   eBay eBay sent this message to Richard Starks (megarick1).
   Your registered name is included to show this message originated from eBay.
   [1]Learn more.

   [ltCurve.gif]

Question from eBay member

   [rtCurve.gif]

   [s.gif]
   [s.gif]
   [s.gif]
   Dear member,
   [s.gif]
   I sent you the money trought westernunion wire transfer,the mtcn# is
   9420912745. where's the package ? You promised that after i send the money
   you send the goods asap . is this a fraud? Please let me know! Should I
   contact the autorities ?
   Thanks and please let me know asap!
   Thank you,
   eBay
   [s.gif]
   Respond to this seller
   [s.gif]
   [2]Respond Now 
   [s.gif]
   item : 190010839211
   [s.gif]
   Details for item number: 190010839211
   Item title: Abercrombie / Hollister Sexy Fitted Baseball Henley M
   Item URL: [3]http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=190010839211
   End date: Friday, Jan 05, 2007 19:40:00 PDT
   Quantity: 1
   Dispute URL:
   [4]http://feedback.ebay.com/ws/eBayISAPIdll?ViewDisputeConsole&DisputeType=1
   Date dispute was opened: Sunday, Jan 06, 2007 20:29:04 PDT
   [s.gif]
   [s.gif]
   [s.gif]
   [s.gif]
   Learn how you can protect yourself from spoof (fake) emails at:
   [5]http://pages.ebay.com/education/spooftutorial
   This eBay notice was sent to [6]victim@phishery.internetdefence.net[7]sa.net
   from eBay. Your account is registered on [8]www.ebay.com. As outlined in our
   User Agreement, eBay will send you required notifications about the site and
   your transactions. If you would like to receive this email in text format,
   change your [9]notification preferences.
   See our Privacy Policy and User Agreement if you have questio! ns about
   eBay's communication policies.
   Privacy Policy: [10]http://pages.ebay.com/help/policies/privacy-policy.html
   User Agreement: [11]http://pages.ebay.com/help/policies/user-agreement.html
   Copyright © 2007 eBay, Inc. All Rights Reserved.
   Designated trademarks and brands are the property of their respective
   owners.
   eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.
   eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.

References

   1. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   2. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   3. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   4. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   5. http://www.googlecom/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   6. http://wwwgoogle.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   7. http://home.graffiti.net/kiurl4/jkasdkjJKiuwermajhsHGJhskhadaskl23498asdlkjasdklsajHGiwuqpadlkxzcijqweijd9423432432/98823093210qor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://home.graffiti.net/sdsfff/skjfdfsdfsdkfahdkaslkdklajdklajljdlkajdklasjdlakjdlkasjdlkasdjklsajdkaskjdas/skjfdfsdfsdkfahdkaslkdklajdklajljdlkajdklasjdlakjdlkasjdlkasdjklsajdkaskjdas/mailform1.html
   8. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
   9. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
  10. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html
  11. http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4%BD%03m=5&adurl=http://home.graffiti.net/turkey19/Ms894234KJSAJK349842kjsdflkdsjAlkfdskj345908fjsdkhf38sdfjhfuyu893uisadjfioj3928uJHDUJHAIUOrfewrewDFF/respondenow.html

Additional Examples

Functions

Advice