Phishtale
March 6th, 2006 5:38:57 pm pst by 
Sterling Camden
Ooh, those wiley phishers are at it again. This one got past both of my junk mail filters (Postini and the one in Outlook 2003) by posing as aw-confirm@eBay.com. Since we recently made a purchase over eBay, that address is allowed through both filters. Here’s the message:
First reaction: pulse quickens and blood pressure jumps. Somebody’s made a mistake and billed me for something I didn’t buy. I better click on the link and see what’s going on.
And that would be the first step into the scam.
Two things tipped me off. First, the message is to “undisclosed-recipients:”. eBay always sends its messages to the e-mail account on file.
Second thing. I almost never click on a link in an e-mail without first inspecting the link. Right click in the message body, and select “View source”, then when notepad comes up, Ctrl-F to search for “href=” (find all the links). If they aren’t on an eBay server, they’re bogus. The first few links are on eBay, but the money punch is not:
xhref=”http://toons.hu/img/eBayISAPIdllSignIncopartnerId2pUserIdsiteidpageTypepai1bshowgifUsingSSLrupppaerrmsgrunameruparamsruproductsidfavoritenavmigrateVisitor.html” mce_href=”http://toons.hu/img/eBayISAPIdllSignIncopartnerId2pUserIdsiteidpageTypepai1bshowgifUsingSSLrupppaerrmsgrunameruparamsruproductsidfavoritenavmigrateVisitor.html” >
<img xsrc=”http://pics.ebaystatic.com/aw/pics//email/btnRespond.gif ” alt=”Respond to this notification”></a>
It still looks pretty legit at first glance (it’s complicated enough, isn’t it?), but all you really need to look at is the server name: toons.hu. The TLD (top-level domain) “hu” means that it’s a site somewhere in Hungary — and I bet they can’t wait to sink their teeth into my credit card.
Posted in Get Outta Here | 
5 Comments » RSS 2.0 | Sphere it!
Subscribe by Email
I sold a few digital cameras on Ebay recently and was blown away by the amount of phishing I encountered then. Some seem to be working to scam sellers directly. Ugly stuff. Tread lightly.
-Ed
http://www.technologyevangelist.com
Thanks for stopping by, Ed. Yes, it is getting ugly out there. You have to wonder how the average user avoids getting scammed all the time.
Yet one more reason I use a text-only mail user agent.
Good point, apotheon. Too bad most of us are enamoured of the HTML glitz.
[...] always, beware of clicking links within email messages. If you really need to click through, view the source of the message and inspect the domain name of the link itself first. Better yet, type the known, good URL yourself into your browser’s address [...]