Wow. If I was an actual user of eBay I might have been fooled by this. I was sent a note by “eBay” saying that my account had been locked out. The email was HTML and said I should respond immediately. They even tease you a bit with “we’ll never ask you for your email, account information, etc.”:
Now, digging a little deeper into the actual HTML, here is what I find where the “Respond Now” button is:
<a href="http://anytimeforums.org/ebayisapidllsignin.html"><img alt="Respond Now" src="http://pics.ebaystatic.com/aw/pics/VIQnA/respondNowButton_117x21.gif" border=0/></a>
So they are actually using images off of eBay’s servers. Now, how about this domain “anytimeforums.org” … let’s check it out:
kveton@ack:~$ whois anytimeforums.org
Domain ID:D107060364-LROR
Domain Name:ANYTIMEFORUMS.ORG
Created On:01-Aug-2005 17:30:48 UTC
Expiration Date:01-Aug-2006 17:30:48 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:AC900BDA71766AFE
Registrant Name:Krystle Van Dyke
Registrant Organization:
Registrant Street1:541 Roxanne Dr
Registrant Street2:
Registrant Street3:
Registrant City:Antioch
Registrant State/Province:Tn
Registrant Postal Code:37013
Registrant Country:US
Registrant Phone:+1.6157819794
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:PHILIPNEOVO@AOL.COM
…
Wow. Looks like it was registered just over a day ago and then the mail starts showing up. Interesting. Alright, how about this little domain, let’s take a look at that:
Which you can look at here (if it’s even still up when you read this).
My guess is the “_private” directory is where things are shoved (the input user names and passwords) which can then be yoinked if you authenticate. I wonder if they even have a nice CGI in there? Who knows. Back to the task at hand.
Now, if you click on the link (or just navigate from the directory listing there) to the ebayisapidllsignin.html file you get this little gem:
All of this is pretty clever and I know that some people are going to get caught by this. I can’t imagine this is the first time this has ever been done but this just seemed very clever. In any case, I have forwarded the note I received on to the abuse group at eBay.
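The two tells in this mail, a button image hotlinked from eBay's servers wrapped in a link to an unrelated host, and a domain created about a day before the mail arrived, can both be checked mechanically. The sketch below is an added example, not part of the original post or any eBay tooling; the BRAND_DOMAINS list and the "seen at" timestamp used with it are assumptions made for illustration.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the brand really serves from (not an official list).
BRAND_DOMAINS = ("ebay.com", "ebaystatic.com")

# The anchor tag quoted in the post above, used as sample input.
SAMPLE = ('<a href="http://anytimeforums.org/ebayisapidllsignin.html">'
          '<img alt="Respond Now" src="http://pics.ebaystatic.com/aw/pics/'
          'VIQnA/respondNowButton_117x21.gif" border=0/></a>')

def is_brand_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

class LinkAudit(HTMLParser):
    """Flag <a href> targets that wrap an <img> hotlinked from the brand."""
    def __init__(self):
        super().__init__()
        self.href = None       # href of the <a> currently open, if any
        self.findings = []     # (link_host, image_host) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href:
            link_host = urlparse(self.href).hostname
            img_host = urlparse(attrs.get("src") or "").hostname
            # Brand artwork on a link that leaves the brand's domains.
            if is_brand_host(img_host) and not is_brand_host(link_host):
                self.findings.append((link_host, img_host))

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def suspicious_links(html):
    audit = LinkAudit()
    audit.feed(html)
    return audit.findings

def domain_age_hours(whois_text, seen_at):
    """Hours from the whois 'Created On' line to when the mail was seen."""
    for line in whois_text.splitlines():
        if line.startswith("Created On:"):
            stamp = line.split(":", 1)[1].strip()
            created = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S %Z")
            created = created.replace(tzinfo=timezone.utc)
            return (seen_at - created).total_seconds() / 3600
    return None
```

Matching on the host suffix rather than a substring keeps lookalike names that merely contain "ebay" from passing as the brand.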