[TAG] I caught an amusing phish from the eBay...
Benjamin A. Okopnik
ben at linuxgazette.net
Fri Feb 17 20:29:28 MSK 2006
Here's one that might get past a number of people; other than the
way-too-crude XSS attack imitation, it's going to be rather effective
for a certain segment of the population.
About a day ago, Kat put up some of our boat cruft up on eBay. Last
night, I got this email:
------------------------------------------------------------------------
Your registered name is included to show this message originated from eBay.
Learn more.
[hdrLeft_13] Question about Item -- Respond Now eBay
eBay sent this message on behalf of an eBay member via My Messages.
Responses sent using email will go to the eBay member directly and will
* include your email address. Click the Respond Now button below to send your *
response via My Messages (your email address will not be included).
[s]
Question from rubyndao [s] Marketplace Safety Tip Marketplace Safety Tip
This message was ! sent while Always remember to complete your transactions
the listing was active. on eBay - it's the safer way to trade.
rubyndao is a potential buyer.
Is this message an offer to buy your item
* directly through email without winning the item
Hi, ???????????????????? on eBay? If so, please help make the eBay
?Respond to this ? marketplace safer by reporting it to us. These
I would like to ?question in My ? external transactions may be unsafe and are
know S&H and ?Messages. ? against eBay policy. Learn more about trading
also if you ? ? safely.
have a buy it ?http:// ?
now? ?contact.ebay.co.uk? *
?/ws/eBayISAPI.dll?? *
Thanks ?M2MContact&item= ? Is this email inappropriate? Does it breach
?4589070441& ? eBay policy? Help protect the community by
Ruby ?requested= ? reporting it.
?yamama_r6&qid= ?
?1470018712& ?
?redirect=0& ?
?sspagename= ?
?ADME:B:AAQ:UK:2 ?
????????????????????
*
*
* *
*
*
*
*
*
Thank you for using eBay
http://www.ebay.com/
*
*
*
Learn how you can protect yourself from spoof (fake) emails at:
http://pages.ebay.com/education/spooftutorial
*
This eBay notice was sent to kvnmtchll200 at aol.com on behalf of another eBay
member through the eBay platform and in accordance with our Privacy Policy. If
you would like to receive this email in text format, change your notification
preferences.
*
See our Privacy Policy and User Agreement if you have questions about eBay's
communication policies.
Privacy Policy: http://pages.ebay.com/help/policies/privacy-policy.html
User Agreement: http://pages.ebay.com/help/policies/user-agreement.html
*
Copyright ? 2005 eBay, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and ! the eBay logo are registered trademarks or trademarks of eBay, Inc.
------------------------------------------------------------------------
Notice anything unusual? Here are a couple of things that sent up red
flags for me right away:
1) "Your registered name is included to show this message originated
from eBay." Really? Where is it, then?
2) "This message was ! sent while" - I don't think that eBay formats
their messages per the Jargon File.
3) "Respond to this question in My Messages" - these are supposed to be
_my_ messages, and it shows an eBay.uk address? Uh-huh.
4) "This eBay notice was sent to kvnmtchll200 at aol.com" - sure, I've been
using AOL all my life; I've just been hiding it from my friends. [sob]
I'll go kill myself with a plastic fork now!
Best of all, though, is what happens when you load it up in a browser
(I'll include the HTML just so those who are interested can play with
it):
------------------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2802" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0
xmlns:x="urn:schemas-microsoft-com:xslt">
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=2 width="100%" border=0>
<TBODY>
<TR>
<TD><FONT face="Verdana, sans-serif" color=#666666 size=1>Your
registered name is included to show this message originated
from eBay. <A
title=http://pages.ebay.co.uk/help/confidence/name-userid-emails.html
href="http://pages.ebay.co.uk/help/confidence/name-userid-emails.html"
target=_blank><FONT color=#003399>Learn more</FONT></A>.
</FONT></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" bgColor=white border=0>
<TBODY>
<TR>
<TD noWrap width="1%"><IMG
src="http://pics.ebaystatic.com/aw/pics/uk/email/syiSessions/hdrLeft_13x39.gif"></TD>
<TD noWrap width="98%"
background=http://pics.ebaystatic.com/aw/pics/uk/email/syiSessions/imgSpan_5x39.gif><SPAN
class=SectionTitle><FONT size=4><B>Question about Item -- Respond
Now</B></F! ONT></SPAN></FONT></TD>
<TD vAlign=bottom noWrap width="1%"><IMG alt=eBay
src="http://pics.ebaystatic.com/aw/pics/uk/email/syiSessions/hdrRight_90x39.gif"></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD><IMG height=1 src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=10></TD>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD>
<TABLE
style="BORDER-RIGHT: #9999cc 1px solid; BORDER-LEFT: #9999cc 1px solid; BORDER-BOTTOM: #9999cc 1px solid"
width="100%" bgColor=#eeeef8 border=0>
<TBODY>
<TR>
<TD style="PADDING-LEFT: 8px" height=30><FONT
face="Arial, Verdana" size=2>eBay sent this message on
behalf of an eBay member via My Messages. Responses sent
using email will go to the eBay member directly and will
include your email address. Click the <B>Respond Now</B>
button below to send your response via My Messages (your
email address will not be included).</FONT>
</TD></TR></TBODY></TABLE></TD>
<TD><IMG height=1
src="http://pics.ebaystatic.com/aw/pics/s.gif" width=10
!></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD><IMG height=10 src="http://pics.ebaystatic.com/aw/pics/s.gif"></TD></TR>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD><IMG height=1 src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=10></TD>
<TD vAlign=top>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=1 width="100%"
align=center bgColor=#9999cc border=0>
<TBODY>
<TR bgColor=#9999cc height=26>
<TD><FONT color=#ffffff> <SPAN
class=SectionTitle>Question
from rubyndao</SPAN></FONT> </TD></TR>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%"
align=center border=0>
<TBODY>
<TR bgColor=#eeeeee>
<TD>
<TABLE cellSpacing=4 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%"
border=0>
<TBODY>
<TR>
<TD><FONT face="Arial, Verdana"
size=2></FONT></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" size=2>This
message was ! sent while the listing was
<B>active</B>.</FONT></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" size=2>rubyndao
is a <B>potential
buyer</B>.</FONT></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>
<TR bgColor=#c6c6c6>
<TD><IMG height=1
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1></TD></TR>
<TR bgColor=#ffffff>
<TD>
<TABLE cellSpacing=0 cellPadding=4>
<TBODY>
<TR>
<TD vAlign=top width="75%">
<P><FONT face="Arial, Verdana"
size=2>Hi, </FONT></P>
<P><FONT face="Arial, Verdana" size=2>I would
like to know S&H and also if you have a buy
it now?</FONT></P>
<P><FONT face="Arial, Verdana"
size=2>Thanks</FONT></P>
<P><FONT face=Arial size=2>Ruby</FONT></P></TD>
<TD vAlign=top align=middle width="22%">
<TABLE borderColor=#999999 cellSpacing=0
cellPadding=0 width="100%" bgColor=#eeeef8
border=1>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=3 cellPadding=3 width="100%">
<TBODY>
<TR>
<TD align=middle><FONT face="Arial, Verdana"
size=2><B>Respond to this question in My
Messages.</B></FONT> </TD></! TR>
<TR>
<TD align=middle><A
title=http://contact.ebay.co.uk/ws/eBayISAPI.dll?M2MContact&item=4589070441&requested=yamama_r6&qid=1470018712&redirect=0&sspagename=ADME:B:AAQ:UK:2
onclick="return ShowLinkWarning()"
href="http://www.varzavarzarau.go.ro/ws/ws/arribada/issapidll/SignIncopartnerId2pUserIdsiteidpageTypepa1i1bshowgifUsingSSLruwwwebaycomppp2errmsgrunameruparamsruproductsidfavoritenavmigrateVisitor/SignIn.html"
target=_blank
onfiltered="return ShowLinkWarning()"><IMG
title=http://contact.ebay.co.uk/ws/eBayISAPI.dll?M2MContact&item=4589070441&requested=yamama_r6&qid=1470018712&redirect=0&sspagename=ADME:B:AAQ:UK:2
alt=http://contact.ebay.co.uk/ws/eBayISAPI.dll?M2MContact&item=4589070441&requested=yamama_r6&qid=1470018712&redirect=0&sspagename=ADME:B:AAQ:UK:2
src="http://pics.ebaystatic.com/aw/pics/uk/email/message/btnRespondNow.gif"
border=0></A></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD>
<TD
width="3%"></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD><IMG height=15
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1></TD></TR>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 width="100%"
border=0>
<TBODY>
<TR bgColor=#9c9c9c>
<TD colSpan=3><IMG height=1
src="http://pics.ebaystatic.com/aw!/pics/s.gif"
width=1 border=0></TD></TR>
<TR bgColor=#d6deff height=22>
<TD align=left width="1%"><IMG height=1
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=16 border=0></TD>
<TD align=left></TD></TR>
<TR bgColor=#ffffff>
<TD colSpan=3><IMG height=1
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1 border=0></TD></TR>
<TR bgColor=#fed73b>
<TD colSpan=3><IMG height=1
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1 border=0></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD><IMG height=5
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1></TD></TR>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 border=0>
<TBODY>
<TR>
<TD><IMG height=8
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1 border=0></TD></TR>
<TR>
<TD></TD></TR>
<TR>
<TD></TD></TR>
<TR>
<TD><IMG height=10
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1 border=0></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" size=2>Thank you
for using eBay</FONT></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" color=#003399
size=2><A title=http! href="http://www.ebay.com/"
target=_blank :
www.ebay.co.uk>http://www.ebay.com/</A></FONT></TD></TR>
<TR>
<TD><FONT color=#003399><IMG height=10
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1
border=0></FONT></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD>
<TD vAlign=top width=10><FONT color=#003399><IMG
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=10></FONT></TD>
<TD vAlign=top align=right width=188>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD>
<TABLE
style="BORDER-RIGHT: #6b7b91 1px solid; BORDER-TOP: #6b7b91 1px solid; BORDER-LEFT: #6b7b91 1px solid; BORDER-BOTTOM: #6b7b91 1px solid"
cellSpacing=0 cellPadding=0 border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=0 border=0>
<TBODY>
<TR>
<TD bgColor=#cad2dd><FONT color=#003399><IMG
height=25 alt="Marketplace Safety Tip"
src="http://pics.ebaystatic.com/aw/pics/uk/securityCenter/imgShield_25x25.gif"
width=25 border=0></FONT></TD>
<TD noWrap bgColor=#cad2dd><FON! T
face="Arial, Helvetica, Verdana, sans-serif"
size="-1"><B><A
title=http://pages.ebay.co.uk/safetycentre
style="COLOR: #000000; TEXT-DECORATION: none"
href="http://pages.ebay.co.uk/safetycentre"
target=_blank>Marketplace Safety
Tip</A></B></FONT> </TD>
<TD bgColor=#cad2dd><IMG title="" height=25
alt=" "
src="http://pics.ebaystatic.com/aw/pics/securityCenter/imgTabCorner_25x25.gif"
width=25
border=0></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=5 border=0>
<TBODY>
<TR>
<TD><FONT face="Arial, Verdana" size=2><B>Always
remember to complete your transactions on eBay -
it's the safer way to trade.</B><BR><BR>Is this
message an offer to buy your item directly
through email without winning the item on eBay?
If so, please help make the eBay marketplace
safer by reporting it to us. These external
transactions may be unsafe and are against eBay
policy. <A
title=http://pages.ebay.co.uk/safetycentre/selling_safely.html
href="http://pages.ebay.co.uk/safetycentre/selling_safely!.html"
target=_blank><FONT color=#003399>Learn more
about trading safely</FONT></A>.
</FONT></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD bgColor=#c9d2dc height=5><IMG height=5
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD><IMG height=10
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1></TD></TR>
<TR>
<TD>
<TABLE
style="BORDER-RIGHT: #c6c6c6 1px solid; BORDER-TOP: #c6c6c6 1px solid; BORDER-LEFT: #c6c6c6 1px solid; BORDER-BOTTOM: #c6c6c6 1px solid"
cellSpacing=0 cellPadding=5 width="100%" border=0>
<TBODY>
<TR>
<TD><FONT face="Arial, Verdana" size=2>Is this
email inappropriate? Does it breach <A
title=http://pages.ebay.co.uk/help/policies/rfe-unwelcome-email-misuse.html
href="http://pages.ebay.co.uk/help/policies/rfe-unwelcome-email-misuse.html"
target=_blank><FONT color=#003399>eBay
policy</FONT></A>? Help protect the community by
<A
title=http://cgi1.ebay.co.uk/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&reporteruserid=kevinm8205&!
href="http://cgi1.ebay.co.uk/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&reporteruserid=kevinm8205&reporteduserid=yamama_r6&emaildate=2005/11/10:09:49:34&emailtype=0&emailtext=Hi+is+the+bike+hpi+clear%3F+do+you+have+any+better+pics+of+it%3F+is+this+the+original+paint+colour%3F&trackId=1470018712"
target=_blank
reporteduserid="yamama_r6&emaildate=2005/11/10:09:49:34&emailtype=0&emailtext=Hi+is+the+bike+hpi+clear?+do+you+have+any+better+pics+of+it?+is+this+the+original+paint+colour?&trackId=1470018712"><FONT
color=#003399>reporting it</FONT></A>.
</FONT></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD colSpan=3><IMG height=10
src="http://pics.ebaystatic.com/aw/pics/s.gif"
width=1></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" bgColor=#cccccc>
<TBODY>
<TR>
<TD height=1></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD><IMG height=5
src="http://pics.ebaystatic.com/aw/pics/s.gif" width=1></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" size=1 colo! r="#666666">Learn
how you can protect yourself from spoof (fake) emails
at:<BR><A
title=http://pages.ebay.co.uk/education/spooftutorial
href="http://pages.ebay.com/education/spooftutorial"
target=_blank><FONT
color=#003399>http://pages.ebay.com/education/spooftutorial</FONT></A>
</FONT></TD></TR>
<TR>
<TD><IMG height=5
src="http://pics.ebaystatic.com/aw/pics/s.gif" width=1></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" color=#666666 size=1>This eBay
notice was sent to kvnmtchll200 at aol.com on behalf of another
eBay member through the eBay platform and in accordance with
our Privacy Policy. If you would like to receive this email in
text format, change your <A
title=http://cgi4.ebay.co.uk/ws/eBayISAPI.dll?OptinLoginShow
href="http://cgi4.ebay.co.uk/ws/eBayISAPI.dll?OptinLoginShow"
target=_blank
onfiltered="return openNonHelpWindow(this.href);"><FONT
color=#003399>notification preferences</FONT></A>.
</FONT></TD></TR>
<TR>
<TD><IMG height=5
src="http://pics.ebaystatic.com/aw/pi!cs/s.gif" width=1></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" color=#666666 size=1>See our
Privacy Policy and User Agreement if you have questions about
eBay's communication policies.<BR>Privacy Policy: <A
title=http://pages.ebay.co.uk/help/policies/privacy-policy.html
href="http://pages.ebay.com/help/policies/privacy-policy.html"
target=_blank><FONT
color=#003399>http://pages.ebay.com/help/policies/privacy-policy.html</FONT></A><BR>User
Agreement: <A
title=http://pages.ebay.co.uk/help/policies/user-agreement.html
href="http://pages.ebay.com/help/policies/user-agreement.html"
target=_blank><FONT
color=#003399>http://pages.ebay.com/help/policies/user-agreement.html</FONT></A>
</FONT></TD></TR>
<TR>
<TD><IMG height=5
src="http://pics.ebaystatic.com/aw/pics/s.gif" width=1></TD></TR>
<TR>
<TD><FONT face="Arial, Verdana" color=#666666 size=1>Copyright
? 2005 eBay, Inc. All Rights Reserved.<BR>Designated
trademarks and brands are the property of their respective
owners.<BR>eBay and ! the eBay logo are registered trademarks
or trademarks of eBay,
Inc.<BR></FONT></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></FONT></DIV></BODY></HTML>
------------------------------------------------------------------------
Take a careful look at that "Submit" button link:
```
<A title=http://contact.ebay.co.uk/ws/eBayISAPI.dll?M2MContact&item=4589070441&requested=yamama_r6&qid=1470018712&redirect=0&sspagename=ADME:B:AAQ:UK:2 onclick="return ShowLinkWarning()" href="http://www.varzavarzarau.go.ro/ws/ws/arribada/issapidll/SignIncopartnerId2pUserIdsiteidpageTypepa1i1bshowgifUsingSSLruwwwebaycomppp2errmsgrunameruparamsruproductsidfavoritenavmigrateVisitor/SignIn.html" target=_blank onfiltered="return ShowLinkWarning()">
'''
So, the button is going to pop up a little label saying it's from
'ebay.co.uk'... but it will link to (and your bottom bar will show it
as) the 'www.varzavarzarau.go.ro' address. Clicking on it takes you to a
look-alike eBay login page... except that there are a couple of those
minor quirks, much like the page above, in it.
Naivete costs money - and these days, it happens at Internet speeds. :)
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://linuxgazette.net *
More information about the TAG
mailing list