[LINK] eBay Security Advice

Kim Holburn kim at holburn.net
Thu Sep 27 23:09:25 AEST 2007


On 2007/Sep/27, at 10:48 AM, Craig Sanders wrote:
> On Thu, Sep 27, 2007 at 09:08:51AM +0200, Kim Holburn wrote:
>> Just today I got an interesting ebay phish.
>>
>> Looking carefully in the received headers (Surely there is some way this
>> could be made easy for unsophisticated users)
>
> dunno if it's suitable for "unsophisticated users", but i have dedicated
> email addresses for my ebay and my paypal accounts, that aren't used for
> *ANYTHING* else (one of the advantages of running my own mail server).
>
> if an ebay or paypal phish comes in, the first thing i look at is the
> address it was sent to. if it's not to the correct address, then i know
> automatically that it's a phish - no further investigation required.
>
> so far (since the accounts were created in 2002), not one phish (or
> other spam) has been sent to my dedicated email or paypal addresses, but
> i still closely examine the headers of any messages.
>
> almost all (99.99+%) ebay/paypal/bank phishes get caught by my
> spamassassin and other anti-spam rules, anyway. very few ever get
> delivered to a mailbox...i can't remember the last time that happened.

Most of mine do too.

> in fact, the only spam that was ever sent to my ebay address was from
> an ebay trader that i bought something from once - and he thought that
> entitled him to subscribe me to his mailing list. he was wrong. spamming
> me gets him on my boycott list. he was also stupid enough not to set
> up his list so that only he could post to it, so when my complaint was
> CC-ed to his list, it started a mini-flamewar on his list about why
> spamming is evil.
>
> BTW, one other advantage of using dedicated addresses for particular
> sites is so you know if the site has sold your personal details....and,
> if they have, the email address can easily be deleted.
>
> sometimes i use "plussed" addresses, e.g. cas+SITENAME at taz.net.au, but
> some cretinous web site developers mistakenly think that "+" isn't a
> valid character in email addresses and refuse to accept it. in that
> case, i just edit /etc/aliases and create a new alias. an alias is
> slightly more work, but it's better than a plussed address anyway -
> anyone can strip off the plussed portion of the address to get my normal
> address.
>
> i use plussed addresses when i'm pretty sure the site isn't going to
> spam me, and aliases when i'm not so sure.
>
> sites that i'm pretty sure ARE going to spam me, i just ignore.
>
>
>> I found it was from a domain called emailebay.com.
>
> are you sure it was a phish? according to whois, this domain appears to
> be owned by ebay, and has been registered since 2001. the NS records
> for the domain point to the same name-servers as ebay.com (i.e. ebay's
> name-servers).

Yeah I didn't notice that.  It may be a genuine ebay email.  I wish
they wouldn't send out crap like this that looks like phishing emails.

>> The links to click look like this:
>>> Your registered name is included to show this message originated from
>>> eBay. Learn more.
>>> =>
>>> http://rover.ebay.com/rover/2/0/8?loc=http://click3.ebay.com/576136089.70853.0.65847
>
> both hostnames (rover and click3) in that url are valid ebay hostnames.
>
>
>> The page is real but my noscript says there are scripts from a site called:
>> ebatstatic.com.
>
> was that a typo? i.e. ebaTstatic or ebaYstatic? ebay uses ebaystatic.com
> to serve static page elements (i.e. non-dynamically generated - images,
> javascript, etc).

typo, it was ebaystatic.com

>> It looks so legit.  Have ebay servers been compromised?  I can't see how
>> they could add anything that wasn't from ebay, yet clearly they did
>> somehow.
>
> dunno. it's theoretically possible that their entire DNS *AND* the whois
> server for .com domains has been hijacked but it's unlikely - it would
> require more effort, skill, co-ordination and timing than is usual for
> net scammers (it doesn't take much skill to screw things up, but it
> takes a lot to do it without leaving any trace).
>
> but, as ever, *NEVER* under any circumstances click on a link in email
> no matter how legitimate it looks, even if you're 100% certain that it
> is legit.

I only do that with a locked down version of firefox on a machine I
don't use for normal work, just to see what happens if I can't figure
it out by examining the URL.

> especially if it is to a banking or trading site.
>
> instead, type in the URL in the location bar of your browser.
>
>
> oh, and set your ebay preferences to send you plain text only, not
> HTML-mail. that's another good way of auto-detecting ebay phishes - they
> *always* come as HTML mail.  HTML in email is wrong, anyway.

I so rarely use ebay that I didn't notice this option.  Good catch.

>
>
> craig
>
> -- 
> craig sanders <cas at taz.net.au>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
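The checks Craig describes above, a dedicated per-site address that nothing else should ever write to, a plain-text-only preference, and a look at the Received headers, combined into one small triage script. This is an added example for this archive page, not code from either poster or from the Link list; the dedicated addresses, the brand-to-domain mapping, the mail server name and the three sample messages are all constructed. It also normalises "plussed" addresses, since, as noted above, anyone can strip the plussed portion to reach the base mailbox, so a match on the base address alone is not evidence of legitimacy.

```python
"""Triage a suspected brand phish using the header checks discussed in the
thread. Example code written for this page; all addresses, domains and the
sample messages below are constructed."""
import email
import email.policy
import re
from email.utils import getaddresses, parseaddr

# Constructed: the dedicated address registered with each site (an alias in
# /etc/aliases or a separate mailbox). Nothing else should ever mail it.
DEDICATED = {
    "ebay.com": "cas-ebay@example.net",
    "paypal.com": "cas-paypal@example.net",
}

# Constructed mapping of brand to the domains its mail legitimately comes
# from (the thread notes emailebay.com is registered to eBay).
BRAND_DOMAINS = {
    "ebay.com": {"ebay.com", "emailebay.com"},
    "paypal.com": {"paypal.com"},
}


def normalize(addr):
    """Lowercase an address and drop any '+tag' from the local part, because
    a plussed address offers no protection: the tag can simply be removed."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def brand_for(sender_domain):
    """Map a From: domain to a tracked brand, or None if it is not one."""
    for brand, domains in BRAND_DOMAINS.items():
        if sender_domain in domains or sender_domain.endswith("." + brand):
            return brand
    return None


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw):
    """Return a verdict and the list of header findings for one raw message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    brand = brand_for(sender_domain)
    if brand is None:
        return {"brand": None, "verdict": "not a tracked brand", "findings": findings}

    # Check 1: was it sent to the dedicated address for this brand?
    fields = [str(h) for name in ("To", "Cc", "Delivered-To") for h in msg.get_all(name, [])]
    recipients = sorted({normalize(a) for _, a in getaddresses(fields) if a})
    expected = normalize(DEDICATED[brand])
    if expected not in recipients:
        findings.append(f"delivered to {recipients}, not the dedicated {expected}")

    # Check 2: with a plain-text preference set, HTML-only mail is suspect.
    if msg.get_body(preferencelist=("plain",)) is None:
        findings.append("no text/plain part")

    # Check 3: the topmost Received header is the one our own MTA added; the
    # 'from' name in it is the sender's self-asserted HELO, so this is only a
    # heuristic, and anything further down the chain is sender-supplied.
    received = msg.get_all("Received", [])
    if received:
        m = re.search(r"from\s+(\S+)", str(received[0]))
        host = m.group(1).lower().strip("()[]") if m else ""
        if not in_domains(host, BRAND_DOMAINS[brand]):
            findings.append(f"first hop {host!r} is outside {sorted(BRAND_DOMAINS[brand])}")

    verdict = "phish" if findings else "consistent with genuine"
    return {"brand": brand, "verdict": verdict, "findings": findings}


# Constructed sample messages (IPs from documentation ranges).
PHISH = """\
From: eBay <service@ebay.com>
To: cas@example.net
Subject: Your account has been limited
Received: from dsl-77-1-2-3.example-isp.net (unknown [198.51.100.7]) by mail.example.net
Content-Type: text/html

<html><body>Click <a href="http://198.51.100.7/ebay/">here</a></body></html>
"""

GENUINE = """\
From: eBay <ebay@emailebay.com>
To: cas-ebay@example.net
Subject: Your registered name is included to show this message originated from eBay
Received: from mx1.emailebay.com (mx1.emailebay.com [203.0.113.9]) by mail.example.net
Content-Type: text/plain

Sign in by typing www.ebay.com into your browser.
"""

OTHER = "From: friend@example.org\nTo: cas@example.net\n\nhello\n"

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("GENUINE", GENUINE), ("OTHER", OTHER)):
        print(name, triage(sample))
```

The recipient check is the strong signal: a message for the brand that did not arrive at the brand's dedicated address is wrong by construction, whatever the rest of the headers say. The HTML and Received checks only add weight; the HELO name in a Received line is asserted by the connecting host, so a match there proves little, while a mismatch is still worth noting.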