[LINK] eBay Security Advice

Craig Sanders cas at taz.net.au
Thu Sep 27 18:48:52 AEST 2007


On Thu, Sep 27, 2007 at 09:08:51AM +0200, Kim Holburn wrote:
> Just today I got an interesting ebay phish.
>
> Looking carefully in the received headers (Surely there is some way this 
> could be made easy for unsophisticated users) 

dunno if it's suitable for "unsophisticated users", but i have dedicated
email addresses for my ebay and my paypal accounts, that aren't used for
*ANYTHING* else (one of the advantages of running my own mail server).

if an ebay or paypal phish comes in, the first thing i look at is the
address it was sent to. if it's not to the correct address, then i know
automatically that it's a phish - no further investigation required.

so far (since the accounts were created in 2002), not one phish (or
other spam) has been sent to my dedicated ebay or paypal addresses, but
i still closely examine the headers of any messages.

almost all (99.99+%) ebay/paypal/bank phishes get caught by my
spamassassin and other anti-spam rules, anyway. very few ever get
delivered to a mailbox...i can't remember the last time that happened.

in fact, the only spam that was ever sent to my ebay address was from
an ebay trader that i bought something from once - and he thought that
entitled him to subscribe me to his mailing list. he was wrong. spamming
me gets him on my boycott list. he was also stupid enough not to set
up his list so that only he could post to it, so when my complaint was
CC-ed to his list, it started a mini-flamewar on his list about why
spamming is evil.
BTW, one other advantage of using dedicated addresses for particular
sites is so you know if the site has sold your personal details... and,
if they have, the email address can easily be deleted.

sometimes i use "plussed" addresses, e.g. cas+SITENAME at taz.net.au, but
some cretinous web site developers mistakenly think that "+" isn't a
valid character in email addresses and refuse to accept it. in that
case, i just edit /etc/aliases and create a new alias. an alias is
slightly more work, but it's better than a plussed address anyway -
anyone can strip off the plussed portion of the address to get my normal
address.

i use plussed addresses when i'm pretty sure the site isn't going to
spam me, and aliases when i'm not so sure.  

sites that i'm pretty sure ARE going to spam me, i just ignore.


> I found it was from a domain called emailebay.com.

are you sure it was a phish? according to whois, this domain appears to
be owned by ebay, and has been registered since 2001. the NS records
for the domain point to the same name-servers as ebay.com (i.e. ebay's
name-servers).



> The links to click look like this:
>> Your registered name is included to show this message originated from 
>> eBay. Learn more.
>> => 
>> http://rover.ebay.com/rover/2/0/8?loc=http://click3.ebay.com/576136089.70853.0.65847

both hostnames (rover and click3) in that url are valid ebay hostnames.


> The page is real but my noscript says there are scripts from a site called: 
> ebatstatic.com.

was that a typo? i.e. ebaTstatic or ebaYstatic? ebay uses ebaystatic.com
to serve static page elements (i.e. non-dynamically generated - images,
javascript, etc).


> It looks so legit.  Have ebay servers been compromised?  I can't see how 
> they could add anything that wasn't from ebay, yet clearly they did 
> somehow.

dunno. it's theoretically possible that their entire DNS *AND* the whois
server for .com domains has been hijacked but it's unlikely - it would
require more effort, skill, co-ordination and timing than is usual for
net scammers (it doesn't take much skill to screw things up, but it
takes a lot to do it without leaving any trace).



but, as ever, *NEVER* under any circumstances click on a link in email
no matter how legitimate it looks, even if you're 100% certain that it
is legit.

especially if it is to a banking or trading site. 

instead, type in the URL in the location bar of your browser.


oh, and set your ebay preferences to send you plain text only, not
HTML-mail. that's another good way of auto-detecting ebay phishes - they
*always* come as HTML mail.  HTML in email is wrong, anyway.


craig

-- 
craig sanders <cas at taz.net.au>
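The "wrong recipient address" and "HTML-only" checks Craig describes above, as an added worked example that is not part of the original post: a small Python filter that maps a sender's domain to the dedicated address you gave that site and flags mail from that domain which is not addressed there, or which carries no text/plain part. The addresses, domains and sample messages are constructed placeholders; only the two site names come from the thread.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Dedicated per-site addresses (constructed values, not the post's real ones),
# keyed by the domain a genuine message from that site claims in From:.
DEDICATED = {"ebay.com": "cas-ebay@example.invalid",
             "paypal.com": "cas-paypal@example.invalid"}

def site_for(domain, dedicated):
    """Match the sender domain (or a subdomain of it) to a tracked site."""
    for site, addr in dedicated.items():
        if domain == site or domain.endswith("." + site):
            return site, addr
    return None, None

def recipients(msg):
    """Every address the message was addressed or delivered to, lowercased."""
    hdrs = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("delivered-to", [])
    return {addr.lower() for _, addr in getaddresses([str(h) for h in hdrs]) if addr}

def check(raw, dedicated=DEDICATED):
    """Reasons to treat the message as a phish; an empty list means it passes."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("from", "")))[1].lower().rsplit("@", 1)[-1]
    site, expected = site_for(domain, dedicated)
    if site is None:
        return []                      # not a site with a dedicated address
    reasons = []
    if expected.lower() not in recipients(msg):
        reasons.append(f"not addressed to the dedicated {site} address {expected}")
    if not any(p.get_content_type() == "text/plain" for p in msg.walk()):
        reasons.append("HTML-only; the account is set to plain-text mail")
    return reasons

# Constructed sample messages: one genuine-looking, one to the wrong address.
LEGIT = """\
From: eBay <noreply@reply.ebay.com>
To: cas-ebay@example.invalid
Subject: You won an item
Content-Type: text/plain

Your winning bid ...
"""

PHISH = """\
From: "eBay Security" <security@ebay.com>
To: cas@example.invalid
Subject: Account suspended
Content-Type: text/html

<html><body>Your account has been suspended.</body></html>
"""
```

Mail from a domain with no dedicated address passes through untouched, so the filter only ever adds verdicts for the sites you have set up this way.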
