A Dispatch


May 10, 2005

The Art of Illogical Social Engineering

A rather sloppy eBay phishing message arrived that, despite several clues to its bogusity, will probably grab some eBay users.

I say it's sloppy because there is no eBay art embedded in the message, and the signature says:

Thank you for using eBay!
The PayPal Team

The crook also didn't do a good job of authoring the HTML in the message. In my email client, the real URLs (with plain-as-day numeric IP addresses) are clearly visible alongside the phony eBay links. Maybe the IP address URLs are hidden in clients such as Outlook Express.
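The giveaway described above, link text that names one host while the href goes to a bare numeric IP, is easy to check for mechanically. The following is an added example, not code from the original post: a small Python checker that parses an HTML message body, collects every anchor, and flags those whose href host is an IP literal or differs from the host named in the visible link text. The sample message is constructed to mimic this phishing note (the IP is an RFC 5737 documentation address, not a real server).

```python
"""
Flag suspicious links in an HTML email body: anchors whose href points at a
bare numeric IP address, and anchors whose visible text names one host while
the href goes to another. The sample message below is constructed for this
example; it is not the message the post describes.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: phony eBay link text, real href on a numeric IP
# (192.0.2.0/24 is reserved for documentation, RFC 5737).
SAMPLE_HTML = """
<p>Your email address was changed. If you did not make this change,
<a href="http://192.0.2.10/ebay/signin.html">http://www.ebay.com/ws/eBayISAPI.dll</a>
to restore your account.</p>
<p><a href="https://www.ebay.com/help">eBay Help</a></p>
<p>Thank you for using eBay!<br>The PayPal Team</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL (scheme optional), or None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower() or None


def is_ip_host(host):
    """True if the host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible link text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


def suspicious_links(html):
    """Return a list of findings; each has the href, the link text, and reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        reasons = []
        if href_host and is_ip_host(href_host):
            reasons.append("href points at a bare IP address")
        if URL_LIKE.match(text):
            text_host = host_of(text)
            if text_host and href_host and text_host != href_host:
                reasons.append(
                    f"link text names {text_host} but href goes to {href_host}"
                )
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["href"], "<-", finding["text"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the sample, the checker reports the IP-hosted anchor twice over (IP literal, and text/href host mismatch) and leaves the genuine eBay help link alone. A mail client or gateway filter that surfaces the true href next to the link text, as the author's client did, is doing the same comparison by eye.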

But the trick of this message is the social engineering it employs. The message claims to be a confirmation of having changed the eBay account address to a new address (an @yahoo.com address). I guess I'm supposed to believe that somebody hijacked my account and changed the email address without my knowledge or permission. If I were to believe that, of course I'd be outraged and follow the instructions to "click here" and supply all my information again.

And then I'd really be hijacked and hosed.

My question is: does eBay really send out a confirmation like this? I can't believe they'd bother sending a message to an old address. If you've changed your address, you've changed your address. I did change my eBay address a few years ago to a unique username (and have not had one—not one—spam message sent to that address), but I don't recall whether eBay sent a confirmation like that to my old address (which was still active).

Logical or not, professional-looking or not, this phishing message will probably grab several unsuspecting users before theplanet.com gets around to shutting down the hijacked server in its block (the site is still running 6 hours after the message arrived here, so most of the damage is already done).

Posted on May 10, 2005 at 08:11 AM