November 29, 2005

A Phony eBay Survey Phish
Last June I talked about brand name survey scams, and how I get very suspicious whenever one of these things lands in my inbox. On rare occasions (as noted in my Wall Street Journal experience), the messages are legit. One arrived today that didn't smell right, and could certainly lead plenty of eBay users to give up valuable personal information.
Today's message, titled "Reward Survey," purported to be driven by eBay. The incentive was no less than a credit to my account. Here's the text of the message (actual URL disguised):
Dear Valued Member,
You have been chosen by the eBay online department to take part in our quick and easy 6 question survey. In return we will credit $20 to your account - Just for your time!
Helping us better understand how our customers feel benefits everyone. With the information collected we can decide to direct a number of changes to improve an expand our online service.
The information you provide us is all non-sensitive and anonymous - No part of it is handed down to any third party groups.
it will be stored in our secure database for maximum of 7 days while we process the results of this nationwide survey.
We kindly ask you to please spare two minutes of your time in taking part with this unique offer!
To Continue click on the link below:
Many Thanks and Kind Regards -
eBay Customer Department
Checking the header details of the message made it clear that eBay itself did not originate the message. As I discovered with my WSJ experience, however, that alone isn't uncommon, particularly when the survey job has been farmed out to an outside survey firm.
But a check of the domain registration of the active link destroyed any hint of legitimacy.
The domain was registered (literally) yesterday. The domain registration record didn't provide anything looking like a company name. The street address was in a form more suited to Europe or Russia. While the city was listed as "Denver," there were two country lines: one "Australia Capital"; the other "United States of America." The contact email address used the domain "beer.com."
Bottom line: There's no way on Earth that a company like eBay would have hired anyone with this kind of domain registration to operate on its behalf. And certainly not for a campaign designed in one day. These things take weeks to hammer out, get legal clearance, and so on.
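The registration checks described above (age of the domain against the date the message arrived, absence of a company name, conflicting country lines, a city that does not belong to one of the listed countries, and a contact address at a consumer mail domain) can be written down as a small scoring routine. The following is an added example, not code from the original post; the two records it scores are constructed to mirror the post's description and the placeholder domain names are invented, not the real phish domain.

```python
"""Score a domain-registration (WHOIS-style) record for the red flags
the post describes. Added example; the records below are constructed."""
from datetime import date, timedelta

# Date the suspicious "Reward Survey" message arrived, per the post.
MESSAGE_RECEIVED = date(2005, 11, 29)

# Constructed record mirroring what the post says about the phish domain.
# The domain name is a placeholder, not the real one.
SUSPECT_RECORD = {
    "domain": "survey-reward.invalid",
    "created": date(2005, 11, 28),              # "registered (literally) yesterday"
    "registrant_org": "",                        # nothing resembling a company name
    "registrant_city": "Denver",
    "registrant_countries": ["Australia Capital", "United States of America"],
    "registrant_email": "contact@beer.com",
}

# Constructed record for what a legitimate survey vendor's registration
# would more plausibly look like, for contrast.
BENIGN_RECORD = {
    "domain": "surveyvendor.example",
    "created": date(2001, 3, 14),
    "registrant_org": "Survey Vendor Inc.",
    "registrant_city": "Denver",
    "registrant_countries": ["United States of America"],
    "registrant_email": "hostmaster@surveyvendor.example",
}

# Hypothetical short lists for the example: consumer mail domains a corporate
# registrant would not use as its contact, and a city-to-country lookup.
CONSUMER_MAIL_DOMAINS = {"beer.com", "hotmail.com", "yahoo.com", "gmail.com"}
CITY_COUNTRY = {"Denver": "United States of America"}


def registration_red_flags(record, received_on=MESSAGE_RECEIVED, max_age_days=30):
    """Return a list of human-readable red flags for one registration record.

    A domain registered only days before a 'nationwide' campaign is the
    strongest tell: real campaigns take weeks of legal clearance.
    """
    flags = []

    age = received_on - record["created"]
    if age < timedelta(days=max_age_days):
        flags.append(f"domain registered {age.days} day(s) before the message arrived")

    if not record["registrant_org"].strip():
        flags.append("no organisation name in the registration")

    countries = {c.strip() for c in record["registrant_countries"] if c.strip()}
    if len(countries) > 1:
        flags.append("conflicting country fields: " + ", ".join(sorted(countries)))

    expected_country = CITY_COUNTRY.get(record["registrant_city"])
    if expected_country and any(c != expected_country for c in countries):
        flags.append(f"city {record['registrant_city']} does not match a listed country")

    email_domain = record["registrant_email"].rsplit("@", 1)[-1].lower()
    if email_domain in CONSUMER_MAIL_DOMAINS:
        flags.append(f"registrant contact uses consumer mail domain {email_domain}")

    return flags


def looks_like_phish(record, received_on=MESSAGE_RECEIVED, threshold=2):
    """Two or more independent red flags are enough to distrust the link."""
    return len(registration_red_flags(record, received_on)) >= threshold


if __name__ == "__main__":
    for rec in (SUSPECT_RECORD, BENIGN_RECORD):
        print(rec["domain"], looks_like_phish(rec))
        for flag in registration_red_flags(rec):
            print("  -", flag)
```

No single flag is conclusive on its own (a legitimate vendor may register a campaign domain through a parent company, for instance), which is why the verdict needs at least two independent signals; on the constructed suspect record every one of the five checks fires, on the benign record none do.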
Unfortunately, the world's eBay users have not yet read Spam Wars, and may be neither sufficiently suspicious about this stuff nor aware of how to do the kind of modest, yet revealing, research I just described. So, what would Joe/Jane eBay find if he/she were to click on the link?
I did this (safely) and captured the pages for you to see in Adobe Acrobat (PDF) format. You can view the screens at your leisure.
The first screen looks like a typical survey form. It asks various questions about the eBay service, and provides selections you can make to express your opinions. Then click "Continue." (Even if you leave all choices empty, the form is accepted—another giveaway that this form is merely window dressing.)
On the second page is the real payload of this scam. The form contains fields for you to enter your eBay username (but not password) and credit card info, including the security number on the back and PIN number if your card needs it. If you try to submit an empty form, the validation routine ignores the empty username field, but squawks about the empty credit card number field.
So, you see, this is not an eBay scam. It's the old credit card scam in eBay clothing. While the Web site plays a little more elaborate charade than others, it's to be expected. Phishers are desperate to reach even "phishing-savvy" recipients. This two-stage form (with the non-personal stuff in the first stage) might fool more recipients into thinking that eBay really wants their opinions—and will pay twenty simoleans for them.
Phishing still pays. Another phishing message I received this morning was one going after eBay account names and passwords. In tracking down the phony Web site, I discovered to my horror that not only had other recipients fallen for the ruse, but the idiot phisher set up the site to capture the data in an unencrypted text file. There, in all-too-plain view, was a list of victim IDs and passwords. Fortunately, the hosting service took down the site very quickly, so I can only hope that the phisher had not yet retrieved his booty.
Please, please, please...be careful out there. And tell your family and neighbors.

Posted on November 29, 2005 at 12:08 PM