July 08, 2006

Phishers Will Try Anything to Get You to Click

The PSYOPS (Psychological Operations) Department at Phishing Crooks Central is working overtime to come up with what appear to be credible missives from eBay. Their goal is to get the unsuspecting eBay member to click on a link that leads to a bogus eBay login page. Once they capture your username and password, your account will likely be hijacked and used for fraudulent purposes. The password will be changed so you can't even get in there to fix it. If you've built up, say, double-digit reputation points, they'll be used by the scammer to flog non-existent goods.

Here is a scam message I saw today. It purports to be a response to a query that I supposedly sent to request payment for a computer. The message has many (but not all) of the trappings of being from eBay's message system, which eBay rightfully encourages its members to use to communicate with other members.

[Image: Phony eBay message system email]

Experienced eBayers would, I hope, recognize this as being suspect for one important reason: the message doesn't address the recipient by eBay ID name. That should be alarm bell Number 1. Of course the real alarm bells, as I've stated many times, are in the source code of the message. For instance, when you'd expect the message to originate from an eBay server, it comes instead from a Tampa, Florida Verizon DSL customer's hijacked computer.
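Both alarm bells can be checked mechanically. The following Python sketch is an added example, not part of the original post: it reads the one Received header stamped by your own mail server to see which host actually handed the message over, and checks whether the body names your eBay ID. The sample message, the host names (`mx.mymail.example`, `dsl-pool.isp.example`), the IP addresses and the ID `my_ebay_id` are all constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not the real scam email). The lower Received line is the
# kind of forged claim a sender can add; only our own MX's line is believed.
SAMPLE = """\
Received: from dsl-pool.isp.example (dsl-pool.isp.example [203.0.113.45])
\tby mx.mymail.example with ESMTP; Sat, 08 Jul 2006 09:12:44 -0400
Received: from mail.ebay.com (mail.ebay.com [192.0.2.10])
\tby dsl-pool.isp.example; Sat, 08 Jul 2006 09:12:40 -0400
From: "eBay Member" <member@ebay.com>
To: me@mymail.example
Subject: Question from eBay Member

Dear eBay member, when will you send payment for the computer?
"""

# "from HELO (rdns [ip]) by HOST": a common layout; real MTAs vary.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def handoff_host(msg, trusted_mx):
    """Return (rdns, ip) of the host that delivered to our own MX, or (None, None)."""
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(line)
        if m and m.group("by").rstrip(";").lower() == trusted_mx:
            return m.group("rdns").lower(), m.group("ip")
    return None, None

def alarm_bells(raw, trusted_mx, expected_domain, my_id):
    """List the reasons this message should not be trusted (empty list = none found)."""
    msg = message_from_string(raw)
    bells = []
    rdns, ip = handoff_host(msg, trusted_mx)
    if rdns is None:
        bells.append("no Received line from trusted MX")
    elif not (rdns == expected_domain or rdns.endswith("." + expected_domain)):
        bells.append(f"handed off by {rdns} [{ip}], not {expected_domain}")
    if my_id.lower() not in msg.get_payload().lower():
        bells.append("body never mentions my eBay ID")
    return bells

if __name__ == "__main__":
    for bell in alarm_bells(SAMPLE, "mx.mymail.example", "ebay.com", "my_ebay_id"):
        print("ALARM:", bell)
```

An empty result only means these two checks passed; it does not prove the message is genuine.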

But even if you're not willing to take the ten minutes to learn how to perform that kind of fraud detection, there are plenty of other harmless things a recipient could do to investigate this matter.

Start with the auction number. NOT the link in the message, but the raw number, which is easy to search in the real eBay site by placing it in any Search box. Unlike some earlier scams, this one leads to a real auction. The "item details" at the bottom of the message are all accurate, except for the end date. The real auction ended on May 22nd, not June 7th.

The phisher must also be very confused (or doesn't have a complete grasp of English). The message says, "This message was sent while the listing was active. amritpal2004 is the seller." Which leads to a kinda obvious question: Why would the seller send me money and expect a package from me?

Phisher's grade in Logic 101: F

(Looking deeper into that auction is also enlightening. The seller, jalaya69, is listed as "Not a registered user." The membership started on November 9, 2004, and for a year-and-a-half, this member was only a buyer of other people's stuff, and had built up a 100% positive feedback rating. Suddenly, in May of this year, the member became a seller of computer and cell phone stuff. In June, negative feedback started coming in. I believe that this account had been hijacked by a phisher and taken over by a crook [albeit a small-time one]. eBay eventually shut down the account, but the original member, if he or she is still involved with eBay, had to start over.)

eBay also lets you look up a member by name (in the Advanced Search page). Entering the sender's name from the email message, you'd find that there is no member by that ID. There are some close ones, but not this specific one. And, talk about coincidence (not!), the phishing message claims that amritpal2004 has been a member since November 9, 2004—the same day that the auction's seller of record joined eBay. Even more evidence in my eyes that the actual auction seller's account had been hijacked.

I receive so many phishing messages claiming to be from PayPal and eBay (I belong to both) that I'm ultra-suspicious of any message with those dot-com names in the From address. I have separate and unique email addresses that are associated with my accounts, and the phishing messages are always addressed to my long-time, now-completely-hosed, standard email address. That also helps me weed out the phony from the real. But even when a real one comes, I take the time to validate it myself. And then I never, never, never click on any link or URL in one of those messages. Instead I manually enter the site (or use a bookmark from a previous manual visit) and check my account.

It's all a horrible pain in the ass, but crooks have largely destroyed email as a viable communications medium between financial sites and their customers.

Posted on July 08, 2006 at 10:30 AM