Lots of people are receiving a purported “customer notice” from eBay. It starts out “Please note that this is a system generated email.” And goes on to state that “eBay has sent you this message to remind you its time to update your account details.
To ensure your account continues to function normally it is recommended you update your details.” It looks very real, but it’s actually a phish originating from Moldova.
Here is the email in three different views, plus a bonus view of the actual phisher’s site! First the full text of the eBay phishing email as the average end-user percieves it. Then a screen shot of the email with all the images loaded, exactly as an end user would see it if they opened the email. Then, finally, the raw source of the email, revealing its true identity.
Here is the full text of the email as the average end user perceives it. Note that all links except the one that you click on to “update your account” actually go to an eBay link, ehancing the illusion that this is a legitimate eBay email. Of course, the “update your account” link actually goes to the phisher’s site (more on that later):
Please note that this is a system generated email. Please do not reply to this email. If you have questions, please visit www.ebay.com
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
eBay has sent you this message to remind you its time to update your account details. To ensure your account continues to function normally it is recommended you update your details [Link to “Learn more”].
Update Your eBay Account Details
Dear eBay User ,
Your account is due to be updated, As stated in our revised User Agreement, eBay.com will not store your credit/debit card details beyond a certain date based on your eBay account activity, This ensures security on our part and helps protect the privacy & safety of our users. [Link to “Privacy Policy”]
eBay also recommends you change your eBay password on a regular basis to prevent unauthorized access to your account, when choosing a new password we suggest not to use the same password as on other personal accounts, such as your email or online banking accounts.
As the threat of identity theft rises eBay.com would like to remind all our users that eBay will NEVER ask you to disclose sensitive personal information about yourself, such as your Social Security or Drivers Licence number.
To Proceed to account update click the “Proceed to Account Update” link below.
Otherwise you may visit eBay.com to sign in and follow the account update prompts.
[Link to “Proceed to Account Update” (this is the one that goes to the phisher’s site]
If you need additional help, contact eBay’s Customer Support
Learn how you can protect yourself from spoof (fake) emails at:
http://pages.ebay.com/education/spooftutorial
This eBay notice was sent to from eBay based on your account preferences. Your account is registered on www.ebay.com. As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. To unsubscribe from this notice, change your notification preferences. Please note that it may take up to 5 days to process your request. If you would like to receive this email in text format, change your notification preferences.
To contact eBay, please go to: http://pages.ebay.com/help/contact_inline/index.html.
On the Contact Us page, select the details of your inquiry and click the “Continue” button. Under the heading Contact Support, click the “Email” link and you will be prompted to fill out and send an email.
See our Privacy Policy and User Agreement if you have questions about eBay’s communication policies.
Privacy Policy: http://pages.ebay.com/help/policies/privacy-policy.html
User Agreement: http://pages.ebay.com/help/policies/user-agreement.html
Copyright © 2007 eBay, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.
————
Ok, that’s what you see in your inbox. Here is how it looks if you actually open it and load the images:
Here is what we in the biz call the “raw source”… it is the *actual* code in the email. Even if this looks mostly like greek to you, what you see in the beginning, in the headers, should alert you that this did not really come from eBay:
Return-Path: wshh@worldstarhiphop.com
Mon, 30 Apr 2007 07:04:46 -0700 (PDT)
Received: from hhs4.hiphopservers.com (unknown [38.101.72.8])
received: from apache by hhs4.hiphopservers.com with local (Exim 4.60)
(envelope-from wshh @worldstarhiphop.com)
id 1HiWQB-0001ge-R8; Mon, 30 Apr 2007 10:00:07 -0400
Subject: Customer Notice
From: eBay accounts.notices@services.ebay.com
Reply-To: no.reply@services.ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: e1hiwqb -0001ge-R8@hhs4.hiphopservers.com
Date: Mon, 30 Apr 2007 10:00:07 -0400
<font face=”Arial, Verdana” size=1 >Please note that this is a system generated email. Please do not reply to this email. If you have questions, please visit <a href=”www.ebay.com” >www.ebay.com </a > </font >
<table class=max cellSpacing=0 cellPadding=0 width=”100%” bgColor=white
border=0 >
<tbody >
<tr >
<td > <table cellSpacing=0 cellPadding=2 width=”100%” border=0 >
<tbody >
<tr >
<td noWrap width=”1%” > <a href=”http://87.248.172.11/%7Exsw/gb/secure.ebay.com/ws/” > <img src=”http://pics.ebaystatic.com/aw/pics/au/logos/ebay_95x39.gif”
border=0/ > </a > </td >
<td width=20 > <img height=20 src=”http://pics.ebaystatic.com/aw/pics/s.gif”
width=1/ > </td >
<td vAlign=bottom align=left > <font face=verdana,arial,sans-serif color=#666666
size=1 > <b >eBay has sent you this message to remind you its time to update your account details. </b > </font > <br / >
<font face=verdana,arial,sans-serif color=#666666
size=1 >To ensure your account continues to function normally it is recommended you update your details <a href=”http://87.248.172.11/%7Exsw/gb/secure.ebay.com/ws/” target=”_blank” >Learn more </a >. </font > <br / > </td >
</tr >
</tbody >
</table >
<img height=6
src=”http://pics.ebaystatic.com/aw/pics/s.gif”/ > <br / >
<table cellSpacing=0 cellPadding=0 width=”100%” bgColor=#ffe680 border=0 >
<tbody >
<tr >
<td vAlign=top width=8 > <img height=8
src=”http://pics.ebaystatic.com/aw/pics/globalAssets/ltCurve.gif” width=8/ > </td >
<td width=”339″ vAlign=bottom noWrap > <span style=”FONT: bold 14pt Arial,Helvetica,sans-serif; COLOR: #000000″ >Update Your eBay Account Details </span > </td >
<td vAlign=top align=right width=”417″ > <img height=8
src=”http://pics.ebaystatic.com/aw/pics/globalAssets/rtCurve.gif” width=8
align=top/ > </td >
</tr >
<tr >
<td bgColor=#ffe680 colSpan=3 height=2 > <img height=2
src=”http://pics.ebaystatic.com/aw/pics/s.gif”/ > </td >
</tr >
<tr >
<td bgColor=#ffcc00 colSpan=3 height=4 > <img height=4
src=”http://pics.ebaystatic.com/aw/pics/s.gif”/ > </td >
</tr >
</tbody >
</table > </td >
</tr >
</tbody >
</table >
<table cellSpacing=0 cellPadding=0 width=”100%” border=0 >
<tbody >
<tr >
<td vAlign=top > <img height=20 alt=” ”
src=”http://pics.ebaystatic.com/aw/pics/s.gif”
width=1/ > </td >
</tr >
</tbody >
</table >
<table cellSpacing=3 cellPadding=0 width=”100%” border=0 >
<tbody >
<tr >
<td colSpan=3 > <font face=”Arial, Verdana” size=2 >Dear <b >eBay User </b >, <br / >
<br / >
Your account is due to be updated, As stated in our revised <a href=”http://pages.ebay.com/help/community/png-user.html” target=”_blank” >User Agreement </a >, eBay.com will not store your credit/debit card details beyond a certain date based on your eBay account activity, This ensures security on our part and helps protect the privacy & safety of our users. <a href=”http://pages.ebay.com/help/policies/privacy-policy.html” target=”_blank” >Privacy Policy </a > <br / >
eBay also recommends you change your eBay password on a regular basis to prevent unauthorized access to your account, when choosing a new password we suggest not to use the same password as on other personal accounts, such as your email or online banking accounts. <br / >
As the threat of identity theft rises eBay.com would like to remind all our users that eBay will NEVER ask you to disclose sensitive personal information about yourself, such as your Social Security or Drivers Licence number. <br / >
<br / >
To Proceed to account update
click the “Proceed to Account Update” link below. </font > <br / >
<br / >
<font face=”Arial, Verdana” size=2 >Otherwise you may visit eBay.com to sign in and follow the account update prompts. </font > </td >
</tr >
</tbody >
</table >
<img height=10
src=”http://pics.ebaystatic.com/aw/pics/s.gif”/ > <br / >
<table width=”234″ border=0 cellPadding=4
cellSpacing=0 bgColor=#ffffce
style=”BORDER-RIGHT: #ffcc00 1px solid; BORDER-TOP: #ffcc00 1px solid;
BORDER-LEFT: #ffcc00 1px solid; BORDER-BOTTOM: #ffcc00 1px solid” >
<tbody >
<tr >
<td width=”248″ align=middle vAlign=top noWrap >
<span style=”FONT: bold 13pt Arial,Helvetica,sans-serif; COLOR: #000000″ > <a href=”http://87.248.172.11/%7Exsw/gb/secure.ebay.com/ws/” target=”_blank” >Proceed to Account Update </a > </span > </td >
</tr >
<tr >
<td vAlign=top align=left > </td >
</tr >
</tbody >
</table >
<br / >
<table cellSpacing=0 cellPadding=2 width=”100%” border=0 >
<tbody >
<tr >
<td width=20 > </td >
<td vAlign=top width=580 colSpan=2 > </td >
</tr >
</tbody >
</table >
<table cellSpacing=0 cellPadding=0 width=”100%” border=0 >
<tbody >
<tr >
<td > <hr color=#cccccc SIZE=1/ >
</td >
</tr >
</tbody >
</table >
<table >
<tbody >
<tr >
<td width=600 > <img height=2 src=”http://pics.ebaystatic.com/aw/pics/s.gif”
width=1/ > </td >
</tr >
</tbody >
</table >
<table >
<tbody >
</tbody >
</table >
<table >
<tbody >
<tr >
<td width=600 > <img height=2 src=”http://pics.ebaystatic.com/aw/pics/s.gif”
width=1/ > </td >
</tr >
</tbody >
</table >
<table cellSpacing=0 cellPadding=0 width=”100%” border=0 >
<tbody >
<tr >
<td vAlign=top width=580 > <font face=”Arial, Verdana” size=2
>If you need additional help, contact <a href=”http://pages.ebay.com/help/basics/select-support.html” >eBay’s Customer Support </a > </font > <br / >
<img height=7
src=”http://pics.ebaystatic.com/aw/pics/s.gif”
width=1/ > </td >
</tr >
</tbody >
</table >
<table >
<tbody >
<tr >
<td width=600 > <img height=2
src=”http://pics.ebaystatic.com/aw/pics/s.gif”
width=1/ > </td >
</tr >
</tbody >
</table >
<hr class=FooterSeparator/ >
<table cellSpacing=0 cellPadding=0 width=”100%” border=0 >
<tbody >
<tr >
<td > <font face=Verdana color=#666666 size=1
>Learn how you can protect yourself from spoof (fake) emails at: <br / >
<a href=”http://pages.ebay.com/education/spooftutorial”
target=”_blank” >http://pages.ebay.com/education/spooftutorial </a > <br / >
<br / >
This eBay notice was sent to <a href=”/cgi-bin/compose?mailto=1&msg=HAHGMAMGAHSHSHHAHAHSGAHSSN&start=0&len=16212&src=&type=x&to=
&cc=&bcc=&subject=&body=&curmbox=00000000-0000-0000-0000-000000000001&a=7667c95bbd348145d67b675b86f8a6f369e56c1ea5f82c9d6bcd833055a478f7″ > </a >from eBay based on your account preferences. Your account is registered on <a href=”http://www.ebay.com” target=”_blank” >www.ebay.com </a >. As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. To unsubscribe from this notice, change your <a href=”http://cgi4.ebay.com/ws/eBayISAPI.dll” target=”_blank” >notification preferences </a >. Please note that it may take up to 5 days to process your request. If you would like to receive this email in text format, change your <a href=”http://cgi4.ebay.com/ws/eBayISAPI.dll?OptinLoginShow” >notification preferences </a >. <br / >
<br / >
To contact eBay, please go to: <a href=”http://pages.ebay.com/help/contact_inline/index.html” >http://pages.ebay.com/help/contact_inline/index.html </a >. <br / >
On the Contact Us page, select the details of your inquiry and click the “Continue” button. Under the heading Contact Support, click the “Email” link and you will be prompted to fill out and send an email. <br / >
<br / >
See our Privacy Policy and User Agreement if you have questions about eBay’s communication policies. <br / >
Privacy Policy: <a href=”%27http://pages.ebay.com/help/policies/privacy-policy.html” >http://pages.ebay.com/help/policies/privacy-policy.html </a > <br / >
User Agreement: <a href=”http://pages.ebay.com/help/policies/user-agreement.html” >http://pages.ebay.com/help/policies/user-agreement.html </a > <br / >
<br / >
Copyright © 2007 eBay, Inc. All Rights Reserved. <br / >
Designated trademarks and brands are the property of their respective owners. <br / >
eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc. <br / >
</font > </td >
</tr >
</tbody >
</table >
—–
Now, haven’t you always wondered what those phishing sites actually look like? How do they manage to trick so many people??
Check this out. Because we are trained professionals, we know how to connect to a phishing site without getting caught. Don’t try this at home, folks!
If you had clicked on the phishing link, here is what you would have seen. How tricky is this?
Note the actual URL in the address bar… it is exposed because of how we went to the site:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Don’t try it at home? Aww heck, I tried out IE7 phishing filter early on in beta, great fun.
Want even more fun? Remeber those gift cards you got at Christmas with AE, MC or Visa Logos. Assuming you spent the money, they work great at phishing sites if you want to see what happens next…
They also work good that require a credit card for thier free trials.
Heh heh……
Forward such E-mails to Spoof @ebay.com. Let them handle it. When in doubt send it to ebay,
I have been receiving these for a long time. I always forward them, with full header, to spoof@ebay.com and receive a verification that it is indeed a phishing attempt.