Jun 20 2003

ebay “Account Verification” scam / yernadop

This morning my inbox contained an email that claimed it was from ebay (http://www.ebay.com/) and had the subject “EBay Verification”. When I opened the message, it really looked like an ebay email, but when I clicked on the link in the message, I knew that somebody out there was hunting for credit card information.

I decided to collect the information and make sure that everybody who comes here will detect the same scam in the future …

So here comes the first piece of evidence. This email (screenshot) arrived in my inbox at 10:59pm last night; I downloaded it this morning at 6:00am.

ebay account verification email

This all looks very official: it has the common ebay links, the logo, the little “TRUST-e” logo, etc. The embedded link also looks like something you have already seen on ebay’s site. Well, so let’s click on it:

ebay account verification scam

Again, something that looks very much like an original ebay-page. Logo, common links, design, everything looks like it is the real thing. However there are three things that should make you suspicious:

1) ebay would never ask for account verification through an email
2) ebay would not use unsecured pages (non SSL, not showing “https:”) for this kind of information

and, most importantly

3) there is no ebay server at 62.94.123.19

Look carefully at the URL for the page (marked with a red ellipse). You can see that it starts off with “http://www.ebay.com”, but it continues with “@62.94.123.19”. In a URL, anything between “http://” and an “@” sign is a user name (the “user:password@host” form from RFC 1738), not the host. So the browser treats “www.ebay.com” as a user name to log in with and fetches the page from the server with the address “62.94.123.19”; the real www.ebay.com never sees the request. This is a common trick by scammers to make people believe that they are looking at the page of a particular service when in fact they are looking at the page of some other system.

Be very, very careful whenever you see the “@” sign in the host portion of a URL.
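To make that check mechanical rather than a matter of eyeballing the address bar, here is a small added example (my own code, not part of the scam page or of ebay’s site) that extracts the host a browser would actually connect to and lists the warning signs from the three points above. Only “www.ebay.com” and “62.94.123.19” come from the email; the paths and the other sample URLs are made up for illustration.

```python
"""Find the real host behind a "user@host" URL and explain why a link
should not be trusted as a link to the expected site.  Added example;
the sample URLs other than the two from the post are constructed."""
from typing import List
from urllib.parse import urlsplit
import ipaddress


def real_host(url: str) -> str:
    # RFC 1738/3986: everything between "//" and the first "@" of the
    # authority is userinfo, not the host.  urlsplit() applies that rule,
    # so the hostname of "http://www.ebay.com@62.94.123.19/x" is the IP.
    return (urlsplit(url).hostname or "").lower()


def suspicious(url: str, expected_suffix: str = ".ebay.com") -> List[str]:
    """Return the reasons a URL is not a trustworthy link to the expected site."""
    parts = urlsplit(url)
    host = real_host(url)
    reasons = []
    if parts.username is not None:
        # A "user@" in front of the host is almost never legitimate in a
        # link you were emailed; it exists to make the real host look like
        # part of the path.
        reasons.append(f"user name {parts.username!r} hides the real host")
    if parts.scheme != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)
        reasons.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass  # a DNS name, checked below
    bare = expected_suffix.lstrip(".")
    if host != bare and not host.endswith(expected_suffix):
        reasons.append(f"real host {host!r} is not under {expected_suffix}")
    return reasons


if __name__ == "__main__":
    for u in ("http://www.ebay.com@62.94.123.19/cgi-bin/verify.php",   # from the email
              "http://www.ebay.com.verify-account.example/signin",       # constructed
              "https://signin.ebay.com/ws/eBayISAPI.dll"):               # constructed
        print(u, "->", real_host(u), suspicious(u) or "looks fine")
```

Current browsers either drop the user name from the address bar or ask before sending it, but the parsing rule has not changed, which is why the function leans on the URL parser instead of on string matching against “www.ebay.com”.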

And just for the heck of it, let’s dive a bit deeper into this particular scam.

1) Email headers.
Most Email programs have the ability to look at “Email Headers” (Outlook Express for example does it via “CTRL-F3”, Outlook does it via “View->Options” and Eudora shows you the headers when you press the “Blah Blah Blah” icon when viewing a particular message).

Here is a section from the headers that made me suspicious:

Received: from 10.0.0.4 ([62.139.244.252])
	by smtp-relay-2.adobe.com (8.12.9/8.12.9) with SMTP id h5K4wXpK027898
	for ; Thu, 19 Jun 2003 21:58:35 -0700 (PDT)
Message-Id: <200306200458.h5K4wXpK027898@smtp-relay-2.adobe.com>

This says that the first system inside Adobe (smtp-relay-2.adobe.com) that saw this message received it from a system with the IP address “62.139.244.252”; however, the connecting system introduced itself (in its SMTP HELO command, which sendmail records as the name right after “from”) as “10.0.0.4”. That is a private address from the 10.0.0.0/8 range (RFC 1918), which cannot even be reached from the Internet, so the sender was lying about who it was. Hmm, that’s a small mismatch, isn’t it?
So, let’s see who and where “62.139.244.252” is.
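Here is an added example (my own code, not from the post and not part of sendmail) that pulls the HELO name and the connecting address out of a sendmail-style “Received:” line and reports why the pair looks wrong. The first header is the one quoted above, with the recipient elided exactly as in the post; the second, clean header is constructed for comparison.

```python
"""Compare what a connecting mail server claimed (HELO) with the address
the relay actually saw.  Added example; headers are from the post (first)
and constructed (second)."""
import ipaddress
import re

# From the post; the recipient after "for" was elided there and stays elided.
RECEIVED = ("Received: from 10.0.0.4 ([62.139.244.252])\n"
            "\tby smtp-relay-2.adobe.com (8.12.9/8.12.9) with SMTP id h5K4wXpK027898\n"
            "\tfor ; Thu, 19 Jun 2003 21:58:35 -0700 (PDT)\n")

# Constructed: a well-behaved server whose HELO matches its reverse DNS.
CLEAN_RECEIVED = ("Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
                  "\tby relay.example.org (8.12.9/8.12.9) with ESMTP id abc123\n")

# sendmail writes: from <HELO-name> (<reverse-dns> [<ip>]) by <relay> ...
# The reverse-DNS part is missing when the IP has no PTR record, as here.
_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<relay>\S+)")


def unfold(header: str) -> str:
    """Join RFC 2822 continuation lines (those starting with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> dict:
    m = _RE.search(unfold(header))
    if not m:
        raise ValueError("not a sendmail-style Received header")
    return m.groupdict()


def helo_findings(info: dict) -> list:
    """Reasons the HELO/IP pair of a parsed Received header looks forged."""
    findings = []
    helo, ip = info["helo"], info["ip"]
    try:
        helo_addr = ipaddress.ip_address(helo)
    except ValueError:
        helo_addr = None
    if helo_addr is not None:
        if helo_addr.is_private:
            findings.append(f"HELO {helo} is an RFC 1918 address, unreachable from the Internet")
        if helo_addr != ipaddress.ip_address(ip):
            findings.append(f"HELO {helo} does not match connecting address {ip}")
    else:
        rdns = info.get("rdns")
        if rdns is None:
            findings.append(f"{ip} has no reverse DNS, so HELO name {helo!r} cannot be checked")
        elif rdns.lower() != helo.lower():
            findings.append(f"HELO {helo!r} differs from reverse DNS {rdns!r}")
    return findings


if __name__ == "__main__":
    for h in (RECEIVED, CLEAN_RECEIVED):
        info = parse_received(h)
        print(info["relay"], "saw", info["ip"], "claiming", info["helo"],
              "->", helo_findings(info) or "consistent")
```

Only the “Received:” line added by a relay you trust (here Adobe’s own relay) is evidence; every line below it was supplied by the sender and can be forged outright. A HELO mismatch by itself is also weak for legitimate servers behind NAT; it is the private 10.x address combined with the missing reverse DNS that makes this one smell.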

There is an excellent little tool at http://visualroute.visualware.com/ which I can highly recommend. It allows you to enter an IP address (or the name of a computer on the internet) and then traces the packets from the visualware servers to the address/name you entered. Similar tools are available on Unix (traceroute) and on Windows (tracert).
However, the “Visual Route” server adds a little spice to it: it has location information for lots and lots of IP addresses and IP blocks. So whenever a packet goes through a place for which it has location information, it plots it on the world map below. This is quite entertaining, but not always 100% accurate.

After entering “62.139.244.252” I see this:

Visual trace for 62.139.244.252

Egypt? ebay is sending email via a system in Egypt? Don’t think so.

This seems to indicate that some poor guy had an “open email system” (an open relay) in Egypt which allowed spammers and scammers to abuse his server for mass distribution of email. By the time I checked, the system was down. Most likely somebody noticed the abuse and shut the server down.

2) Who, Where, What is “62.94.123.19”?

So let’s examine the address we found in the ebay verification email a little bit closer. First, plug it into the “Visual Route” server again:

Visual trace for 62.94.123.19

Whoa – ebay is clearly a global company, sending emails from Egypt and doing address verification in Italy. Again, don’t think so.

Using a second tool at http://grove.ufl.edu/~bro/cgi-bin/wp.cgi, the WHOIS proxy, I look up who owns this IP-address (who registered it). Here’s the output:

 inetnum:      62.94.123.16 - 62.94.123.31
 netname:      MEDAINFORMATICA-EDT
 descr:        Meda Informatica
 country:      IT
 admin-c:      DM1720-RIPE
 tech-c:       DM1720-RIPE
 status:       ASSIGNED PA
 mnt-by:       EDISONTEL-MNT
 changed:      ipadmin@edisontel.it 20030216
 source:       RIPE

 route:        62.94.64.0/18
 descr:        EDISONTEL
 origin:       AS15589
 remarks:      Milan Core
 notify:       ipadmin@edisontel.it
 mnt-by:       EDISONTEL-MNT
 changed:      ipadmin@edisontel.it 20010129
 source:       RIPE

 person:       Daniele Metelli
 address:      Meda Informatica
 address:      Via Cortevazzo  13
 address:      I-25136 Palazzolo Sull'Oglio (BS)
 address:      Italy
 phone:        39 030 7403184
 nic-hdl:      DM1720-RIPE
 changed:      ipadmin@edisontel.it 20030216
 source:       RIPE

So – this looks like it’s owned by a small company in Palazzolo Sull’Oglio in Italy’s Lombardia region.

3) What does the web page do?

The web page above asks for “account verification” information. This includes your ebay userid and password, your credit card details, your address, and even your Social Security number and driver’s license information.

Think about it: With this information at hand somebody could not only empty your bank account pretty quickly, but even steal your identity and “become you”. Or sell the information to parties that would be interested to assume somebody else’s identity.

After entering the information on the web-page and clicking the “Continue …” button at the end of the page, your data will be sent to a script called “form2mail.php” on the same server. “form2mail.php” will take all the information you entered and send it off to some other party on the internet via email.

And this is where the bad guy really hides. Looking through the web-pages I can see one piece of evidence that points to this guy. In the form definition it says:

    <INPUT type=hidden value=yernadop name=userid>

The “form2mail.php” script will use this value to determine where to send the data you just entered. However, this is not a full email address; the full address is most likely configured somewhere else on the server, probably pointing to some @yahoo.com or @hotmail.com mailbox where the bad guy just waits for information to come in.
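When you look through a page like this, the two things worth pulling out are where the form submits and which fields it collects. Here is an added example (my own code, not the scam page’s and not something from the post) that does that with Python’s HTML parser. The HTML is constructed to mirror what the post describes: a form posting to “form2mail.php” with the hidden “userid” input quoted above; the names of the visible fields are assumptions.

```python
"""List what a phishing form collects and where it submits.  Added
example; the page below is constructed, only form2mail.php and the hidden
userid=yernadop input are taken from the post."""
from html.parser import HTMLParser

PAGE = """<html><body>
<form action="form2mail.php" method="post">
  <INPUT type=hidden value=yernadop name=userid>
  eBay User ID: <input name="ebay_userid">
  Password: <input type="password" name="ebay_password">
  Card number: <input name="ccnumber">
  SSN: <input name="ssn">
  <input type="submit" value="Continue ...">
</form>
</body></html>"""

# Substrings that mark a field as collecting something a real site would
# never ask for over an emailed link (assumed list, extend as needed).
SENSITIVE = ("pass", "cc", "card", "ssn", "social", "license", "pin")


class FormAudit(HTMLParser):
    """Collect action, method, hidden values and user-visible fields per form."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)              # html.parser lowercases tags and attr names
        if tag == "form":
            self.forms.append({"action": a.get("action"),
                               "method": (a.get("method") or "get").lower(),
                               "hidden": {}, "fields": []})
        elif tag == "input" and self.forms:
            form = self.forms[-1]
            kind = (a.get("type") or "text").lower()
            name = a.get("name")
            if name is None:
                return
            if kind == "hidden":
                form["hidden"][name] = a.get("value")   # e.g. userid=yernadop
            elif kind != "submit":
                form["fields"].append(name)


def audit(html):
    p = FormAudit()
    p.feed(html)
    return p.forms


def sensitive_fields(form):
    return [f for f in form["fields"] if any(k in f.lower() for k in SENSITIVE)]


if __name__ == "__main__":
    for f in audit(PAGE):
        print(f["method"].upper(), "to", f["action"])
        print("  hidden:", f["hidden"])
        print("  sensitive fields:", sensitive_fields(f))
```

A relative action like “form2mail.php” resolves against the page’s own address, so the data goes back to 62.94.123.19 over plain http, which is exactly what point 2 above warns about. The hidden “userid” is the piece that ties the kit to whoever deployed it, which is why it is worth recording separately from the fields the victim fills in.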

Also turns out that “yernadop” is not unknown out there. Take a look at those links on Google: http://groups.google.com/groups?q=yernadop. Scary …

To sum up the story:

* Those guys in Egypt started the mess with an open SMTP server that allowed unidentified parties to send email to the world through their server.
* Poor guys in Italy got their server hijacked and bad guys installed all the necessary stuff to make the system work. Most likely poor system security has to be blamed.
* Bad guy has received hundreds of responses by now and is using the credit card information to purchase whatever he wants. He’s probably also looking for a buyer for all those SSNs.
* And the saddest thing: I tried to be a good citizen and report it to ebay to make sure that at least the “account verification” page is turned off as quickly as possible. After searching for an hour on their web site, I still have not found a place where I can report this kind of issue.

Well, I hope at least you who read this story will not fall for a similar scam any more!

14 Responses to “ebay “Account Verification” scam / yernadop”

  • Marcus Says:

    Hi Hiasi,

    thanks for this interesting info. I’ll forward it to my acquaintances, because some of them are quite gullible when dealing with eBay.

    Best regards from Munich

    Marcus

  • michael Says:

    Thanks ever so much for the info! I was immediately suspicious and did not react naturally (since when is ebay collecting CC details not through a secure server?)
    I have a suspicion it is somebody from Yahoo groups called slave2britney2003. The reason I believe this is that this spammer wanted to join Yahoo groups to get rid of his spam, and he wanted to join one of my restricted clubs. I turned him down, stupidly enough with an email from my main email address, and, what a coincidence, a few hours later I get the ebay info. This is only a suspicion, but I will report this Yahoo ID now to the authorities, as spammers are a nuisance anyway.
    Again, thanks for the vigilance
    Michael from GB

  • Kerri Says:

    Thanks for this posting! I found 4 emails from supposedly EBAY caught in my spam filter. 3 were “account verifications” and 1 was “notice your ebay account has been suspended”. Interesting that they went right into my SPAM guardian and I didn’t receive them in my regular emails.

    Nice eh?

  • sheila Says:

    http://pages.ebay.com/help/confidence/isgw-account-theft-spoof.html This URL is ebay’s “help” page regarding email and website impersonation of eBay.

    Suspicious emails (with full headers) can be sent to spoof@ebay.com

  • alan Says:

    Hi, thanks for the info, I had the e-mail and thought it suspect, so have sent details to e-bay, they should send out warnings now they should be aware.

    Cheers Alan

  • Aletha Says:

    I was so thrilled to find out this was a hoax, I was very nervous about filling it out and consulted a friend who dug around until she found your web site……I plan to send this back to ebay also I think they need to know also………..thanks again.
    Aletha

  • Renee Says:

    I just got this same type of email this morning… the fools didn’t have enough info to know that I don’t use my home e-mail for ebay and they sent the message to that address. Then my virus software prevented me from opening the link properly, which is probably a savior. I realized it was a spoof and sent it over to ebay. Good to see you are keeping people posted about this stuff!! I’m lucky I couldn’t enter any info into the link… but what are the chances they were able to access my system through that link???

  • Larry Says:

    Got one yesterday from 211.35.244.54. e-bay in Korea? Hmmmm… Let’s all remain vigilant.

  • spoof@ebay.com Says:

    Hi, thanks for posting this valuable information.

    eBay is working hard to help keep your account safe from hacking and unauthorized intrusions. Some community members have reported receiving deceptive emails claiming to come from eBay, PayPal, or other popular Web sites. These emails are also known as “spoof” or “phishing” emails. The people who send these emails hope that unsuspecting recipients will reply or click on a link contained in the email and then provide sensitive personal information (for example, eBay passwords, social security numbers, or credit card numbers).

    We strongly encourage you to be cautious when responding to any email request for sensitive personal information.

    Remember, just because an email looks like it’s from eBay, doesn’t mean it really is. An eBay address in the “From” line of an email (for example, “From: support@ebay.com”, “From: billing@ebay.com”, “From: eBay Account Maintenance”) does not guarantee that the email is from eBay.

    You can also take a few simple steps to protect your account and prevent senders of deceptive emails from doing harm:

    Be sure you are on an eBay page
    Before signing in, check the Web address in your browser. If you click on a link in an email, verify that the web address in your browser is the same as the address shown in the email. The Web address of most eBay sign-in pages begins with http://signin.ebay.com/. Never type your eBay user ID and password into a Web page that doesn’t have “.ebay.com” immediately before the first forward slash (/). The “@” sign in a URL is an indication of a spoof!

    Always use a secure server when submitting credit card numbers
    Before submitting credit card numbers over the Internet, ensure that you are using a secure server. The beginning of the web address in your browser window should be “https://” and not “http://“. For secure server pages, you should also see a “lock” icon at the bottom of the browser.

    Do not send sensitive personal information via email
    eBay will never ask you to send your account password or other sensitive personal information such as credit card numbers in an email. Some deceptive emails will ask you to enter your password or sensitive personal information directly into a form within the email in an attempt to defraud you – don’t do it.

    When in doubt, use the eBay Web site
    Any doubt that the email really is from eBay? Simply open a new browser window, type http://www.ebay.com, sign-in, and use the “site map” link to navigate the site. And make sure you sign out when you are finished, especially if you are using a public computer.

    Report suspicious email
    Help us keep our community safe. If you have any doubt whether an email is from eBay, forward the message to spoof@ebay.com immediately. Don’t alter the subject line or forward the message as an attachment – doing so makes it more difficult for us to react quickly.

    Contact your bank or credit card company
    If you have already replied to a fraudulent email with sensitive personal information or entered data through a fake Web page, contact your bank and/or credit card companies immediately to prevent identity theft. eBay also recommends that you check your Account and My eBay preferences periodically to ensure that no one has tampered with your account.

    Educate yourself
    eBay’s Help system provides detailed information about spoof emails, identity theft, and what to do if your eBay account has been compromised.

  • Jennifer Says:

    THANK YOU !!! I got this email today.

    Why isn’t ebay sending out warning?

  • Tobias Hoellrich Says:

    And if somebody read all the way down here, also take a look at the latest “yernadop” incident at http://www.kahunaburger.com/blog/archives/000099.html – thanks.

  • BornElite Says:

    nahH! so u guys found a solution too ! oooohh well wont be long to deface this site ..nvm forget ebay ! i guess this is the time for us hackers to get along with real shits :>
    astalavistaa babbYY !!

  • bren Says:

    my mom just recently got this email and sent in the information. People who do not have computer experience should be warned. So far they had taken 1500$ from her debit card.

  • nathan Says:

    damn just got this email today also .. bah f’n BS ….thanks for the warning ..
