eBay Customers Targetted by Credit Card Scam

← Back to Stories (view on slashdot.org)

eBay Customers Targetted by Credit Card Scam

Posted by ryuzaki0 on Thursday December 12, 2002 @09:37PM from the pulling-a-fast-one dept.

hether writes "Customers of the auction site eBay have been targeted by a site called ebayupdates.com. The site attempts to steal credit card details from eBay's 55 million customers. The SANS Institute Internet Storm Center issued the warning on this one. Info about the scam can be found on the BBC site, CNN, CNet, vnunet, and more. Funny enough there's no mention of this on the eBay site..."

8 of 237 comments (clear)

Min score:

Reason:

Sort:

Surprise! by tigress · 2002-12-12 21:39 · Score: 4, Interesting

eBay credit card scams are not new. I've received half a dozen of them in my spambox. Strangely enough, they were all addressed to the email-address I only use for eBay. What a strange coincidence.
1. Re:Surprise! by tigress · 2002-12-13 03:51 · Score: 3, Interesting
  
  Does this happen to your Paypal email-address, that you only use for Paypal and don't disclose to anyone outside of Paypal? =)
  
  The funny thing is that the eBay scams thing happens to the email-address that I used for eBay, never disclosed to anyone outside of eBay, except for two people that I purchased items from. Funny thing that. I suppose they must've guessed my address. =)
  
  (In plain text, I'm getting eBay scam email from an email-address that, if I didn't absolutely trust eBay's integrity, I might suspect that eBay sold to the scammers)
I helped shut one of these guys down by greenshift · 2002-12-12 21:48 · Score: 4, Interesting

A couple months ago I received an email notifying me that eBay was updating its records and needed me to re-enter my user and credit card information.

The site was at http://www.cgi5-ebay.cc/eBayISAPIdll/signin.html. Obvious to any experienced computer user as a scam.

But since I was sure unsuspecting users may be duped, I decided to do something about it. I contacted the service provider, A Plus (aka Abacus), informed them of the scam, and requested that they shut it down. Within an hour the site was offline.

Too bad I didn't submit this to news wire services. Oh well.
1. Re:I helped shut one of these guys down by Sycraft-fu · 2002-12-12 23:07 · Score: 3, Interesting
  
  I recieved something similar. I didn't look at it to see if it was really form eBay or not since it didn't matter, and I didn't know scams were going around. I popped open my browser, logged into eBay and lo and behold, my account is all up to date. Hmmm. So I look at the message again, yep, a scam.
  
  The easiest way to avoid getting duped is simply to always interact with the site through normal channels. Even the message looks totally legit, still login as you do normally. This eliminates the possability that you are entering a 3rd party site by accident.
Re:Uh..did we not see this earlier? by adrianhensler · 2002-12-12 22:04 · Score: 2, Interesting

Maybe you are thinking of the paypal scam that was exactly the same deal; very legitimate looking pages:

http://www.msnbc.com/news/837882.asp
I was targetted about 5 weeks ago by tacocat · 2002-12-12 23:17 · Score: 2, Interesting

I got one of these emails in which they claimed that eBay has lost some information and needed me to go to some website and fill in some information about my self.

I never got that far, SpamAssassin stripped out the HTML and exposed all the real URL's.

I forwarded the email to eBay.com but I've never heard anything about it. That was before Thanksgiving or earlier. I didn't keep the original email, it served no purpose to me anymore.
These scams happen constantly. by aussersterne · 2002-12-13 04:25 · Score: 3, Interesting

Since the beginning of December alone, I have received four e-mail messages claiming to be from eBay, pointing to various Web sites which ask for credit card or membership information. They all have the following in common:

1. Partially (but not expertly) forged mail headers.
2. Web site which looks pretty authentic but isn't hosted at eBay (imagine that!)
3. A threat of some sort -- "If you fail to verify your information within four days, your account will be suspended."
4. Grammar or spelling mistakes if you look closely.

When I got my first couple of these a year ago or so, I dutifully reported the messages to eBay and the abuse@ addresses for the mail server and Web host used in the transactions. But now I receive so many of them, I just ignore them.

I nope not too many people are dumb enough to fall for this, but sadly, I suspect that some are...

--
STOP . AMERICA . NOW
An identity-theft scam, with DMCA protection! by jms · 2002-12-13 07:09 · Score: 5, Interesting

The topic here is a "credit-card theft" scam, which turns out to be much more than that. It's a shining example of the evils of the DMCA!

The spam I got was more then just credit card theft, it was an attempt at full-bore identity theft! The spam directed the user to a web page that asked for, among other things, my social security number, mother's maiden name, and drivers license number. (see Appendix A at the end of this post)

On top of that, the spam was encrypted! I tried to look at the source code, but instead found a javascript program, containing a decryption algorithm, and pages and pages of encrypted data. (See Appendix B at the end of this post) The function of this program is obvious. The program overlays itself with the decrypted identity-theft program, then runs it.

Naturally I didn't fill out the form or click submit once I saw what the web page was, but I did execute the encrypted program by following the link in the email, and I was able to use "View Page Source" to locate and capture the complete decryption algorithm and encrypted identity-theft program.

This is an interesting situation.

Here we have a piece of spam containing a Javascript program, which comprises a technological measure that controls access to another piece of either HTML or possibly Javascript (the copyright-protected identity-theft program), which in turn may or may not exploit some netscape or IE bug to steal my personal information.

Or it might operate at face-value, generating a simple HTML form, collecting field information, and sending the information off to a remote identity-theft collection computer.

I can't tell without (trivially) bypassing the technological measure, by altering the program to display the plaintext of the identity-theft program
instead of executing it.

This technological measure (the javascript program) is obviously designed to prevent me (the intended identity-theft victim) from gaining access to the copyrighted identity-theft program to examine it.

Therefore, this whole identity theft scam is fully DMCA-protected! It would be a violation of 17 USC 1201(a) for me to alter the decryption program in such a way as to display the identity-theft program (and learn if I was an actual victim or just a potential victim.) It would be a violation of 17 USC 1201(b) for you to post a followup message explaining how to do it. The DMCA provides no exception for potential or actual victims of this sort of spam fraud, or for individuals attempting to aid potential or actual victims of this sort of spam fraud, or for individuals attempting to research this type of fraud.

So what if I were just to ignore the DMCA, decrypt the identity-theft program and reveal its contents? Obviously, the identity-theft ring isn't going to step forward and sue me, because presumably they are trying to conceal their identities and activities. That doesn't mean that I'm safe though. The problem is that under the DMCA, I would be risking Federal prosecution, even if all I was trying to do was determine whether I was an actual victim of identity theft!

In reality, I suspect that I would not be prosecuted by the Federal Government in this particular instance, but then who knows these days. The law is supposed to provide equal protection. In this case, not prosecuting me (for discovering for myself whether I was the victim of identity theft) would illustrate the selective enforcement of the DMCA. Dmitry Sklyarov faced prosecution by the Federal Government for bypassing a technological measure controlling access to ebooks, even after Adobe backed away from the lawsuit.
How am I supposed to know whether or not I would face prosecution for exposing an identity-theft scam? Why should I, or anyone else, take the risk?

APPENDIX A: Information requested by the identity-theft program.

Full Name (Include your full middle name)
Address
City
State
Zip Code
Phone Number
Credit Card Number
Expiration Date
Cvv2 (Last 3 digits located behind your credit card or (4 digits for AMEX located on the front above your credit card number)
Bank Name
Bank Phone Number (Located on the back of the credit card)
Social Security Number
Mothers Maiden Name
Date Of Birth
Drivers License Number
eBay User ID
You can also use your registered email.
eBay Password

APPENDIX B: The javascript program itself.
function process(ar) { var Stri='' var y, z, sum, n, n1, number, j=0 var key = new Array(25960,31077,121,104) n1=4 for (j=0; j0) { z-=(y>5)+key[3] y-=(z>5)+key[1] sum-=0x9E3779B9 } Stri+=String.fromCharCode(y&0xFF)+String.fromCha rC ode((y>>8)&0xFF)+ String.fromCharCode((y>>16)&0xF F)+String.fromCharC ode((y>>24)&0xFF) Stri+=String.fromCharCode(z&0xF F)+String.fromCharC ode((z>>8)&0xFF)+ String.fromCharCode((z>>16)&0xF F)+String.fromCharC ode((z>>24)&0xFF) } document.write(Stri) Stri='' } } function start() { var ar=new Array() ar[0]=new Array(-476521852,-2058851006,-25665082, ... ,29762809) ... (the encrypted data stream is very, very long) ... ar[13]=new Array(-575491891,665716493, ... ,1125967000) process(ar) } start()

(I had to alter the spacing of the "Stri+=" lines because of the lameness filter:
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
Also, slash appears to have inserted a space in the second "fromCharCode" in each line that isn't really there. Whatever.)