eBay Customers Targetted by Credit Card Scam

hether writes "Customers of the auction site eBay have been targeted by a site called ebayupdates.com. The site attempts to steal credit card details from eBay's 55 million customers. The SANS Institute Internet Storm Center issued the warning on this one. Info about the scam can be found on the BBC site, CNN, CNet, vnunet, and more. Funny enough there's no mention of this on the eBay site..."

Surprise!

[tigress]

eBay credit card scams are not new. I've received half a dozen of them in my spambox. Strangely enough, they were all addressed to the email-address I only use for eBay. What a strange coincidence.

Re:Surprise!

[tigress]

Does this happen to your Paypal email-address, that you only use for Paypal and don't disclose to anyone outside of Paypal? =)

The funny thing is that the eBay scams thing happens to the email-address that I used for eBay, never disclosed to anyone outside of eBay, except for two people that I purchased items from. Funny thing that. I suppose they must've guessed my address. =)

(In plain text, I'm getting eBay scam email from an email-address that, if I didn't absolutely trust eBay's integrity, I might suspect that eBay sold to the scammers)

What?

[neksys]

Representatives of eBay were not immediately available for comment, but the company has issued a general warning on its Web site, urging caution over e-mails seeking passwords or credit card numbers.

Sounds like they've mentioned it on the website to me.....

Re:What?

[gvonk]

It's tough to find, but here's the warning:

Some members have reported attempts to gain access to their personal information through email solicitations that are falsely made to appear as having come from eBay. These solicitations will often contain links to Web pages that will request that you sign in and submit information. At eBay, we identify these as 'spoofed' emails or Web sites.

We encourage you to be very cautious of emails that ask you to submit personal information such as your credit card number or your eBay password.

To be sure that you are signing into a genuine eBay Web site, look at the Address/Location area of your browser. At an eBay.com sign-in or log-in page, the URL (link) that appears in the Address/Location area of your browser will begin with "http://cgi.ebay.com/" or "http://scgi.ebay.com". Please pay close attention to all characters in the address, including the forward slash (/) that follows "ebay.com". Even if the Address/Location includes the word "ebay", it may not be a genuine eBay Web site. If you receive or suspect you have received such an email, do not respond to it or click the links. Immediately send a copy of it to spam@ebay.com.

If you have any doubt as to whether or not the website you are on is an official eBay web page, please visit our Account Security page for more complete information on the URLs used on eBay web pages.

For more information on how to protect your eBay password and your account, click here.

Regards,
eBay

strange.. seems to be down.. =)

WHOIS Record:

Domain Name.......... ebayupdates.com
Creation Date........ 2002-12-06
Registration Date.... 2002-12-06
Expiry Date.......... 2003-12-06
Organisation Name.... Tred
Organisation Address. 1742 BOLTON VILLAGE LANE
Organisation Address.
Organisation Address. NICEVILLE
Organisation Address. 32578
Organisation Address. FL
Organisation Address. UNITED STATES

Admin Name........... Eulalia Bergenthal
Admin Address........ 1742 BOLTON VILLAGE LANE
Admin Address........
Admin Address........ NICEVILLE
Admin Address........ 32578
Admin Address........ FL
Admin Address........ UNITED STATES
Admin Email.......... qspam52@aol.com
Admin Phone.......... 713-552-6332
Admin Fax............

Tech Name............ YahooDomains Techcontact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

Re:strange.. seems to be down.. =)

[korny69]

Tech Name............ YahooDomains Techcontact

Yahoodomains.com: Get your own eBay-like domainname & web-card from $35/Year!
Package includes:

• Domain name (i.e. www.ebayaccounts.com)
• Web Card or Web Address Forwarding
• Email Account (to fool the best of 'em)
• Online access to your ebay-accounts database!

Re:strange.. seems to be down.. =)

[robson]

Organisation Address.1742 BOLTON VILLAGE LANE
Organisation Address.
Organisation Address. NICEVILLE
Organisation Address. 32578
Organisation Address. FL
Organisation Address. UNITED STATES

...and, of course, it's straight out of America's wang... er, I mean, Florida.

Re:strange.. seems to be down.. =)

[b0r1s]

To be fair, Yahoo did a good job of taking these jackasses offline quickly.

This really isn't that new: it's been discussed on incidents@securiyfocus.com for the past few days. From that list:


The form posts to

http://www.cutandpastescripts.com/cgi-bin/formpr oc essing/forms.pl

It has the following hidden fields, with the following values

activenumber 428283597791
username xacxac
MfcISAPICommand SingInWelcome
siteid 0
co_partnerId 2
UsingSSL 0
ru
pp
pa1
pa2
pa3
i1 -1
pageType -1

and the following field names, that are entered by the user on the form

name
address
City
State
Zip
Phone
cc
expi re
Cvv2
Bank Name
Bank #
checking_account_number
Routing_number
ssn
m mn
dob
dl#
userid
pass (password)
submit (value=Sign In)
keepMeSignInOption (checkbox, checked value=1)

ebay scam repayments

[Toasty16]

I have created a database of people ripped off by these ebay scams. if you think you are one of them, please send your name, address, and credit card number with expiration date to ebayscam@scamalert.com Let's get to the bottom of this scam!

Re:ebay scam repayments

[Caractacus+Potts]

You should sell your database on eBay!

Re:Yet another example of bad security

[neksys]

Perhaps if you'd read the article instead of trying to get an early post, you'd know that the numbers aren't stolen - the site, ebayupdates.com, fools people into thinking that they are affiliated with the real ebay.com, and asks them to re-enter their financial information. It has nothing to do with credit card databases or encryption - just new take on a tried and true con that has been around for probably centuries.

Re:Yet another example of bad security

[tigress]

Does nobody read the articles anymore? =)

This is not about eBay's security. It's about a spam scammer that tricks users into going to a third party website and reenter their credit card details.

Though, I'm sure the scammer encrypts all credit card details, in order to protect the customers. =)

I helped shut one of these guys down

[greenshift]

A couple months ago I received an email notifying me that eBay was updating its records and needed me to re-enter my user and credit card information.

The site was at http://www.cgi5-ebay.cc/eBayISAPIdll/signin.html. Obvious to any experienced computer user as a scam.

But since I was sure unsuspecting users may be duped, I decided to do something about it. I contacted the service provider, A Plus (aka Abacus), informed them of the scam, and requested that they shut it down. Within an hour the site was offline.

Too bad I didn't submit this to news wire services. Oh well.

Re:I helped shut one of these guys down

[neksys]

A commendable action! I'm sure you saved a few people some headaches. However, next time anyone is in a situation like this, I might suggest that the second place you contact (after the service provider) are whatever law enforcement agency has jurisdiction over fraud cases such as these. Shutting them down is one thing, but getting them put behind bars guarantees that they'll have to wait a while before starting up a new scam.

Re:I helped shut one of these guys down

[tigress]

I've reported scammers before, to the service providers. I'd love to report them to the legal authorities, except I'm in Sweden and I doubt me contacting Russian or Chinese legal authorities will do much about the fake French address that the UK scammer used in order to defraud German customers of a US company.

Re:I helped shut one of these guys down

[Sycraft-fu]

I recieved something similar. I didn't look at it to see if it was really form eBay or not since it didn't matter, and I didn't know scams were going around. I popped open my browser, logged into eBay and lo and behold, my account is all up to date. Hmmm. So I look at the message again, yep, a scam.

The easiest way to avoid getting duped is simply to always interact with the site through normal channels. Even the message looks totally legit, still login as you do normally. This eliminates the possability that you are entering a 3rd party site by accident.

Slashdot Brings Justice to the People!

[JayBees]

Problem: Credit card theft by a scam artist web site.

Solution: /.ing the slimey bastards til their servers cry out for mercy.

Kudos to /. for using their powers for good instead of evil (this time). Hey, someone start submitting stories with links to riaa.org.

Re:Slashdot Brings Justice to the People!

[Flounder]

Hey, someone start submitting stories with links to riaa.org.

Why the automatic assumption that the riaa is a scam? They support the development and careers of many talented musicians. All they are doing is rightfully protecting their own copyrighted interests, in the name of protecting the earnings of the hard working artists and musicians. The RIAA and MPAA's only goal is the advancement of the arts.

Oh, wait.

[engage Slashdot filter]
KILL THEM ALL!! MAKE THEIR SCSI DRIVES BLEED!! THE RIAA AND MPAA ARE AS EVIL AS MICROSOFT AND CONGRESS!! ALL INFORMATION WANTS TO BE FREE!!
[disengage Slashdot filter]

There, that makes sense now.

Amazon.com sues ebayupdates.com

[raehl]

Citing intellectual property violations, Amazon.com quickly filed a lawsuit in reaction to ebayupdate.com's new website.

"The one-click credit card number stealing algorithm employed by ebayupdates.com is a clear violation of amazon.com's one click transaction patent," said amazon.com CEO Jeff Bezos in a statement. "Let this be a message to other sites like ebayupdates.com: Amazon.com will not tolerate one-click theft."

When reached for comment, an amazon.com spokeswoman clarified that amazon.com would not take action against a process that used at least two mouse clicks.

Re:Yet another example of DUMBASS NOT READING ARTI

[mbogosian]

The information was stolen by getting users to go to a site that LOOKED like an eBay site and get them to give that site the information directly.

CNN is reporting: "HUNDREDS FOOLED AS EBAY SCAM STORY IS POSTED TO FAKE SLASHDOT SITE". The article goes on to say, "Many SlashDot regulars looking for easy karma were duped into posting their carefully crafted trolls and comments to a fraudulent site set up at http://brak.slashdot.org/ officials said early Friday morning. CmdrTaco has been unavailable for comment."

This is not a unique happening....

[solostring]

If you check out the safeharbour forums on Ebay, this is not a rare occurance. There are many scam sites and spam emails which try to socially engineer credit card info and passwords from Ebay users.

I really don't know why this particular instance was picked up by the big news corporations....

Similar PayPal scam

[pixelbeat]

I just got an identical scam pertaining to PayPal. I was directed to enter info into PayPal scam site

Social engineering

[The+Tyro]

These are one of the oldest social engineering scams in existence...

They've been used on AOL subscribers (we are updated our database! Email your login/password to this address to ensure uninterrupted service), and even (legitimately) by sysadmins to check on the cluefulness of their own users... see how many ppl will Email you their login/passwords.

That mantle of authority/legitimacy is a powerful psychological tool... provides a lot of social control in some arenas. But I'm not saying it's always good... when people are trained/socialized to listen and not ask questions at all... well... you get victimized by stuff like this. Not to sound like a bumper sticker, but "question authority" is pretty good advice sometimes.

A little bit of cynicism and skepticism go a long way, particularly on the 'Net.

Offtopic, Yes, But...

[E-Rock-23]

I don't think I've ever seen a discussion here on /. that has spawned so many AC posts. I was going to try and moderate here, but DAMN!

Now to get myself back on topic. If you use a credit card on ebay, you're insane. Every time I deal on ebay, I only use postal money orders. Period. It's no big thing to go to your local post office to get/cash one. Unless some idiot is counterfitting things, it's the most secure way I can find to do business on an auction site. And it's not like it's a big pain in the ass, either. Every town has a post office. If it doesn't, the next town over probably does.

It basically boils down to the fact that these are issued by the government. You'ld have to be insane to want to commit fraud when dealing with PMOs. You either have balls the size of Alaska or a brain the size of the period at the end of this sentance. Using a credit card on ebay is like saying "Hey. Take my valuable information, please!"

Sites like ebay should also provide an easy-to-access list of 100% trusted partner sites. Just because an URL contains the name "ebay" in it doesn't mean it's alright. Let's face it: apart from we ubergeeks and a small percentage of the non-geek population, most people are just dumb as rocks when it comes to dealing with anything on the net, let alone any form of e-commerce. It should fall upon sites like ebay to educate their users, even just a little bit.

Re:Offtopic, Yes, But...

[Judg3]

You have no choice but to use a credit card if your going to sell something on Ebay. They started forcing people to attach a credit card number to their account as a means of reducing the amount of fraudulent accounts people would set up to scam other Ebay users out of money.
You don't have to submit the ole CC to buy something, only to sell.

this really is an old story

[night_flyer]

in fact this is the second such site in two weeks, MSNBC and the BBC both carried these earlier (MSNBC last weekand the BBC early this week)

If Slashdot is just now getting to this, why bother? I would hope that the users are informed enough already to catch this kind of thing for one as well as reading the mainstream news.

These scams happen constantly.

[aussersterne]

Since the beginning of December alone, I have received four e-mail messages claiming to be from eBay, pointing to various Web sites which ask for credit card or membership information. They all have the following in common:

1. Partially (but not expertly) forged mail headers.
2. Web site which looks pretty authentic but isn't hosted at eBay (imagine that!)
3. A threat of some sort -- "If you fail to verify your information within four days, your account will be suspended."
4. Grammar or spelling mistakes if you look closely.

When I got my first couple of these a year ago or so, I dutifully reported the messages to eBay and the abuse@ addresses for the mail server and Web host used in the transactions. But now I receive so many of them, I just ignore them.

I nope not too many people are dumb enough to fall for this, but sadly, I suspect that some are...

An identity-theft scam, with DMCA protection!

[jms]

The topic here is a "credit-card theft" scam, which turns out to be much more than that. It's a shining example of the evils of the DMCA!

The spam I got was more then just credit card theft, it was an attempt at full-bore identity theft! The spam directed the user to a web page that asked for, among other things, my social security number, mother's maiden name, and drivers license number. (see Appendix A at the end of this post)

On top of that, the spam was encrypted! I tried to look at the source code, but instead found a javascript program, containing a decryption algorithm, and pages and pages of encrypted data. (See Appendix B at the end of this post) The function of this program is obvious. The program overlays itself with the decrypted identity-theft program, then runs it.

Naturally I didn't fill out the form or click submit once I saw what the web page was, but I did execute the encrypted program by following the link in the email, and I was able to use "View Page Source" to locate and capture the complete decryption algorithm and encrypted identity-theft program.

This is an interesting situation.

Here we have a piece of spam containing a Javascript program, which comprises a technological measure that controls access to another piece of either HTML or possibly Javascript (the copyright-protected identity-theft program), which in turn may or may not exploit some netscape or IE bug to steal my personal information.

Or it might operate at face-value, generating a simple HTML form, collecting field information, and sending the information off to a remote identity-theft collection computer.

I can't tell without (trivially) bypassing the technological measure, by altering the program to display the plaintext of the identity-theft program
instead of executing it.

This technological measure (the javascript program) is obviously designed to prevent me (the intended identity-theft victim) from gaining access to the copyrighted identity-theft program to examine it.

Therefore, this whole identity theft scam is fully DMCA-protected! It would be a violation of 17 USC 1201(a) for me to alter the decryption program in such a way as to display the identity-theft program (and learn if I was an actual victim or just a potential victim.) It would be a violation of 17 USC 1201(b) for you to post a followup message explaining how to do it. The DMCA provides no exception for potential or actual victims of this sort of spam fraud, or for individuals attempting to aid potential or actual victims of this sort of spam fraud, or for individuals attempting to research this type of fraud.

So what if I were just to ignore the DMCA, decrypt the identity-theft program and reveal its contents? Obviously, the identity-theft ring isn't going to step forward and sue me, because presumably they are trying to conceal their identities and activities. That doesn't mean that I'm safe though. The problem is that under the DMCA, I would be risking Federal prosecution, even if all I was trying to do was determine whether I was an actual victim of identity theft!

In reality, I suspect that I would not be prosecuted by the Federal Government in this particular instance, but then who knows these days. The law is supposed to provide equal protection. In this case, not prosecuting me (for discovering for myself whether I was the victim of identity theft) would illustrate the selective enforcement of the DMCA. Dmitry Sklyarov faced prosecution by the Federal Government for bypassing a technological measure controlling access to ebooks, even after Adobe backed away from the lawsuit.
How am I supposed to know whether or not I would face prosecution for exposing an identity-theft scam? Why should I, or anyone else, take the risk?

APPENDIX A: Information requested by the identity-theft program.

Full Name (Include your full middle name)
Address
City
State
Zip Code
Phone Number
Credit Card Number
Expiration Date
Cvv2 (Last 3 digits located behind your credit card or (4 digits for AMEX located on the front above your credit card number)
Bank Name
Bank Phone Number (Located on the back of the credit card)
Social Security Number
Mothers Maiden Name
Date Of Birth
Drivers License Number
eBay User ID
You can also use your registered email.
eBay Password

APPENDIX B: The javascript program itself.

function process(ar)
{
var Stri=''

var y, z, sum, n, n1, number, j=0
var key = new Array(25960,31077,121,104)

n1=4
for (j=0; j0)
{
z-=(y>5)+key[3]
y-=(z>5)+key[1]
sum-=0x9E3779B9
}

Stri+=String.fromCharCode(y&0xFF)+String.fromCha rC ode((y>>8)&0xFF)+
String.fromCharCode((y>>16)&0xF F)+String.fromCharC ode((y>>24)&0xFF)
Stri+=String.fromCharCode(z&0xF F)+String.fromCharC ode((z>>8)&0xFF)+
String.fromCharCode((z>>16)&0xF F)+String.fromCharC ode((z>>24)&0xFF)
}
document.write(Stri)
Stri=''
}
}

function start() {
var ar=new Array()
ar[0]=new Array(-476521852,-2058851006,-25665082, ... ,29762809)

... (the encrypted data stream is very, very long) ...

ar[13]=new Array(-575491891,665716493, ... ,1125967000)
process(ar)
}
start()

(I had to alter the spacing of the "Stri+=" lines because of the lameness filter:
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
Also, slash appears to have inserted a space in the second "fromCharCode" in each line that isn't really there. Whatever.)