Sunday, March 26, 2006

I got "Phished" and took the hook.

I got "Phished" and took the hook. Boy do I feel dumb.

I work as a computer consultant. I should know better.

Something happened to me here yesterday that reminded me even computer gurus make mistakes.

Someone posing as an eBay customer sent me an email asking about something for sale.

It was 8 am and as I was rolling out of bed, I clicked on reply.

An eBay username and password page came up and I typed in my username and password.

As soon as I hit enter, I realized I had just done what I tell everyone not to do.

I looked at the URL in the toolbar. http://1050513031/styles/ws/ebay/index.html

That's not even an IP address. Where the hell was this?

A sinking feeling came over me. I had just given someone my eBay username and password.

Dumb as a rock I am. DOH! Homer Simpson reference intended for dramatic effect.

It's not like I have a big eBay business. I have sold 1 item and bought 1 item.



Original Message Follows:
------------------------
To: mrlinuxhead@yahoo.com
Subject: Message from eBay Member regarding Item #5876677535
From: "eBay Member precisionlaptops4u" aw-confirm@ebay.com
Date: Sat, 25 Mar 2006 07:10:40 -0800 (PST)
Email Body:

Question from capitalmal

Item: (5876677535) (I checked this one out. This is a Dell Plasma TV W4200 Speakers & Floor Stands H7218. NOT MINE!)


This message was sent while the listing was active.
precisionlaptops4u is a potential buyer.
What would the shipping cost be to West Virginia zip code 25511?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 5876677535
End date: Mar-09-06 12:50:17 PST
View item description:


Another URL they pulled out of their ass:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
(And on checking, this is NOT one of my items. It's a Home Interiors Print!)

Thank you for using eBay!

http://www.ebay.com/

(This was the URL that I clicked on that said "Click here to reply")
Message: http://1050513031/styles/ws/ebay/index.html
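
Added example, not part of the original post: the host in that link is a single decimal integer, a form browsers accept as a 32-bit IPv4 address. The Python sketch below audits the links in a message body and decodes integer hosts to dotted-quad form so they can be checked against WHOIS or a blocklist. The function names and `SAMPLE_BODY` (constructed from the URLs quoted above) are assumptions, and it also handles the `0x` hex form, which goes beyond the one case in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample body, built from the two links quoted in the post.
SAMPLE_BODY = (
    "Thank you for using eBay!\n"
    "http://www.ebay.com/\n"
    "Respond Now: http://1050513031/styles/ws/ebay/index.html\n"
)

def decode_numeric_host(host):
    """Return the dotted-quad form of a single-integer host, else None."""
    h = host.lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        n = int(h, 16)            # hex form, e.g. 0x3e9d8e87
    elif re.fullmatch(r"[1-9][0-9]*", h):
        n = int(h, 10)            # decimal form, as in the phishing link
    else:
        return None               # ordinary name, dotted quad, etc.
    try:
        return str(ipaddress.IPv4Address(n))
    except ipaddress.AddressValueError:
        return None               # integer does not fit in 32 bits

def classify_host(host):
    """Label a URL host as 'integer-ip', 'literal-ip' or 'name'."""
    decoded = decode_numeric_host(host)
    if decoded is not None:
        return ("integer-ip", decoded)
    try:
        ipaddress.ip_address(host)
        return ("literal-ip", host)
    except ValueError:
        return ("name", host)

def audit_links(body):
    """Return (url, kind, resolved_host) for every http(s) link in body."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        kind, value = classify_host(host)
        findings.append((url, kind, value))
    return findings

if __name__ == "__main__":
    for url, kind, value in audit_links(SAMPLE_BODY):
        print(f"{kind:11} {value:18} {url}")
```

A mail filter or a cautious reader can treat any `integer-ip` or `literal-ip` link in a message that claims to come from a named brand as suspicious on sight.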


So I spent the next few hours changing ALL of my passwords on every Web site I maintain.

I just thought everyone out there would get a good laugh out of it and maybe Learn From My Mistakes.

So I shot eBay an email (not using my yahoo account).


Account Security Fake or suspicious eBay email
Report an email from
eBay that may be fake
Email Header:



I won't put in here what I sent to eBay but here is the reply I got shortly thereafter:



Hello,

Thank you for writing to eBay regarding the email you received.

Emails such as this, commonly referred to as "spoof" or "phished"
messages, are sent in an attempt to collect sensitive personal or
financial information from the recipients.

The email you reported was not sent by eBay. We have reported this email
to the appropriate authorities.

Yada Yada Yada . . . .

Once again, thank you for alerting us to the spoof email you received.
Your efforts help keep eBay a safe and fair place to trade.

Regards,

eBay SafeHarbor
Investigations Team


I do network security and web servers, email server and stuff, so I thought I would do a little snooping around.

With a few Google queries and a few WHOIS lookups, I had a little information I thought I would share with eBay.
And now I think I will share it with you as well.
Here is my email to eBay last night. Enjoy!


Hi eBay,

I did a Google search on the eBay member that sent me the phishing email today.
I thought you may be interested in what came back.

It looks like his store account on eBay is closed but I get a hit on the eBay
member "precisionlaptops4u" in Google:

precisionlaptops4u
Ships to: United States
Item location: Saint Paul, Minnesota United States

Also is the same as:

precisionpcgeeks (338 Feedback score is 100 to 499)
Ships to: United States
Item location: Saint Paul, Minnesota United States

This is the same eBay seller I assume.
I do not know if he is the one that sent me the phishing email but
I also got the following hits from Google:

http://rss.groups.yahoo.com/group/luckywang168/rss
This is a RSS feed and is full of abuse comments.

One that caught my eye was:
eBay Safeharbor Department Notice Fraud Alert ID :
00626654 Dear eBay member,

A Google for "luckywang168" got me a few hits. One led to a Chinese company called
"Thai-Oh (Tangshan) Trading Co., Ltd" run by a man called
"Mr. Lucky Wang Manager, Export Dept."

His contact info is:
# Tel : 86-315-2106-244 / 86-315-2552-848
# Fax : 86-315-3287-669

at the URL

http://luckywang168.en.ecplaza.net/

and also

http://www.thai-oh.net/


WHOIS contact info is:

Registrant:
tangshan unicom fanhua network CO.,LTD
18 beixinxidao lubeiqu tangshan
qinhuangdao city
tangshan, Hebei 063000
CN

Domain Name: THAI-OH.NET

Administrative Contact, Technical Contact:
Lucky, Wang
RM420.Zhongmei,No.132,Xinhua West Road,Tangshan, Hebei, China
tangshan, Hebei 063000
CN
0315-2106244 fax: 0315-3287669

Record expires on 01-Mar-2007.
Record created on 01-Mar-2004.

Domain servers in listed order:

NS1.CNOLNIC.COM 211.99.204.77
NS2.CNOLNIC.COM 211.152.51.15


P.S.
Also shows up on http://finechina.blog.163.com.

163.com is a known open relay for spammers.


Check this guy out for me, ok?


I hope this helps with your investigation.

Mr. LinuxHead




P.S. Here is a little known fact.
The government in China is a BIG ISP! And they run Windows.

BRUUHAA! Game On, Boys.

You're messing with the wrong people over here.

http://www.thai-oh.net/

Netcraft resolves that to:

OS Windows Server 2003
Server Microsoft-IIS/6.0
Last changed 26-Mar-2006
IP address 220.194.211.38
Netblock Owner China United Telecommunications Corporation

