I received the above e mail message purportedly from firstname.lastname@example.org entitled “Ebay Fraud Verification Process.” It is deliciously ironic that an e mail message with this title is itself a fraudulent e mail message. In the trade, this type of message is known as a ‘spoof’ or ‘phish’ e mail, since it trolls the internet looking for people gullible enough to convey their personal data to perfect strangers. To learn how to counter such behavior, visit Ebay.com’s Security Center and learn how to identify fraudulent correspondence.
My message began:
Dear eBay user,
As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts.
You are requested to visit our site by following the link given below
Please fill in the required information.
This is required for us to continue to offer you a safe and risk free environment to run your auctions, and maintain the eBay Experience.
The internet header for this fraudulent e mail is:
Received: from server1006.imagelinkusa.net ([18.104.22.168])
by rwcrmxc12.comcast.net (rwcrmxc12) with ESMTP
id <20031223132948r12001lljie>; Tue, 23 Dec 2003 13:29:48 +0000
Received: from nobody by server1006.imagelinkusa.net with local (Exim 4.24)
for email@example.com; Tue, 23 Dec 2003 08:29:47 -0500
Subject: Ebay Fraud Verification Process
Content-type: text/html; charset=iso-8859-1
Date: Tue, 23 Dec 2003 08:29:47 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – server1006.imagelinkusa.net
X-AntiAbuse: Original Domain – attbi.com
X-AntiAbuse: Originator/Caller UID/GID – [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain – server1006.imagelinkusa.net
Reviewing this closely, you’ll find that the mail server that originated this message was imagelinkusa.net and not ebay.com as the actual message’s From box read. It appears that this site was innocently hijacked by spammers who used the company’s mail server to distribute their garbage.
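The header check described above, written out as an added example (it is not part of the original post). It parses the Received lines quoted here and compares the host that handed the message to the recipient's mail server with the domain the From box claimed; the claimed domain ebay.com comes from the text, while the function names and the simple last-two-labels domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string

# Received/Subject headers as quoted in the post; continuation lines are
# indented here so they parse as folded headers.
RAW = """\
Received: from server1006.imagelinkusa.net ([18.104.22.168])
 by rwcrmxc12.comcast.net (rwcrmxc12) with ESMTP
 id <20031223132948r12001lljie>; Tue, 23 Dec 2003 13:29:48 +0000
Received: from nobody by server1006.imagelinkusa.net with local (Exim 4.24)
 for email@example.com; Tue, 23 Dec 2003 08:29:47 -0500
Subject: Ebay Fraud Verification Process

"""

def relay_path(raw):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        frm = re.search(r"\bfrom (\S+)", flat)
        by = re.search(r"\bby (\S+)", flat)
        hops.append((frm.group(1) if frm else None,
                     by.group(1) if by else None))
    return hops[::-1]  # each relay prepends its header, so reverse them

def registrable(host):
    """Last two labels only (assumption: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_origin(raw, claimed_domain):
    hops = relay_path(raw)
    # The newest Received line was written by the recipient's own server,
    # so its "from" host is the one piece of the path the sender cannot forge.
    sending_host = hops[-1][0]
    # Oldest hop: "from <user> ... with local" is Exim's record of a local
    # submission on that machine rather than a relay from another host.
    first_from = hops[0][0]
    local_user = first_from if first_from and "." not in first_from else None
    return {
        "sending_host": sending_host,
        "local_user": local_user,
        "mismatch": registrable(sending_host) != registrable(claimed_domain),
    }

if __name__ == "__main__":
    print(check_origin(RAW, "ebay.com"))
```

A mismatch alone does not prove fraud, since many companies send through third-party mail services, but together with a request for account or banking details it is a strong reason to stop and verify through the site's own support channel.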
If you were so credulous as to actually visit the supposed Ebay.com survey page, you would’ve found a form which requested not only credit card information (as the fraudulent e mail stated), but also banking data and other highly confidential and personal information. I’m sorry to say that I actually began filling out the form, but when I got to the part which requested my bank information I said to myself: “Now, wait a second…I only use my credit card at Ebay.com. Why would they want my bank information?” That’s when I stopped filling the form out and e-mailed Ebay.com’s real customer support department, which informed me that this e mail is indeed a scam. Ebay.com never requests customer information through this type of e mail and you should never take the bait offered by these scammers. I’ve read this advice countless times myself on the web, but this fraudulent e mail was such a clever counterfeit of a real Ebay e mail and the survey site looked so much like a typical ebay page that I was fooled.
Ebay’s customer service rep responded to my message:
These emails are the result of a fraudulent entity who primarily targets members who are using their email address as their eBay User ID or have exposed their email address.
The message linked to the Security Center site which provides great tips on how to verify the authenticity of e mail messages from Ebay.com.
Mike Heath says
As more and more people attempt to capture user information for more than just accounts created on our servers, the links are also masked as to where the link ‘reads’ ebay but if you review the address it goes to – it is an IP address.
We are catching/stopping/terminating about 2 sites a day attempting to perform these actions from our servers to do what we can to ensure no one becomes a victim. I am unable to speak for the other webhosts who are also hosting the senders of these emails but, I can ensure you that we have the tracking in place that normally, within a few hours of the file being in existence, the entire site is locked down. This prevents malicious mail sending to capture funds.
If you come across any email that has our domain name in the server, do not hesitate to send me the exact email (with headers) in the exact format you received it (mailed as an attachment).
I appreciate your assistance and hope this ensures that we are doing all we can to put an end to this before it happens.
Technical Support Manager
Richard Silverstein says
Thanks, Mike, for clarifying that imagelinkusa.com does not endorse the activity of these fraudsters and in fact does everything it can to combat them.