Ah… (checks email)… ooh, another email “from eBay”. But of course. From [email protected]? Why naturally! What the hell, I thought, let’s see what they’ve done.
And there it is, even including a Habeas antispam header. Great – something more to report.
Got reading. And they’ve got the breezy style of these things just right.
“It’s that time of year again! With 2005 now upon us, we have updated the eBay user agreement.”
Uh-huh. Waiting for the other shoe to drop.
“As a result of the update, your account will be restricted until you have followed the link below and reconfirmed your contractual agreement with eBay. We apologize for any inconvience as a result of the update, but as a large e-commerce entity we are required to receive an updated agreement at the beginning of each year.”
“Beginning” in this case being March 5. Which civilisation would that be? Mayan? Aztec?
So what’s the URL? It looks rather promising, even if you uncover the true URL – in my case by clicking on Eudora’s “blah blah blah” (it’s really called that) button, which shows you the actual URLs that clickable links are sending you to.
The link text says: https://signin.ebay.com/ws/eBayISAPI.dll?UpdateAgreement
The actual URL: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F184.108.40.206%2FeBayISAPI.php&pageType=1883 .
Be very careful with this link; I’ve not obscured it at all. See what it does? It starts with the real eBay URL, a secure one, and then near the end redirects you, obscuring it with lots of encoded characters (can you guess what http%3A%2F%2F comes up as? Can ya?).
It gets worse. That URL comes up as a secure page, with the eBay logo in the browser. It appears to load the eBay page. In fact what it does is load the page at http://220.127.116.11/ – yup, go take a look. (Unless it’s been killed now.)
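As an added example (not part of the original post), this Python sketch unpacks the link quoted above the way a mail filter could: it follows URL-valued query parameters inward, decoding one layer of percent-encoding per hop, and flags any hop that leaves the trusted domain or lands on a bare IP address. The function names and the `ebay.com` trusted suffix are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# The link from the e-mail, copied from the post above.
PHISH_LINK = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
    "&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2F"
    "eBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl="
    "http%3A%2F%2F184.108.40.206%2FeBayISAPI.php&pageType=1883"
)

def redirect_chain(url, max_depth=5):
    """Return [(param, url), ...], outermost first. Each hop is the first
    query parameter whose decoded value is itself an http(s) URL."""
    chain = [(None, url)]
    for _ in range(max_depth):  # bound the loop against endless nesting
        query = urlsplit(chain[-1][1]).query
        # parse_qsl percent-decodes exactly one layer per call
        nested = [(k, v) for k, v in parse_qsl(query)
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess(url, trusted_suffix):
    """Return (hosts visited, findings) for a link that claims to stay
    on trusted_suffix (hypothetical policy: exact host or subdomain)."""
    chain = redirect_chain(url)
    hosts = [urlsplit(u).hostname or "" for _, u in chain]
    findings = []
    for (param, _), host in zip(chain[1:], hosts[1:]):
        on_site = host == trusted_suffix or host.endswith("." + trusted_suffix)
        if is_ip_literal(host):
            findings.append(f"{param} -> {host}: raw IP address")
        elif not on_site:
            findings.append(f"{param} -> {host}: off-site host")
    return hosts, findings

if __name__ == "__main__":
    hosts, findings = assess(PHISH_LINK, "ebay.com")
    print(" -> ".join(hosts))
    print("\n".join(findings) or "no off-site redirect found")
```

The first two hops are genuine eBay hosts, which is why the link looks legitimate at a glance; only the innermost `DomainUrl` value points elsewhere.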
If you ask me, that’s serious. I’ve fired off an email to [email protected] – we’ll have to hope someone is awake there.
The result is the same, though. Phishing scam. Originating from a PC in Korea at 18.104.22.168 since you ask, pointing to one in France at 22.214.171.124 (owned by Amen.fr).
A final thought: eBay could, and should, stop this. It’s SO easy. How: (1) change the images on its website, constantly. (2) block any display of those images outside the eBay site. I do think eBay bears a lot of responsibility for not proactively tackling this.