

Most realistic EBAY SPOOF I've ever seen!

14 posts in this topic

Account Investigation Important Notice

Dear archiecomics4me (shawn@goldcomics.com),

You have received this email because we have strong reason to believe that your eBay account had been recently compromised used by a third party without your authorization. In order to prevent any fraudulent activity from occurring we are required to open an investigation into this matter. To speed up this process, you are required to verify your eBay infos by following the link below.

http://signin.ebay.com/eBayISAPI.dll?Signln&UserID=archiecomics4me

(To complete the verification process you must fill in all the required fields)

Please Note - If your account informations are not updated within the next 72 hours, then we will assume this account is fraudulent and will be suspended. We apologize for this inconvenience, but the purpose of this verification is to ensure that your eBay account has not been fraudulently used and to combat fraud.

We appreciate your support and understanding, as we work together to keep eBay a safe place to trade.

Thank you for your patience and attention in this important matter.

Regards,

Atticus,
Account Investigation Group

Do not respond to this e-mail, as your reply will not be received.

Copyright 2004 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are trademarks of eBay Inc. is located at Hamilton Avenue, San Jose, CA 95125


Too bad he's an insufficiently_thoughtful_person! This guy is GOING TO JAIL!

HA HA John Holbrook!

Whois Search Results for user-account.info

Domain ID: D6116323-LRMS
Domain Name: USER-ACCOUNT.INFO
Created On: 06-Aug-2004 18:30:55 UTC
Expiration Date: 06-Aug-2005 18:30:55 UTC
Sponsoring Registrar: R141-LRMS
Status: ACTIVE
Status: OK
Registrant ID: C5056234-LRMS
Registrant Name: John Holbrook
Registrant Organization: John Holbrook
Registrant Street1: 721B Desoto St SW
Registrant City: Olympia
Registrant State/Province: WA
Registrant Postal Code: 98512
Registrant Country: US
Registrant Phone: +1.2125533950
Registrant Email: johnholbrook21@juno.com
Admin ID: C5056231-LRMS
Admin Name: John Holbrook
Admin Organization: John Holbrook
Admin Street1: 721B Desoto St SW
Admin City: Olympia
Admin State/Province: WA
Admin Postal Code: 98512
Admin Country: US
Admin Phone: +1.2125533950
Admin Email: johnholbrook21@juno.com
Billing ID: C5056232-LRMS
Billing Name: YahooDomains BillingContact
Billing Organization: Yahoo! Inc
Billing Street1: 701 First Ave.
Billing City: Sunnyvale
Billing State/Province: CA
Billing Postal Code: 94089
Billing Country: US
Billing Phone: +1.6198813096
Billing Email: domain.billing@YAHOO-INC.COM
Tech ID: C5056233-LRMS
Tech Name: YahooDomains TechContact
Tech Organization: Yahoo! Inc
Tech Street1: 701 First Ave.
Tech City: Sunnyvale
Tech State/Province: CA
Tech Postal Code: 94089
Tech Country: US
Tech Phone: +1.6198813096
Tech Email: domain.tech@YAHOO-INC.COM
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM


The emails are getting better and better - trickier and trickier - I delete them all.

If they pop up again and it is legit I would recognize it.

I already had viruses of all kinds because of spoofs and false emails.

CAL


Quoting the WHOIS post above:

Whois Search Results for user-account.info
Domain Name: USER-ACCOUNT.INFO
Registrant Name: John Holbrook
Registrant City: Olympia
Registrant State/Province: WA
Name Server: YNS1.YAHOO.COM

How did you find all this out? Big Brother is definitely watching.


And that's why they call you THE SHIELD!

Thanks! I'm not all hot air either baby - I forwarded that to "spoof@ebay.com".

Thing was, I'm a pretty sharp PC person, and normally these spoofed emails point you to an IP address and not a fully registered DNS name, for the obvious reason up above (if you register a name, they can find you easier!).

At any rate, click on that link up above - it's HILARIOUS, you can just make up a username and password.

I used "Heywood" as the username, and "Jablome" as the password. Of course, it let me log right in!

Hey GUYS - I just tried the site again, and it still works! This is scary - it's very realistic until you get to the "Update Information" page...then it looks like this:

I CANNOT BELIEVE THIS IS STILL FUNCTIONAL! Here's what you get (9:41 A.M. E.S.T. that STILL WORKS!!!)

[image: EBAYSCAM.jpg]


Quoting the WHOIS post above:

Registrant Name: John Holbrook
Registrant City: Olympia
Registrant State/Province: WA
Registrant Postal Code: 98512

What is it with the state of Washington and shady online hijinks?!?


So, I actually called eBay. Lot of good THAT did. They won't let me speak to anyone in the department that receives "spoof@ebay.com" email.

I'm VERY CONCERNED about this one, guys...for fun, I plugged in a fake 16 digit credit card number and it wouldn't proceed unless I entered a valid expiration date for the card! Then, it told me it wasn't a valid CC number (obviously - why not try to get people to enter in multiple CCs?).

Anyway, please be careful out there folks!


Can you tell BOC how you got his info?

Sure. As with anything on the internet, you just need to do a "WHOIS" on the domain + suffix.

Example - In this case, he's using this URL as a link to sign in on:

(This is the fraudulent website)
http://signin.ebay.com.user-account.info/eBayISAPI.dll?VerifyID&PlaceInfo&LogUID=archiecomics

So, the actual domain here is "user-account" with "info" as the suffix. He registered "user-account.info" as a domain name with the Yahoo registrar. Anything preceding the "user-account.info" is either a valid sub domain or domain alias - meaning in the real world when you "ping" "signin.ebay.com.user-account.info", it'll come back as a valid host because there is a DNS entry.

Example:

[image: 568431-EBAYSCAM-2.jpg (ping output)]

So, this 66.218.79.166 is probably the IP address in this guy's house or place of employment, all of which I highly doubt will be working by this afternoon.

A PORT SCAN on 66.218.79.166 reveals:

Port 80: HTTP Error 400 - Bad request. The server has the standard port 80 open, but it is not receiving requests.

Port 443: SSL - Has an invalid SSL certificate, registered to:
"s.p2.hostingprod.com"

However, this was just for my own enjoyment. To get the information that I did above, just go to this site to do a "WHOIS", which simply looks up domain names to their matching registrars (just like an automobile registrar, but for a website):

http://www.internic.net/whois.html

And plug in the domain + suffix, in this case the "user-account.info".

Very basic stuff here, really..

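One way to put the rule in the post above ("the actual domain is the last two parts; everything in front of it is just a subdomain the registrant created") into code, as an added example that is not part of the original thread. It takes the URL shown in the e-mail text and the URL the link really goes to, extracts the registrable domain from each, and reports the mismatches. The set of domains treated as genuinely eBay-owned and the short list of multi-label public suffixes are constructed assumptions for this example; a real tool would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample: domains we would accept as genuinely eBay-operated.
BRAND_DOMAINS = {"ebay.com"}

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# examples here. Production code should use the real PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, without scheme, port or path."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The domain a registrant actually controls: public suffix plus one
    label. 'signin.ebay.com.user-account.info' -> 'user-account.info'."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def brand_embedded(host: str) -> bool:
    """True when a brand domain appears as a run of labels inside the host
    but is not the registrable domain, i.e. the lure pattern in the thread."""
    reg = registrable_domain(host)
    padded = f".{host}."
    return any(f".{b}." in padded and reg != b for b in BRAND_DOMAINS)


def analyse_link(shown: str, href: str) -> dict:
    """Compare the URL displayed in the mail body with the real href."""
    shown_host, real_host = hostname(shown), hostname(href)
    real_reg = registrable_domain(real_host)
    findings = []
    if registrable_domain(shown_host) != real_reg:
        findings.append("displayed link and real href point at different domains")
    if real_reg not in BRAND_DOMAINS:
        findings.append(f"real domain {real_reg!r} is not a known brand domain")
    if brand_embedded(real_host):
        findings.append("brand name embedded as a subdomain of an unrelated domain")
    return {
        "displayed_host": shown_host,
        "real_host": real_host,
        "registrable_domain": real_reg,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Both URLs are the ones quoted in the thread above.
    result = analyse_link(
        "http://signin.ebay.com/eBayISAPI.dll?Signln&UserID=archiecomics4me",
        "http://signin.ebay.com.user-account.info/eBayISAPI.dll"
        "?VerifyID&PlaceInfo&LogUID=archiecomics",
    )
    print("registrable domain of real link:", result["registrable_domain"])
    for finding in result["findings"]:
        print("!", finding)
```

For the two URLs from the thread the script reports all three findings. The value that matters is the registrable domain, user-account.info: it is the only part of the host name the registrant controls, so it is the only part a WHOIS lookup (as done in the post above) applies to; the "signin.ebay.com" labels in front of it cost the scammer nothing.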

Also, a fun little command from your DOS window is "tracert". This will allow you to "trace" a packet from your IP to the destination, and it will tell you every router it passes through. Each "stop" is called a "hop".

U:\>tracert signin.ebay.com.user-account.info

Tracing route to premium2.geo.yahoo.akadns.net [66.218.79.159]
over a maximum of 30 hops:

  1    16 ms   <10 ms   <10 ms  (EDITED FOR MY PROTECTION).gen.twtelecom.net [*EDIT*]
  2   <10 ms   <10 ms    16 ms  tagg-01-t1-5-1-1-27-0.clmb.twtelecom.net [207.67.110.217]
  3   <10 ms   <10 ms    16 ms  dist-01-so-2-0-0-0.clmb.twtelecom.net [66.192.241.201]
  4   <10 ms    16 ms   <10 ms  dist-02-so-0-0-0-0.clmd.twtelecom.net [66.192.241.21]
  5   <10 ms   <10 ms    16 ms  dist-01-ge-3-3-0-0.clmd.twtelecom.net [66.192.241.226]
  6   <10 ms    16 ms   <10 ms  dist-02-so-0-0-0-0.dytn.twtelecom.net [66.192.241.25]
  7   <10 ms    16 ms   <10 ms  dist-01-ge-3-3-0-0.dytn.twtelecom.net [66.192.241.162]
  8   <10 ms    15 ms    16 ms  dist-02-so-0-0-0-0.cncn.twtelecom.net [66.192.241.6]
  9   <10 ms    16 ms    15 ms  dist-01-ge-3-3-0-0.cncn.twtelecom.net [66.192.241.130]
 10   <10 ms    16 ms    16 ms  dist-02-so-0-0-0-0.iplt.twtelecom.net [66.192.241.5]
 11   <10 ms    16 ms    15 ms  dist-01-ge-3-3-0-0.iplt.twtelecom.net [66.192.241.98]
 12    16 ms    16 ms    15 ms  core-02-so-0-1-0-0.chcg.twtelecom.net [66.192.244.100]
 13    16 ms    15 ms    16 ms  core-01-ge-0-2-1-2.chcg.twtelecom.net [66.192.244.64]
 14    16 ms    16 ms    15 ms  66.192.244.36
 15    31 ms    47 ms    31 ms  exchange-cust1.chi.equinix.net [206.223.119.16]
 16    94 ms    93 ms    78 ms  ae0-p803.pat1.pao.yahoo.com [216.115.98.13]
 17    94 ms   109 ms    78 ms  vl28.bas1.scd.yahoo.com [216.115.101.42]
 18    78 ms    78 ms    94 ms  UNKNOWN-66-218-82-230.yahoo.com [66.218.82.230]
 19    78 ms    78 ms    94 ms  p2w3.geo.scd.yahoo.com [66.218.79.159]

So, here's what we can gather from this. Obviously, I'm on Time Warner Telecom. From my computer to the scammer's PC, my packet traveled from Columbus (clmb.twtelecom.net) to Dayton (dytn.twtelecom.net) to Cincinnati (cncn.twtelecom.net) to Indianapolis (iplt.twtelecom.net) to Chicago (chcg.twtelecom.net) to 66.192.244.36 (here it is leaving my ISP to go to one of the main "highways" of the internet).

Equinix.net then gets the request, probably performs an additional reverse DNS lookup on the scammer's IP, then, realizing it's part of Yahoo's classes, sends it along to one of Yahoo's routers.

So, all we know about this scammer is his name, address, who he registered the domain with, his IP address, and his ISP, which is Yahoo DSL (99% sure).

Questions?

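An added example (not from the original post) that parses Windows tracert output of the kind pasted above and collapses the hops into network segments, so the handoff from the poster's ISP (twtelecom.net) through the exchange point (equinix.net) into Yahoo's network (yahoo.com) is visible at a glance instead of having to be read off nineteen lines. The sample text is constructed from a subset of the hops shown above, with the redacted first hop shortened to a placeholder so that the line parses; everything else is taken from the trace as posted.

```python
import re
from typing import Optional

# Constructed sample: a subset of the hops pasted above. The poster's
# redacted first hop is shortened to a placeholder so the line parses.
TRACERT_SAMPLE = """\
Tracing route to premium2.geo.yahoo.akadns.net [66.218.79.159]
over a maximum of 30 hops:

  1    16 ms   <10 ms   <10 ms  (EDITED).gen.twtelecom.net [*EDIT*]
  2   <10 ms   <10 ms    16 ms  tagg-01-t1-5-1-1-27-0.clmb.twtelecom.net [207.67.110.217]
 12    16 ms    16 ms    15 ms  core-02-so-0-1-0-0.chcg.twtelecom.net [66.192.244.100]
 13    16 ms    15 ms    16 ms  core-01-ge-0-2-1-2.chcg.twtelecom.net [66.192.244.64]
 14    16 ms    16 ms    15 ms  66.192.244.36
 15    31 ms    47 ms    31 ms  exchange-cust1.chi.equinix.net [206.223.119.16]
 16    94 ms    93 ms    78 ms  ae0-p803.pat1.pao.yahoo.com [216.115.98.13]
 17    94 ms   109 ms    78 ms  vl28.bas1.scd.yahoo.com [216.115.101.42]
 18    78 ms    78 ms    94 ms  UNKNOWN-66-218-82-230.yahoo.com [66.218.82.230]
 19    78 ms    78 ms    94 ms  p2w3.geo.scd.yahoo.com [66.218.79.159]
"""

HEADER_RE = re.compile(r"Tracing route to (?P<name>\S+)(?: \[(?P<ip>[^\]]+)\])?")
# hop number, three RTT columns ('16 ms', '<10 ms' or '*'), name, optional [ip]
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})"
    r"(?P<target>\S+)(?:\s+\[(?P<ip>[^\]]+)\])?\s*$"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_rtt(token: str) -> Optional[float]:
    """'16 ms' -> 16.0; '<10 ms' -> 10.0 (an upper bound); '*' -> None."""
    if token == "*":
        return None
    return float(token.lstrip("<").split()[0])


def network_of(target: str, ip: Optional[str]) -> str:
    """Group hops by the last two labels of their reverse-DNS name; hops
    with no name (tracert printed only an address) become 'unresolved'."""
    if ip is None and IPV4_RE.fullmatch(target):
        return "unresolved"
    labels = target.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else target


def parse_tracert(text: str) -> dict:
    """Return the destination from the header and one dict per hop line."""
    header = HEADER_RE.search(text)
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank and 'Trace complete.' lines
        rtts = [parse_rtt(t) for t in re.findall(r"<?\d+ ms|\*", m["rtts"])]
        hops.append({
            "hop": int(m["hop"]),
            "name": m["target"],
            "ip": m["ip"] or m["target"],
            "rtts": rtts,
            "network": network_of(m["target"], m["ip"]),
        })
    return {
        "destination": header["name"] if header else None,
        "destination_ip": header["ip"] if header else None,
        "hops": hops,
    }


def segments(hops: list) -> list:
    """Collapse consecutive hops in the same network into one segment,
    keeping the worst RTT seen, so the administrative handoffs stand out."""
    out = []
    for h in hops:
        measured = [r for r in h["rtts"] if r is not None]
        worst = max(measured) if measured else None
        if out and out[-1]["network"] == h["network"]:
            seg = out[-1]
            seg["last_hop"] = h["hop"]
            if worst is not None and (seg["max_rtt_ms"] is None or worst > seg["max_rtt_ms"]):
                seg["max_rtt_ms"] = worst
        else:
            out.append({"network": h["network"], "first_hop": h["hop"],
                        "last_hop": h["hop"], "max_rtt_ms": worst})
    return out


if __name__ == "__main__":
    info = parse_tracert(TRACERT_SAMPLE)
    print(f"destination {info['destination']} [{info['destination_ip']}]")
    for seg in segments(info["hops"]):
        print(f"hops {seg['first_hop']:>2}-{seg['last_hop']:<2} {seg['network']:<14} "
              f"worst RTT {seg['max_rtt_ms']} ms")
```

On the sample the summary is four segments: twtelecom.net, one unresolved hop (the 66.192.244.36 router the poster reads as the ISP's exit), equinix.net, and yahoo.com, with the RTT jump from about 16 ms to 78 ms and above marking where the path leaves the regional carrier. Grouping by the last two DNS labels is a heuristic, not an ASN lookup; a hop whose reverse DNS is missing or misleading lands in the wrong bucket.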

I've been receiving 2nd chance offer spoofs as well:

You expressed interest in an item titled "Brave & Bold 30 CGC 9.0, NO RSV, HIGHEST GRADED COPY" Item number: 2258396365, by bidding, however the auction has ended with another member as the high bidder. In compliance with eBay policy, the seller is making this Second Chance Offer to you at your bid price of US $2,650.00. The seller has issued this Second Chance Offer because either the winning bidder was unable to complete the transaction or the seller has duplicate items for sale. If you accept this offer, you will be able to exchange Feedback with the seller and will be eligible for eBay services associated with a transaction, such as fraud protection. This offer expires, Aug 20, 2004 19:01:36 PST.

To see this item, click on the following page:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2258396365

To learn more about Second Chance Offer go to:
http://pages.ebay.com/help/sell/personal_offer.html

Thank you, eBay, Inc.

Email came from - congratulations_luckyday@hotmail.com.


I too was spoofed and somebody started selling under MY name. I received a similar email on Monday from eBay telling me to update my account info within 48 hrs or my account would be suspended. I usually don't reply to these things, but I realized my AMEX card on eBay was no longer valid and I never updated (because I haven't sold anything in over 3 years). So I go click on the link and put in my eBay name & password. The first page asks me to update my CC and I did. This is when things start getting weird. I click continue and it asks me to enter my bank account, routing #, Social Security #. I'm thinking why the hell do they need this info when all I do is buy? So I close the link and forgot about it. This morning, I couldn't sign on to eBay. I go to Live chat (they were very helpful) & told them. They said I had an item up for sale and I was stunned. After 2 hours of talking to eBay, cancelling my CCs, and changing all my passwords I finally have things back to normal. But you want to know what was really messed up? My email address was changed to harley_softail@wwwebayelectronics.com. Inside job? Who knows, but please be careful, there are a lot of filthy animals out there.
