WARNING.....a Digitpress scumbag is among us!!



jjessop
04-14-2004, 11:41 PM
Heads up all on a scam that points back to a Digital Press site visitor!

Got my first Ebay "Phishing" scam email today and knew it was fake right away. Started tracing the email and the fake page it directed to and found that it was a Road Runner user in New York State. Contacted Road Runner countless times via phone and email to no avail. Then contacted Ebay through some work contacts and got them to shut it down. To make a long story short, the Ebay logo used in the email was linked to Digitpress.com........how odd? Clearly I was targeted by somebody in the classic community from just outside New York.

Address : 24.59.248.67
Name : syr-24-59-248-67.twcny.rr.com (.COM | US Commercial)

Here is the complete email source for your enjoyment or to investigate.

Received: from 64.70.191.167 (24.59.248.67) by DEDICATED (MailMax 4. 8. 3. 0) with ESMTP id 86811920 for jerry@jessopland.com; Wed, 14 Apr 2004 00:44:41 -0700 PDT
Received: from [181.137.163.223]
by 64.70.191.167 id Ewh6u6uEa1gw
for <jerry@jessopland.com>; Wed, 14 Apr 2004 06:02:32 -0300
Message-ID: <7$-i-$--$bsha86aq76-$6dfrk$attq@p1r.0o>
From: "eBay" <security@ebay.com>
Reply-To: "eBay" <security@ebay.com>
To: <jerry@jessopland.com>
Subject: Please Update Your eBay Account
Date: Wed, 14 Apr 2004 06:02:32 -0300
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="60E6DA4__D"
X-Priority: 3


--60E6DA4__D
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>

<BODY>
<IMG SRC=3D"http://www.digitpress.com/images/logo_ebay.gif">










Dear eBay Customer
For security reasons eBay conducts monthly tests to =
insure your profile information is valid.

It has come to our attention your creditcard information on file is invali=
d. We ask that you please update your eBay profile

to contain up-to-date information, you may follow the link below to update=
your eBay profile.

<a href=3D"http://24.59.248.67">http://cgi.ebay=
com/update</A>


Sincerely, eBay
</BODY>
</HTML>

--60E6DA4__D--

Ed Oscuro
04-14-2004, 11:48 PM
I'VE BEEN FOUND OUT! :O

Alright. I see you got all the information, but is it inconceivable to think that the Roundtabler was simply the unlucky target of a complex attempt to hide the origin? I wouldn't doubt it. It's always possible that this is just a coverup attempt. All the same I don't mind that you posted that guy's info; if he's not at fault he'd better let us all know :P

calthaer
04-14-2004, 11:50 PM
It's also entirely possible that they were looking for ebay icons to mooch off of, and did a search on Google images for it - and happened to like the one that Digitpress.com had.

Their relation to Digitpress may be entirely coincidental.

Ed Oscuro
04-14-2004, 11:52 PM
Just so that doesn't look totally retarded, what I mean to say is that it's possible somebody has figured out a Roundtabler's IP (an IP of what? Their email address? Home site listed on an eBay auction), managed to get an IP from that ISP and then sent out the fake email. Or something quite different; I have no clue.

If this was Forumplanet I'd start checking out IPs like crazy, though, just to make sure.

I just have a hard time believing any phisher (hate that term...) would be so dumb.

Ed Oscuro
04-14-2004, 11:55 PM
Gosh I hate how long it takes to edit here.

Anyhow, I didn't look at that closely enough. I think the Bard's quite right; the email's obviously fake and the Digitpress logo was obviously lifted. If I were to Go Phishing I sure as heck wouldn't put a clue as to where I'm from in there.

It was put in there to give somebody a straw to grasp at. You've been had...don't let this phisher turn you against your fellow forumers without good proof!

tholly
04-15-2004, 12:17 AM
i would say that since you didn't get ripped off or anything like that, then just use this as an experience that you now know how to protect yourself and just ignore it and let it go

§ Gideon §
04-15-2004, 12:56 AM
Ooh, it sounds like tholly did it.

Joking! I don't even know what phishing is...

jjessop
04-15-2004, 01:44 AM
I have had collectors (make that "a" collector) spoof and forge my emails along as usenet posts in the past so I take this stuff very seriously.

Funny.....that person was also just outside NYC as well.........ummm

This was no accident.

Jerry



i would say that since you didn't get ripped off or anything like that, then just use this as an experience that you now know how to protect yourself and just ignore it and let it go

whoisKeel
04-15-2004, 01:57 AM
i hope digitpress is on this and text-searching the logs for matching an IP address....

i'm sure it's nothing though

but always remember:

"Just because you're paranoid
Don't mean they're not after you."
--Kurt Cobain

ok...i would never quote kurt cobain, but this one's a keeper.

Ed Oscuro
04-15-2004, 02:04 AM
Funny.....that person was also just outside NYC as well.........ummm
At this very moment I am having an AIM conversation with somebody who is INSIDE New York City! Explain why the "location" is so significant?

Funkenstein
04-15-2004, 02:06 AM
Hmmm. I don't want to sound naive, but I'm in the same boat as gideon.

Can someone tell me what "phishing" is so I don't fall prey to it? I'm going to assume it's when someone sends you an email under an ebay account saying "i sel gmes email me 4 lst" and then you promptly ignore it, but I'd like to make sure.

Phosphor Dot Fossils
04-15-2004, 03:10 AM
I'm sure Joe will give this a look-see in the morning. We put the little guy to bed pretty early, actually. He's still a growing boy.

I think the most likely answer here is that some clever jerk Googled for an eBay logo that isn't on eBay's servers, and found one here. They're smart enough that they don't want to attract eBay's attention by sucking bandwidth from them, but dumb enough to think that no one else will be trying to figure it out.

So really, Jerry, I understand you getting your back up about it, but I doubt it was personal - more likely a coincidence that a scammer who targeted quite a few people, including you, is filching a logo from the DP server.

Funkenstein: "Phishing" is where someone falsifies an official notice from eBay, a credit card company like Citibank, Paypal, etc., trying to get unsuspecting users to enter their personal information, usually supposedly to "re-verify" their account or somesuch. What the unsuspecting users don't realize is that the information is actually sent to someone else's server, and that someone else handily goes about stealing the identity of those who fell for the okeydoke. It's fairly common, and if you look at the source code of the messages there are almost always gaping huge dead giveaways (i.e. the web link in the source code of the message Jerry received tries to make it look like the info will be sent to eBay's server, when in fact it'll send the info to someone waiting at a numeric IP address.)

We'll see what the experts have to say tomorrow.

digitalpress
04-15-2004, 03:31 AM
I did receive an e-mail earlier this evening alerting me to this.

Whoever it is probably typed "ebay logo" into their google box, clicked on "images" and BAM - there was OUR eBay logo, of all things! It wasn't even being used by any of our pages, it's in place for the home page news stories, should an interesting auction ever make news.

Anyway, I've already changed the logo:
http://www.digitpress.com/images/logo_ebay.gif

I have all of the logs for the past few months, what should I be looking for - Just IP's that have hit that particular file?

robotriot
04-15-2004, 03:32 AM
I investigated a little ... if you search (http://images.google.de/images?q=ebay+logo&hl=de&lr=&ie=UTF-8&oe=UTF-8) Google for ebay logo, the first _isolated_ ebay logo that comes up is the one on digitpress.com. So that's where that guy got the logo from, he is 100% not related to the community here. Digitalpress should rename the ebay logo file so that it can't be found anymore via Google search and to avoid future irritations :)

Damn, Digitalpress you beat me to it by a minute ;P

Phosphor Dot Fossils
04-15-2004, 03:35 AM
Now both of you get back to bed before you wake your mother up! LOL

GaijinPunch
04-15-2004, 04:33 AM
I have all of the logs for the past few months, what should I be looking for - Just IP's that have hit that particular file?

No, b/c anyone that received the email would've had their IPs logged. Also, unless you've got a magical script, you can't log an IP when it hits a JPG.

The best way to find out where he is:
Find the X-Originating-IP in the email header.
Then use "whois" on it.

We got an email recently that was shady at best. The guy was posing as a Brit, using a lycos.co.uk account. When I ran whois on the X-Originating-IP, I found out he was logged in through AOL in Dulles, Virginia. :)
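A sketch of the header-tracing step from the post above, as an added example that is not part of the original thread. It pulls the addresses worth a whois lookup out of a message's headers; the sample is abridged from the message source quoted at the top of the thread (the "for" clauses are dropped), the function names are made up for illustration, and it assumes the newest Received line was written by the recipient's own server with the connecting peer as the last address in its "from" part.

```python
import re
from email import message_from_string

# Abridged from the headers quoted at the top of this thread.
SAMPLE_HEADERS = """\
Received: from 64.70.191.167 (24.59.248.67) by DEDICATED (MailMax 4. 8. 3. 0) with ESMTP id 86811920; Wed, 14 Apr 2004 00:44:41 -0700 PDT
Received: from [181.137.163.223]
 by 64.70.191.167 id Ewh6u6uEa1gw; Wed, 14 Apr 2004 06:02:32 -0300
From: "eBay" <security@ebay.com>
Subject: Please Update Your eBay Account

"""
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def received_hops(raw):
    """Return Received hops, newest first, with the IPv4 literals each names."""
    hops = []
    for i, value in enumerate(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        from_part = flat.split(" by ", 1)[0]    # ignore the receiving side
        hops.append({
            "ips": IPV4.findall(from_part),
            # Only the newest hop comes from the recipient's own server;
            # older hops were supplied by the sender and may be forged.
            "trusted": i == 0,
            "raw": flat,
        })
    return hops

def whois_targets(raw):
    """Addresses worth a whois lookup: connecting peer and X-Originating-IP."""
    targets = {}
    hops = received_hops(raw)
    if hops and hops[0]["ips"]:
        # Assumption: the last address in the newest hop is the connecting peer.
        targets["connecting_peer"] = hops[0]["ips"][-1]
    xoip = IPV4.search(message_from_string(raw).get("X-Originating-IP", ""))
    if xoip:
        # Present only when the sending service adds this header.
        targets["x_originating_ip"] = xoip.group(0)
    return targets
```

On the sample, the connecting peer is the same address the phishing link points to.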

punkoffgirl
04-15-2004, 05:01 AM
I have had collectors (make that "a" collector) spoof and forge my emails along as usenet posts in the past so I take this stuff very seriously.

Funny.....that person was also just outside NYC as well.........ummm

This was no accident.

Jerry



i would say that since you didn't get ripped off or anything like that, then just use this as an experience that you now know how to protect yourself and just ignore it and let it go

You seem to have a specific person in mind. Care to share?