A while back I started to wonder if my phishing providers really cared about my business. They were getting seriously lazy- using generic “Your Online Bank” instead of a real bank name, no longer personalizing my emails, and using links practically entitled, “stealmyinfo.com”.

Starting last week someone finally started working for my business. It’s nice to see that entrepreneurial spirit finally returning to the land of spam and opportunity.

Here’s what I found in my Inbox (click to enlarge):

Picture 1-1

Since not all of you regularly dissect phishing attacks, let’s have a little fun and pull this puppy apart.

The above is a perfectly-formatted Ebay member-to-member email. Other than the whole “I don’t have an Ebay account on this address” thing, but at least it looks pretty.

So my obvious first clue was the account bit. And the second was that I wasn’t running an auction. But here’s where it got interesting- by clicking on the item number it linked to a real auction! Not too shabby. Every other link, other than one (which we’ll get to) was real.

Since I wondered if this was some hack on Ebay I decided to look at the message headers (View: Message: Long Headers in Apple Mail):

Picture 2

Oh well. It’s really from kgonzalez@mail.ampsa.com.pa, not Ebay. Bummer, just when I was feeling special they barely even spoof their email. So much for professional pride.

Viewing the raw source of the message reveals that nearly every link except one goes back to Ebay. That link?

Somewhere in Japan that looks just like the Ebay login.

Now I get it. The scam was to trick me into logging in to Ebay to respond and tell the “sender” that I wasn’t running an auction for ” cabachon sapphires in 14K yel gold,different, NR :O)”. (Which eventually went for $275).

The site, which was at (spaces added to prevent accidental clicking, but it’s down now) http:// ns.postup02.net/~tanimua/ .cgi-bin/ws/ISAPIdllUPdate/ISAPIdllSignInpUserId=co_partnerId=siteid=0pageType=-1pa1=UsingSSL=1bshowgif=favoritenav=errmsg=8/index.html had a great looking login page I wish I took a screenshot of. I also wish I’d logged in with fake credentials, but I suspect the second part of the scam might have been to get me to enter my PayPal credentials.

Either way, they could own my EBay account, or PayPal account (maybe).

I’ve had a couple more similar messages since that one, but haven’t had the time to check them out. I (of course) used a “safe” browser not subject to any Javascript games. If I’d been really curious I would have accessed it from a vulnerable browser in a virtual machine, just to see what happens.

Overall this isn’t the kind of thing that would fool anyone with some healthy skepticism, but I know plenty of innocents that would easily fall for it. Most users don’t know how to read an email header, or even where to find it in our nice GUI mail applications.

Sometimes it’s fun to see where these phishing emails take you. Just make sure you wear protection and only try it from an isolated system.

And it’s nice to know I’m worth a little effort again. I was starting to worry if it was me.