Date of Distribution
Web page/site origin
See our guide to
See our guides to
PLEASE SEND US YOUR
EMAIL HOAX SCAMS
click here to
use our online
Spoof eBay email received by an eBay user on the 2nd August 2003.....
How it works...
The Email Header...
The highlighted part is the bit that we should be interested in here, it gives the server address for the source of the email. This server belongs to the Adducent Corporation who were very helpful in tracing the email's path further, see the Investigation Summary for details on that. As I have stated in my article on Spoofs , almost 100% of email headers can be spoofed if the scammer has sufficient knowledge of how to ( I am not going to be discussing those gritty details here because quite a few search engine referals to this site ask "how to spoof an email", which is the opposite of this site's purpose ). However, in this instance the highlighted portion clearly shows us that the email definitely did not originate from eBay at all - ownership records show that this particular server has nothing to do with eBay at all (ownership records can be found by conducting a whois lookup ).
As stated before, the code written around the 'Submit>' button causes the information entered into the form (and once the button is pressed) to be relayed to a CGI script which would have either saved the information into a file for later retrieval or further relayed to the scammer(s). These kinds of scripts are very common in web design but a good knowledge of design is needed to put it into use in email and/or web pages. The web page that you would have arrived at would most likely have appeared to be a genuine eBay page as is commonly the case (see a copy of a spoof web page here ).
I used information contained within the email's header to trace the email's route, and I was even more concerned with that result. It had originated from a domain called loveothers.com, which is owned by the Adducent Corporation. I took a look at their web site and it was immediately clear that they would not be involved in this kind of scam. I contacted their CEO (Scott Malcolm) who was very helpful and emailed me by return with further information on the email's origin. Scott states that his technical people have determined that hackers reached their mail server 'via an authenticated ebay IP address'. This is very worrying, but reminds us how real it is that most SMTP servers can be used for the purposes of distrbuting these email scams.
The problem with conducting an investigation after reporting the issue is that things get shut down, and sources close, very quickly. However, I also looked into ownership of the domain user-access2.com to which the information would have been relayed. To be frank, I cannot say for certain that the ownership details are correct, I am awaiting confirmation of the contact information given, and whilst that information does correlate with records of living person at the address given, there are a couple of pieces of false information included (such as the email address and telephone number) and it does not necessarily mean that that person has actually set up that domain. The domain was first registered on 29th July 2003, which is just 4 days before the email was received; this would imply that the domain was set up purely to operate this scam. I am not going to publish the domain ownership details at this point or until I receive some confirmation from the genuine individual at the contact information given during the domain registration process.
The domain was being hosted by ipowerweb.com, and I am still awaiting further information from them. I expect to publish this on receipt and following any further enquiries, so this page will be updated in the near future . The problem with domain registration is that the system does not require you verify the registrant's details, so you could pretty much register a domain with any registrant information you wanted.
From the information I've found, I so far believe that fraudsters have created a domain with false contact information, and that they most likely did so with stolen credit card information (domain registration is almost instant with a credit card). I expect that this will be confirmed in the near future not least by a change in the registrant's information for the domain (when payment for the domain gets refused) and verified by responses that I receive to my enquiries (from the registrant data and the domain host).
If it is found that the domain registrant's information is genuine and that they are involved in this spoof, it would be a very foolish act indeed, not least because they have left themselves open to tracing.
I have also forwarded a reports, via the web forms provided to for this kind of issue, to the Federal Trade Commission, FBI and the International Web Police who take up this kind of internet fraud crime and pursue the problem until criminal justice can be brought to the perpetrators. I must urge anyone who receives these kinds of spoofs to make these reports.
I cannot emphasis enough to you that eBay would NOT request your user data, credit card data or your banking data by email. Any such information would be only be requested from within their own web site on one of their own web pages. If you want to be sure that you are at the right web site, please read my article on spoof email and spoof web pages where you'll see other examples of this kind of email and also spoof web pages.
|© Copyright MillerSmiles.co.uk. All Rights Reserved. .|