This is Advanced Corporate Planning.com

eBay scam #1

You may be a victim in a new phishing scam. You may get this email:

Date:      Fri, 03 Oct 2003 17:13:16 +0000
From:     eBay
Subject:     0fficial Notice for all eBay users
To:     (victim's email address)
Reply To:     eBay

NOTE: The text shown below is actually an image file, Pic.Gif. The border has been removed so you can't spot it unless you are looking for it. More on this in a minute.

NOTE: The text shown below is actually white on a white background, so it does not show up except to spam filters. Spam filters generally reject anything where the majority of the message is a picture, so this hidden filler makes the message look as if it contains real text.

in 1801 I object to... Rrl How much is that? in 1906 in 1934 .Let's come back VEiEbJv UhoFoUkaXTo rO

in 1940 in 1829 loook at 197 over there 0 it's beautiful 399 in 1828 exercising enough

что там I'd love Just a moment! in 1969 in 1980 in 1980 loX the most in 1928 As far as I know Well done! in 1932 TIME.com: Gaddafi's Confession?






This is the text of the message in pic.gif:

Dear eBay User,

During our regular update and verification of the accounts, we couldn't verify your current information. Either your information has changed or it is incomplete.

As a result, your access to bid or buy on eBay has been restricted. To start using your eBay account fully, please update and verify your information by clicking below :

https://scgi.ebay.com/saw-cgi/ebayISAPI.dll?VerifyInformation

regards,
eBay



 **Please Do Not Reply To This E-Mail As You Will Not Receive A Response**

The code looks like this:

(Note: so that you can see the code rather than the message, I have substituted parentheses for the less-than and greater-than angle brackets.)

(x) (p)(a target=newwin href="http%3a%2f%2fscgi%2eebay%2ecom%2569%256E%2564%2565%2578%2575%2570
%2564%2561%2574%2565%2579%256F%2575%2572%2569%256E%2566%256F%2572%256D%2561%2574
%2569%256F%256E%2573%2565%2563%2575%2572%2565%40%2532%2531%2531%252E%2531%2537%2530
%252E%2539%2537%252E%2532%2530%2532%3a%2535%2538%2530%2531%2f%2573%2565%2563%2575
%2572%2569%2574%2579%2f%2569%256E%2564%2565%2578%252E%2568%2574%256D")
(img src="cid:pic.gif" border="0")(/p)

(p)(font color="#FFFFF1")in 1801 I object to... Rrl How much is that? in 1906 in 1934 .Let's come back VEiEbJv UhoFoUkaXTo rO(/font)(/p)

(p)(font color="#FFFFF7")in 1940 in 1829 loook at 197 over there 0 it's beautiful 399 in 1828 exercising enough(/font)(/p)

(p)(font color="#FFFFF9")что там I'd love Just a moment! in 1969 in 1980 in 1980 loX the most in 1928 As far as I know Well done! in 1932 TIME.com: Gaddafi's Confession? (/font)(/p)
(x)
(x)
(p)(hr)(p)
(img src="pic.gif?ctype=image/gif&download=n&rfname=tmp_22743084.68109.gif&delete_after_download=yes")

What is going on here?



The Key to Magic is Misdirection

The first trick: the text is NOT text, it is an image. The link wraps Pic.Gif, so when you click on what looks like the link you are really clicking on Pic.Gif, which directs you to:

DO NOT CLICK HERE
http://scgi.ebay.com/indexupdateyourinformationsecure@211.170.97.202:5801/security/index.php
DO NOT CLICK HERE

instead of https://scgi.ebay.com/saw-cgi/ebayISAPI.dll?VerifyInformation

The port, :5801, could be opening a door from the scam site to your computer so they can plant a virus, Trojan horse, worm or other program on your computer AND read private information from your computer. The security/index.php would load a web page where they can collect your information with an authentic-looking site. Note that by using the IP address (211.170.97.202) they do not need a real domain, domain name, etc. Everything in front of the @ sign is treated as login information, not as the site address, so the address actually contacted is the part after the @.

Who is this?

A reverse IP search turns up:

211.170.97.202

Record Type: IP Address
IP Location: Thailand - Phuket - Phuket - Joonpc37
Reverse IP: No websites hosted using this IP address
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.php

inetnum: 211.170.97.192 - 211.170.97.223
netname: JOONPC37-KR
descr: JunpcRoom
descr: B1 231-10 Poi-Dong Kangnam-Gu
descr: SEOUL
descr: 135-260
country: KR
admin-c: KK473-AP
tech-c: KK473-AP
mnt-by: MAINT-KR-DACOM
status: ASSIGNED NON-PORTABLE
changed: hm-changed@apnic.net 20021023
source: APNIC

person: Kyoungwhan Kim
address: JunpcRoom
address: B1 231-10 Poi-Dong Kangnam-Gu
address: SEOUL
address: 135-260
country: KR
phone: +82-2-576-8827
fax-no: +82-2-576-8827
e-mail: sysop04@soback.kornet.net
nic-hdl: KK473-AP
mnt-by: MAINT-KR-DACOM
remarks: imported from KRNIC
changed: hm-changed@apnic.net 20021022
source: APNIC

What this means is that a group of IP addresses is owned by a Korean company with the name of JunpcRoom, and a person's name, Kyoungwhan Kim, was used. This name may or may not be a real person, but 32 IP addresses are not cheap. Someone spent some money for this, or stole computer space and time from these people.

How did we translate the address from the gibberish numbers? That part is easy (for programmers). Computers do NOT see letters. They see a number to which a letter is assigned. The most common number system is ASCII, in which capital A starts at 64, etc.

But this is not all numeric, you cry, what about numbers like 6E? Well, computers do not think in decimal, they think in hexadecimal (base 16), so the number after 9 is not 10 but a, b, c, d, e, f, and then 10, as in 1 sixteen and 0 integers. So we programmers make tables for translation with all the math for conversion all set up. NOTE: the %25 tells the web that next is a hexadecimal value.

Code   value

%2569   i
%256E   n
%2564   d
%2565   e
%2578   x
%2575   u
%2570   p
%2564   d
%2561   a
%2574   t
%2565   e
%2579   y
%256F   o
%2575   u
%2572   r
%2569   i
%256E   n
%2566   f
%256F   o
%2572   r
%256D   m
%2561   a
%2574   t
%2569   i
%256F   o
%256E   n
%2573   s
%2565   e
%2563   c
%2575   u
%2572   r
%2565   e
%40      @
%2532   2
%2531   1
%2531   1
%252E   .
%2531   1
%2537   7
%2530   0
%252E   .
%2539   9
%2537   7
%252E   .
%2532   2
%2530   0
%2532   2
%3a      :
%2535   5
%2538   8
%2530   0
%2531   1
%2f      /
%2573   s
%2565   e
%2563   c
%2575   u
%2572   r
%2569   i
%2574   t
%2579   y
%2f      /
%2569   i
%256E   n
%2564   d
%2565   e
%2578   x
%252E   .
%2568   h
%2574   t
%256D   m
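
An added example, not part of the original page: the same translation done in Python, decoding the href from the code listing above until nothing is left to decode and then splitting out where the link really goes. The function names and the wording of the warning flags are my own choices for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# The href from the email's anchor tag, copied from the listing above.
HREF = (
    "http%3a%2f%2fscgi%2eebay%2ecom%2569%256E%2564%2565%2578%2575%2570"
    "%2564%2561%2574%2565%2579%256F%2575%2572%2569%256E%2566%256F%2572%256D%2561%2574"
    "%2569%256F%256E%2573%2565%2563%2575%2572%2565%40%2532%2531%2531%252E%2531%2537%2530"
    "%252E%2539%2537%252E%2532%2530%2532%3a%2535%2538%2530%2531%2f%2573%2565%2563%2575"
    "%2572%2569%2574%2579%2f%2569%256E%2564%2565%2578%252E%2568%2574%256D"
)


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly until the text stops changing."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def analyze_href(href):
    """Return the real destination of a link plus the reasons it looks deceptive."""
    url, rounds = fully_decode(href)
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    flags = []
    if rounds > 1:
        flags.append("percent-encoded more than once")
    if parts.username:
        flags.append("text before '@' is login info, not the site")
    if host_is_ip:
        flags.append("destination is a bare IP address")
    if parts.port not in (None, 80, 443):
        flags.append("non-standard port")
    return {"decoded": url, "rounds": rounds, "userinfo": parts.username,
            "host": host, "port": parts.port, "path": parts.path, "flags": flags}


if __name__ == "__main__":
    for key, value in analyze_href(HREF).items():
        print(f"{key:9} {value}")
```

On the href above the decode takes two passes, because each %25 is itself an encoded % sign. The result is host 211.170.97.202, port 5801, path /security/index.htm, with scgi.ebay.comindexupdateyourinformationsecure left in front of the @ as login text.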

Note that the anchor tag is not closed with an (/a); hence the whole thing, including the picture, becomes the link.

And that is how they get you to click on a link that says it is going somewhere but is going to a different place, so they can infect your computer and steal your information, credit, even your ID.




Lynn R. Siewert AIMC
Pension Consultant   |   Branch Manager

© 2006 Advanced Corporate Planning
All rights reserved