This is the text of the message in pic.gif
Dear eBay User,
During our regular update and verification of the accounts, we couldn't verify your current information. Either your information has changed or it is incomplete.
As a result, your access to bid or buy on eBay has been restricted. To start using your eBay account fully, please update and verify your information by clicking below :
https://scgi.ebay.com/saw-cgi/ebayISAPI.dll?VerifyInformation
regards,
eBay
**Please Do Not Reply To This E-Mail As You Will Not Receive A Response**
The code looks like
(note: so that you can see the code rather than the message, I have substituted parentheses for the less-than and greater-than angle brackets)
(x)
(p)(a target=newwin href="http%3a%2f%2fscgi%2eebay%2ecom%2569%256E%2564%2565%2578%2575%2570
%2564%2561%2574%2565%2579%256F%2575%2572%2569%256E%2566%256F%2572%256D%2561%2574
%2569%256F%256E%2573%2565%2563%2575%2572%2565%40%2532%2531%2531%252E%2534%2537
%252E%2531%2539%2531%252E%2531%2532%2535%3a%2531%2539%2539%2f%2569%256E%2564%2565
%2578%252E%2568%2574%256D")
(img src="cid:pic.gif" ALT="" border="0")(/p)
(p)( font color="#FFFFF2")in 1933 As far as I know gJb in 1906 Franckly speaking date of birth When is the next? VeONzGk hhNnGKNIuOL YY(/font -->(/p)
(p)( font color="#FFFFF4")would you like to pay and when it Don't worry 295 in 1980 3 How are you? 662 ANALYSIS NYTimes in 1806(/font -->(/p)
(p)( font color="#FFFFF7")for teen in hazing 3 million in race case Yes, it's great. Look at 'Outlaw Volleyball' Well, we've got NDe will do It Don't get excited! in 1959 all round in 1802 from the (/font)(/p)
(/a)(x)(x)
(p)(hr)(p)
What is going on here?
The Key to Magic is Misdirection
the first trick - The text is NOT text, it is an image. The whole message body is pic.gif, and the (img) tag sits inside the (a ... href=...) tag, so clicking anywhere on the picture follows that href, which points to :
DO NOT CLICK HERE
http://scgi.ebay.comindexupdateyourinformationsecure@211.47.191.125:199/index.htm
DO NOT CLICK HERE
instead of https://scgi.ebay.com/saw-cgi/ebayISAPI.dll?VerifyInformation, which is what the picture shows.
The second trick is the @ sign. In a web address, anything between the // and the @ is a user name, not a site name, so scgi.ebay.comindexupdateyourinformationsecure is treated as a user name and the browser actually connects to 211.47.191.125. Note that there is no slash after .com; with a slash the address really would go to eBay. The PORT, :199, is simply the port the scammer's web server listens on (a normal web server listens on 80). It does not open any door from the scam site into your computer; a hostile page can try to exploit flaws in your browser, but the point of this one is the page itself, index.htm, which is an authentic-looking copy of eBay's form that collects whatever you type into it. By using a bare IP address (211.47.191.125) they do not need to register a domain name. The third trick is the three paragraphs of random sentences in near-white (#FFFFF2, #FFFFF4, #FFFFF7): on a white background the reader never sees them, and they are there to confuse spam filters.
Who is this?
a reverse IP lookup and a whois query turn up:
211.47.191.125
Record Type: IP Address
IP Location: Korea, Republic Of - Kyonggi-do - Seoul - Krnic
Reverse IP: No websites hosted using this IP address
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.php
inetnum: 211.47.191.64 - 211.47.191.127
netname: HANINTERNET-LLINE-E2B-KR
descr: E2B
descr: 8, Samseong-dong , Gangnam-gu
descr: SEOUL
descr: 135-090
country: KR
admin-c: SJ913-KR
tech-c: SJ914-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20031006
source: KRNIC
person: SIJUN JIN
descr: E2B
descr: 8, Samseong-dong , Gangnam-gu
descr: SEOUL
descr: 135-090
country: KR
phone: +82-2-3775-6419
e-mail: DK_SUH@E2B.CO.KR
nic-hdl: SJ913-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20031006
source: KRNIC
What does all this tell me?
What this means is that a block of 64 IP addresses (211.47.191.64 - 211.47.191.127) is allocated to a Korean company named E2B, with a contact person named Sijun Jin. That tells us where the scam server sits, not who the scammer is: the name may or may not be a real person, and the machine is either rented from E2B by the scammers or belongs to someone else entirely and was broken into. Either way, the organization listed in whois is who to send an abuse report to; they are not necessarily the culprit.
How did we translate the address from the gibberish numbers? That part is easy (for programmers). Computers do NOT see letters. They store a number for each letter. The most common assignment is ASCII, in which capital A is 65, B is 66 and so on, and lower-case a starts at 97.
But this is not all numeric, you cry, what about numbers like 6E? The numbers are written in hexadecimal (base 16): after 9 come a, b, c, d, e, f, and then 10 means one sixteen and zero ones, so 6E is 6 x 16 + 14 = 110, which is ASCII for n. In a web address a % followed by two hex digits stands for the character with that number: %40 is @, %3a is :, %2f is /. The trick here is that %25 is the code for the % sign itself, so the browser's first decoding pass turns %2569 into %69, and only a second pass turns %69 into i. The address was encoded twice, which is why nothing in the raw link reads like an address; only the separators (@, :, /) were encoded once, so they are already in place after the first pass. So we programmers make tables for translation with all the math for conversion set up:
raw     after one pass   character
%2569   %69              i
%256E   %6E              n
%2564   %64              d
%2565   %65              e
%2578   %78              x
%2575   %75              u
%2570   %70              p
%2564   %64              d
%2561   %61              a
%2574   %74              t
%2565   %65              e
%2579   %79              y
%256F   %6F              o
%2575   %75              u
%2572   %72              r
%2569   %69              i
%256E   %6E              n
%2566   %66              f
%256F   %6F              o
%2572   %72              r
%256D   %6D              m
%2561   %61              a
%2574   %74              t
%2569   %69              i
%256F   %6F              o
%256E   %6E              n
%2573   %73              s
%2565   %65              e
%2563   %63              c
%2575   %75              u
%2572   %72              r
%2565   %65              e
%40     @                @   (encoded only once)
%2532   %32              2
%2531   %31              1
%2531   %31              1
%252E   %2E              .
%2534   %34              4
%2537   %37              7
%252E   %2E              .
%2531   %31              1
%2539   %39              9
%2531   %31              1
%252E   %2E              .
%2531   %31              1
%2532   %32              2
%2535   %35              5
%3a     :                :   (encoded only once)
%2531   %31              1
%2539   %39              9
%2539   %39              9
%2f     /                /   (encoded only once)
%2569   %69              i
%256E   %6E              n
%2564   %64              d
%2565   %65              e
%2578   %78              x
%252E   %2E              .
%2568   %68              h
%2574   %74              t
%256D   %6D              m
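Here is the same decoding, and the check a link filter would make, written out as a Python example. It is added here and is not code from the original page or from eBay. It uses the href and the displayed address exactly as they appear above (with the line wrapping removed) and nothing but the standard library: it peels off the percent-encoding one pass at a time, so you can see that the separators @, : and / are in place after the first pass while the host is still hidden, then splits the fully decoded address the way a browser does and lists the warning signs. The function names are my own, and the decoder handles any number of encoding layers, not just the two used in this mail.

```python
"""Decode the double-encoded phishing link and show where it really points.
Added example, not code from the original page or from eBay."""
import ipaddress
from urllib.parse import unquote, urlsplit

# The href exactly as it appears in the phishing mail (copied from the page,
# line wrapping removed).
RAW_HREF = (
    "http%3a%2f%2fscgi%2eebay%2ecom%2569%256E%2564%2565%2578%2575%2570"
    "%2564%2561%2574%2565%2579%256F%2575%2572%2569%256E%2566%256F%2572%256D%2561%2574"
    "%2569%256F%256E%2573%2565%2563%2575%2572%2565%40%2532%2531%2531%252E%2534%2537"
    "%252E%2531%2539%2531%252E%2531%2532%2535%3a%2531%2539%2539%2f%2569%256E%2564%2565"
    "%2578%252E%2568%2574%256D"
)

# The address the picture tells the victim they are going to.
DISPLAYED_URL = "https://scgi.ebay.com/saw-cgi/ebayISAPI.dll?VerifyInformation"


def decode_layers(href, max_layers=5):
    """Percent-decode one pass at a time until the string stops changing.
    Returns every intermediate form, starting with the raw input, so the
    reader can see what the browser sees after each pass."""
    layers = [href]
    for _ in range(max_layers):
        decoded = unquote(layers[-1])      # unquote does exactly one pass
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def real_destination(href):
    """Split the fully decoded URL into the parts a browser actually uses.
    Everything between // and @ is userinfo, not the host."""
    url = decode_layers(href)[-1]
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "url": url,
        "userinfo": parts.username or "",
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else default_port,
        "path": parts.path,
    }


def phishing_tells(href, displayed_url):
    """Return the warning signs a link checker would raise for this link."""
    dest = real_destination(href)
    shown = urlsplit(displayed_url)
    tells = []
    if dest["host"] != shown.hostname:
        tells.append("host mismatch: shows %s, goes to %s" % (shown.hostname, dest["host"]))
    if dest["userinfo"]:
        tells.append("userinfo before @ (%r) used to impersonate a host" % dest["userinfo"])
    try:
        ipaddress.ip_address(dest["host"])
        tells.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if dest["port"] not in (80, 443):
        tells.append("non-standard port %d" % dest["port"])
    if len(decode_layers(href)) > 2:
        tells.append("percent-encoding applied more than once")
    return tells


if __name__ == "__main__":
    for i, layer in enumerate(decode_layers(RAW_HREF)):
        print("after %d decoding pass(es): %s" % (i, layer))
    for key, value in real_destination(RAW_HREF).items():
        print("%-9s %s" % (key, value))
    for tell in phishing_tells(RAW_HREF, DISPLAYED_URL):
        print("WARNING:", tell)
```

Run it and the second line of output is the link after one pass: http://scgi.ebay.com%69%6E...@%32%31%31...:%31%39%39/%69... - the @, : and / are already real separators while the user name, host, port and path are still hex. The third line is the fully decoded address, and the host field is 211.47.191.125, not scgi.ebay.com.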
Note: the anchor tag is not closed right after it is opened; the (/a) only comes after the image and the hidden text, hence the whole thing including the picture becomes the link.
And that is how they get you to click on a link that says it is going one place but goes somewhere else, so they can steal your information, your credit, even your identity.