Update Your eBay Account

by Don Singleton
Tulsa Computer Society
From the May 2004 issue of the I/O Port Newsletter

I just received an email message, supposedly from update@ebay.com, with a subject of Update Your eBay Account:

Dear eBay user, We need to inform you that during our security reform we are asking every user to verify your registration information, this security measure will protect our customers from account thefts and any other fraudulent activities.

To verify your user information please click on the link below:

http://www.ebay.com/aw-cgi/eBayISAPI.dll?VerifyRegistrationShow

Copyright 1995-2003 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

However, clicking on the link would take you to http://update-your-accounts.com/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=

The domain update-your-accounts.com was registered to Jamieson Wong in Hawaii through the Domain Registrar YahooDomains on April 10, 2004, just 3 days before I received the email.

He must have had trouble getting his server set up, because when I checked, that domain name was not operational.

I don't know whether it was the same guy or not, but I got another email just like this one, except this time they fixed the copyright date to show Copyright 1995-2004 eBay Inc, and rather than using a domain name, it used a hard-coded IP address. If one clicked on the URL, it would take them to http://65.23.158.79/.ebay/eBayISAPI.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid= which displayed this fake eBay page:

Here is a VisualRoute trace to IP address 65.23.158.79

GeoBytes was unable to identify the geographic location of IP address 65.23.158.79, but Youngzsoft.net said it is in Australia, and DNSStuff seems to confirm that. However, IP2location said it is in New Jersey, and Whois.sc seems to confirm that (they indicated the server contains two websites - both are for companies in Delaware). From the VisualRoute trace I would assume it is in Phoenix, since that is where the upstream routers are. I suspect that someone may have tinkered with the IP routing tables, which form the basic structure for directing (routing) Internet traffic, so the web server could be anywhere.

I have said this in other articles, but it is worth repeating:
If you get an email that either asks you to enter your account number, password, or other private data directly, or takes you to a specific web page that asks for that information, don't provide it.
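The two messages described above share the same tell: the visible link text names www.ebay.com, while the link actually goes to update-your-accounts.com in the first case and to the bare IP address 65.23.158.79 in the second. As an added illustration that is not part of the original article, here is a small Python check that catches exactly those two signs in an HTML email body. The two sample bodies are constructed for this example from the URLs quoted in the article; the function and class names are the example's own.

```python
"""Flag phishing-style links in an HTML email body.

Two checks, modelled on the two eBay messages described above:
1. the visible link text looks like a URL whose host differs from the href host;
2. the href host is a bare IP address rather than a domain name.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


def host_of(url):
    """Return the lowercase hostname of a URL, or None if it has none."""
    parsed = urlparse(url.strip())
    if parsed.scheme == "":
        # Link text such as "ebay.com/signin" carries no scheme; add one so
        # urlparse treats the first component as the host.
        parsed = urlparse("http://" + url.strip())
    return (parsed.hostname or "").lower() or None


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address instead of a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, reason) for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host is None:  # mailto:, anchors, empty hrefs
            continue
        if is_ip_literal(href_host):
            findings.append((href, "href host is a bare IP address"))
        # Only treat the visible text as a URL when it plausibly is one.
        text_host = host_of(text) if "." in text and " " not in text else None
        if text_host and text_host != href_host:
            findings.append(
                (href, f"link text shows {text_host} but href goes to {href_host}")
            )
    return findings


# Constructed sample bodies mirroring the two messages quoted in the article.
FIRST_MESSAGE = (
    "<p>To verify your user information please click on the link below:</p>"
    '<a href="http://update-your-accounts.com/eBayISAPI.php?'
    'MfcISAPICommand=SignInFPP&amp;UsingSSL=1&amp;email=&amp;userid=">'
    "http://www.ebay.com/aw-cgi/eBayISAPI.dll?VerifyRegistrationShow</a>"
)
SECOND_MESSAGE = (
    '<a href="http://65.23.158.79/.ebay/eBayISAPI.php?'
    'MfcISAPICommand=SignInFPP&amp;UsingSSL=1&amp;email=&amp;userid=">'
    "http://www.ebay.com/aw-cgi/eBayISAPI.dll?VerifyRegistrationShow</a>"
)

if __name__ == "__main__":
    for name, body in (("first", FIRST_MESSAGE), ("second", SECOND_MESSAGE)):
        for href, reason in suspicious_links(body):
            print(f"{name} message: {reason}")
```

The first message yields one finding (host mismatch); the second yields two, because the IP-literal host trips the first check and also differs from the www.ebay.com shown in the link text. A mail filter or a user-education tool can apply the same two checks before anyone decides whether to click.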

Tulsa Computer Society 5/01/2004
Don Singleton, President