View Full Version : Fraud Alert
SoulSearching
06-04-2003, 04:31 AM
This is just a general alert to all of you who may be ebay members. We can usually spot a scam when it presents itself but I got one today that actually took a few seconds of thinking.
You will receive an email from: support@ebay.com
The return addy is indeed support@ebay.com
IT SAYS "ebay.com" not "ebaysupport.com"
Anyways the email is a 100% authentic lookalike of how a real ebay email would look. It says that the credit card on file was attempted to be charged but was declined, please update your card etc... it gives a long URL which has something like "cgi.....ebay.com" etc but when you click the link it takes you to some obvious non-ebay URL. The page also looks 100% authentic as an ebay login page would.
All of this looked so good, I'm not convinced it's a scam. Will someone look into it?
Recently we attempted to authorize payment from your credit card we have on file for you, but it was declined.
For security purposes, our system automatically removes credit card information from an account when there is a problem or the card expires.
Please resubmit the credit card, and provide us with new and complete information. To resubmit credit card information via our secure server, click the following link:
http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn
This is the quickest and easiest method of getting credit card information to us. Using the secure server will ensure that the credit card will be placed on account within 24 hours.
Copyright 1995-2003 Ebay Inc.
All Rights Reserved. Designated trademarks and brands are the property of their respective
Joe Random
06-04-2003, 04:45 AM
Looks legit to me. I clicked on the link and was taken to ebay's sign-In page. The page I was taken to is identical (both in content and actual URL) to the sign-in page I get directly from ebay.com.
Also, the link you posted is a valid eBay URL. Anything of the form: xxxxx.ebay.com is an actual eBay URL.
SoulSearching
06-04-2003, 04:56 AM
I was right. It is a fraud attempt. A very very very good one.
The link you clicked does take you to legit ebay signin site. But when I click that same link (from my email) it takes me to this link:
http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo&siteid=0co_partnerid=2@e2io.iwebland.com/
And thus the signin sheet you go to will have the URL of this:
http://e2io.iwebland.com/
What I did was I typed in random letters for username and password and it proceeded to the credit card update page. I did not fill out a single form, I just clicked submit and it brought me to the final page saying:
Form Submission successful
Thank you for updating your information.
Back to Homepage
I have already contacted ebay about this thing. I think I may have saved a lot of people heartache and money. :)
squigs
06-04-2003, 05:11 AM
Yep. It's quite a popular trick. If you have a URL along the lines of http://www.domain.com@www.fakedomain.com, most browsers will effectively ignore everything between the http:// and the @.
I think the latest version of IE will strip the information in the title bar.
Try it yourself = http://www.ebay.com@boards.straightdope.com.
(The space before the @ is typically a username field. Most sites don't use it)
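Added example, not part of the original thread: Python's standard urllib.parse splits a URL the way the post describes, so it shows which host a link with an @ really names. It goes slightly beyond the post by separating a username dressed up as a hostname from an ordinary user:password login; the intranet.example URL and the verdict labels are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Rough test for "looks like a DNS name": dot-separated labels ending in letters.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def inspect_url(url):
    """Return the host a URL really names, plus a verdict on its userinfo part."""
    parts = urlsplit(url)
    host = parts.hostname      # whatever follows the last '@' in the authority
    user = parts.username      # whatever precedes ':' (or '@') in the userinfo
    if user is None:
        verdict = "no-userinfo"
    elif HOSTLIKE.match(user) and user.lower() != host:
        verdict = "deceptive-userinfo"   # the "username" poses as another site
    else:
        verdict = "credentials"          # plain user:password@host login
    return {"connects_to": host, "userinfo_user": user, "verdict": verdict}

SAMPLES = [
    # The two @ URLs quoted in the thread
    "http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo"
    "&siteid=0co_partnerid=2@e2io.iwebland.com/",
    "http://www.ebay.com@boards.straightdope.com",
    # The genuine sign-in link from the first post
    "http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn",
    # Constructed example of a legitimate login URL (hypothetical host)
    "http://alice:s3cret@intranet.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = inspect_url(url)
        print(f"{result['verdict']:<20} {result['connects_to']:<26} {url[:50]}")
```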
tirial
06-04-2003, 05:14 AM
It's not just ebay that's affected by this scam.
On a slight hijack, a friend and I both got something similar claiming to be from "paysecurity" at paypal. It asks you to confirm your credit card number and details in a form in the email for security reasons.
We looked through the source for it before replying. The catch was that although all the email addresses supplied appeared to go to paypal, the cgi script it activated didn't. It seems to go to the same domain as your ebay scam letter above.
We've contacted paypal about this and were told they were taking action. Has anyone else received one of these, or anything similar?
Colophon
06-04-2003, 05:38 AM
Yep, any URL containing an @ symbol is a fake.
Anyway, thanks for that link... for a laugh, I've filled in the "Update card details" form with a variety of suitable messages aimed at the scammer, and submitted them several times:
Card number: what a pathetic attempt at a scam
Billing address: do you expect people to fall for this?
etc etc etc :)
Well, it gave me a moment's diversion anyway...
SoulSearching
06-04-2003, 05:44 AM
Originally posted by r_k
Yep, any URL containing an @ symbol is a fake.
Anyway, thanks for that link... for a laugh, I've filled in the "Update card details" form with a variety of suitable messages aimed at the scammer, and submitted them several times:
Card number: what a pathetic attempt at a scam
Billing address: do you expect people to fall for this?
etc etc etc :)
Well, it gave me a moment's diversion anyway...
Haha I did the same thing.
Card Number: FBI is coming
Address: Prison
Keeve
06-04-2003, 07:33 AM
Forget this business about the "@" symbol. The text you see might have nothing in common with where the link takes you! Guess what happens if you click here: http://www.yahoo.com (http://www.google.com)
This is because the text shown is not necessarily the address that you go to. If you have your "status bar" showing, then it might show you that this link really goes to Google, but very often people just click without looking at the status bar, or (especially in email) the status bar isn't showing.
Whenever I'm suspicious, I try to do a right-click and then check out the Properties of the link.
Colophon
06-04-2003, 07:57 AM
There was, of course, the famous case of paypaI.com (that's a capital i, not a lower-case L, but they look near identical in the IE font), which fooled a lot of people before it was shut down. See http://news.zdnet.co.uk/story/0,,t269-s2080344,00.html
"International" URLs using foreign characters could provide a wealth of new scam opportunities.
This page (http://www.dnso.org/dnso/notes/International-Domain-Names-EP.pdf) (PDF file) highlights the problem:
If the usage of mixed letters from various alphabets is allowed - and the IETF works on Unicode characters cannot exclude it - then, there will be no more any unambiguous printed URL. The mixed similarly appearance while different code points will create a terrible confusion to consumers, and may kill any hope for safe electronic commerce
For instance, I would be able to set up a site called www.hοtmail.com (where the o in hotmail is actually a Greek omicron, ο ). Can you spot the difference?
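Added example, not part of the original thread: a check for the two lookalike tricks in this post, using only Python's standard library. Lower-casing exposes paypaI.com because DNS names are case-insensitive, and a label that mixes scripts exposes the Greek omicron; the function names and the returned field names are made up for illustration.

```python
import unicodedata

def scripts_in(label):
    """Scripts used by the letters of one DNS label, e.g. {'LATIN', 'GREEK'}."""
    found = set()
    for ch in label:
        if ch.isalpha():
            # Unicode character names begin with the script:
            # 'GREEK SMALL LETTER OMICRON', 'LATIN SMALL LETTER O', ...
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def audit_hostname(host):
    """Show a host name as DNS sees it and list labels that mix alphabets."""
    labels = host.split(".")
    dns_form = host.lower()   # DNS ignores case, so compare lower-cased names
    return {
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
        "dns_form": dns_form,
        # Non-ASCII labels travel as 'xn--...' punycode; ASCII ones are unchanged.
        "wire_form": dns_form.encode("idna").decode("ascii"),
    }

HOSTS = [
    "www.h\u03bftmail.com",   # the post's example: Greek omicron in place of 'o'
    "www.paypaI.com",         # the post's example: capital I in place of 'l'
    "www.hotmail.com",        # plain ASCII, for comparison
]

if __name__ == "__main__":
    for host in HOSTS:
        report = audit_hostname(host)
        print(report["wire_form"], report["mixed_script_labels"])
```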
Johnny L.A.
06-04-2003, 08:07 AM
I received this e-mail in April:
Dear valued ebay member [username] :
It has come to our attention that your ebay Billing information's
records are out of date. thats require update your billing information's
If you could please take 5-10 minutes out of your online experience and update.
Your billing records you will not run into any future problems with the
problems with the online service. However, failure to update your records will result in
account termination. Please update your records by tomorrow.
Once you have updated your account records your ebay session will not be
interrupted and will continue as normal. Failure to update will result in
cancellation of service, Terms of Service (TOS) violations or future billing
problems.
Please click here to update your billing records. [linked]
Thank you for your time.
Marry Kimmel
ebay Billing Dept team.
Note the many problems.
"It has come to our attention that your ebay Billing information's records are out of date."
"The records belonging to the Billing information"?
"thats require update your billing information's"
First word not capitalized. My billing informations what? (Possessive.)
"If you could please take 5-10 minutes out of your online experience and update."
Sentence fragment. (A comma would make it a sentence, but it would be an awkward one for an official e-mail.)
"Once you have updated your account records your ebay session will not be interrupted and will continue as normal."
Poor syntax.
"Marry Kimmel"
Marry? Why would I want to marry this Kimmel person? :confused:
I did not click on any of the links, but right-clicked to find out what they were. Not eBay. eBay confirmed that this is spam and said they would "take appropriate action". Since this was an obvious attempt at credit fraud, I filed an official complaint with the FBI.
As for the OP, I received that e-mail but the bonehead couldn't be bothered to get his HTML right. This is how it looks (trimmed):
<html><font color="white">qjcs ohusilzk jiufhi <br><font color="black">
<table width="73%" height="307">
<tr>
<td><img src="http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102.gif"></td>
</tr>
<tr>
<td height="18">Recently we attempted to authorize payment from your credit
card we have on file for you, but it was declined.</td>
</tr>
<tr>
Hahahahahahaha! Oh, yeah. I'm going to believe that came from eBay!
Balthisar
06-04-2003, 10:35 AM
Wow, Ebay ought to do some .htaccess work or something -- aside from trying to steal customer information, they're stealing Ebay's bandwidth by linking right to Ebay's artwork!
Urban Ranger
06-04-2003, 11:03 AM
Originally posted by SoulSearching
The return addy is indeed support@ebay.com
Return address can be forged as well. You need to check the full header to see where it came from.
Well! I went over there to include my creative attempt at a credit info update and the page is 404.
Saying it was cancelled for a violation of their TOS.
10 points guys!
critter42
06-04-2003, 12:36 PM
Originally posted by r_k
Yep, any URL containing an @ symbol is a fake.
Incorrect. http://xxx:yyy@www.somesite.com is a valid format that can be used to access some password-protected addresses. However, this puts the username/password (the xxx:yyy part) in plaintext across the 'net...not good. There are other issues involved as well, but an @ in a URL does not *automatically* make it fake - highly suspicious, yes, but not necessarily a scam - the important part is after the @ sign (as noted by other posters).
Also, it looks like the scam site has been deleted - all you get now is "The page you were trying to access was not found or has been deleted for terms violation" (bolding mine) :) ;) :D - doggone quick work, I must say :)
critter42