This is just a general alert to all of you who may be ebay members. We can usually spot a scam when it presents itself but I got one today that actually took a few seconds of thinking.
Anyways the email is a 100% authentic lookalike of what a real ebay email would look like. It says that the credit card on file was attempted to be charged but was declined, please update your card etc… it gives a long URL which has something like “cgi…ebay.com” etc but when you click the link it takes you to some obvious non-ebay URL. The page also looks 100% authentic, just as an ebay login page would.
All of this looked so good, I’m not convinced it’s a scam. Will someone look into it?
Recently we attempted to authorize payment from your credit card we have on file for you, but it was declined.
For security purposes, our system automatically removes credit card information from an account when there is a problem or the card expires.
Please resubmit the credit card, and provide us with new and complete information. To resubmit credit card information via our secure server, click the following link:
This is the quickest and easiest method of getting credit card information to us. Using the secure server will ensure that the credit card will be placed on account within 24 hours.
Copyright 1995-2003 Ebay Inc.
All Rights Reserved. Designated trademarks and brands are the property of their respective
Looks legit to me. I clicked on the link and was taken to ebay’s sign-in page. The page I was taken to is identical (both in content and actual URL) to the sign-in page I get directly from ebay.com.
Also, the link you posted is a valid eBay URL. Anything of the form: xxxxx.ebay.com is an actual eBay URL.
What I did was I typed in random letters for username and password and it proceeded to the credit card update page. I did not fill out a single form, I just clicked submit and it brought me to the final page saying:
Form Submission successful
Thank you for updating your information.
Back to Homepage
I have already contacted ebay about this thing. I think I may have saved a lot of people heartache and money.
Yep. It’s quite a popular trick. If you have a URL along the lines of http://www.domain.com@www.fakedomain.com, most browsers will effectively ignore everything between the http:// and the @.
I think the latest version of ie will strip the information in the title bar.
On a slight hijack, a friend and I both got something similar claiming to be from “paysecurity” at paypal. It asks you to confirm your credit card number and details in a form in the email for security reasons.
We looked through the source for it before replying. The catch was that although all the email addresses supplied appeared to go to paypal, the cgi script it activated didn’t. It seems to go to the same domain as your ebay scam letter above.
We’ve contacted paypal about this and were told they were taking action. Has anyone else received one of these, or anything similar?
Anyway, thanks for that link… for a laugh, I’ve filled in the “Update card details” form with a variety of suitable messages aimed at the scammer, and submitted them several times:
Card number: what a pathetic attempt at a scam
Billing address: do you expect people to fall for this?
Forget this business about the “@” symbol. The text you see might have nothing in common with where the link takes you! Guess what happens if you click here: http://www.yahoo.com
This is because the text shown is not necessarily the address that you go to. If you have your “status bar” showing, then it might show you that this link really goes to Google, but very often people just click without looking at the status bar, or (especially in email) the status bar isn’t showing.
Whenever I’m suspicious, I try to do a right-click and then check out the Properties of the link.
For instance, I would be able to set up a site called www.hοtmail.com (where the o in hotmail is actually a Greek omicron, ο ). Can you spot the difference?
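Two of the checks described in this post can be automated: comparing the host named in a link’s visible text with the host in its href, and looking for non-ASCII characters (such as the Greek omicron) in a hostname. The following is an added example, not code from the thread; the e-mail body it scans is constructed for illustration and none of the hosts in it are real.

```python
"""Added example (not from the thread): audit the links in an HTML e-mail for
(1) visible text that names one host while the href points to another, and
(2) hostnames containing non-ASCII characters that may be look-alike glyphs."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import unicodedata

# Constructed sample e-mail body; the hosts are placeholders, not real sites.
# The second link's hostname spells "hotmail" with a Greek omicron (U+03BF).
SAMPLE_HTML = """
<p>Please <a href="http://update.example-fake.test/cgi/login">http://cgi.ebay.com/update</a>
and <a href="http://www.h\u03bftmail.com/login">sign in here</a>, or visit
<a href="http://www.yahoo.com/">http://www.yahoo.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or None if it has none."""
    return urlsplit(url).hostname or None


def host_in_text(text):
    """Hostname named by the visible link text, if the text looks like a URL
    or bare host; None for ordinary words such as 'sign in here'."""
    if " " in text or "." not in text:
        return None
    return host_of(text if "://" in text else "http://" + text)


def non_ascii_chars(host):
    """Non-ASCII characters in a hostname, paired with their Unicode names."""
    return [(c, unicodedata.name(c, "?")) for c in host if ord(c) > 127]


def idna_form(host):
    """The host as a browser would actually resolve it (IDNA/punycode)."""
    return host.encode("idna").decode("ascii")


def audit_links(html):
    """One finding per link: href host, text host and the reasons (if any)
    the link is suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        text_host = host_in_text(text)
        reasons = []
        if text_host and href_host and text_host != href_host:
            reasons.append("text host %s != href host %s" % (text_host, href_host))
        if href_host and non_ascii_chars(href_host):
            reasons.append("non-ASCII characters in host %s (resolves as %s): %s"
                           % (href_host, idna_form(href_host), non_ascii_chars(href_host)))
        findings.append({"href_host": href_host, "text_host": text_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
```

The first link is flagged because its text names cgi.ebay.com while the href goes elsewhere; the second because its hostname contains a Greek letter (its IDNA form begins with `xn--`, which is what a resolver would look up); the third is clean because text and href agree.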
It has come to our attention that your ebay Billing information’s
records are out of date. “The records belonging to the Billing information”?
thats require update your billing information’s First word not capitalized. My billing informations what? (Possessive.)
If you could please take 5-10 minutes out of your online experience and update. Sentence fragment. (A comma would make it a sentence, but it would be an awkward one for an official e-mail.)
Once you have updated your account records your ebay session will not be interrupted and will continue as normal. Poor syntax.
Marry Kimmel
Marry? Why would I want to marry this Kimmel person?
I did not click on any of the links, but right-clicked to find out what they were. Not eBay. eBay confirmed that this is spam and said they would “take appropriate action”. Since this was an obvious attempt at credit fraud, I filed an official complaint with the FBI.
As for the OP, I received that e-mail but the bonehead couldn’t be bothered to get his HTML right. This is how it looks (trimmed):
<html><font color="white">qjcs ohusilzk jiufhi <br><font color="black">
<table width="73%" height="307">
<tr>
<td><img src="http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102.gif"></td>
</tr>
<tr>
<td height="18">Recently we attempted to authorize payment from your credit
card we have on file for you, but it was declined.</td>
</tr>
<tr>
Hahahahahahaha! Oh, yeah. I’m going to believe that came from eBay!
Wow, Ebay ought to do some .htaccess work or something – aside from trying to steal customer information, they’re stealing Ebay’s bandwidth by linking right to Ebay’s artwork!
Incorrect. http://xxx:yyy@www.somesite.com is a valid format that can be used to access some password-protected addresses. However, this puts the username/password (the xxx:yyy part) in plaintext across the 'net…not good. There are other issues involved as well, but an @ in a URL does not automatically make it fake - highly suspicious, yes, but not necessarily a scam - the important part is after the @ sign (as noted by other posters).
Also, it looks like the scam site has been deleted - all you get now is “The page you were trying to access was not found or **has been deleted for terms violation**” (bolding mine) - doggone quick work, I must say
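The point made in this post and earlier in the thread about the “@” in a URL can be shown directly with a URL parser: everything between `http://` and the `@` is userinfo (a username and optional password), and the host the browser actually connects to is what follows the `@`. The following is an added example, not code from the thread; the URLs it parses are constructed from the patterns quoted above and are not real links.

```python
"""Added example (not from the thread): show which part of a URL containing an
"@" is the host actually contacted, and flag userinfo that looks like a decoy
domain rather than ordinary credentials."""
from urllib.parse import urlsplit


def split_userinfo_url(url):
    """Return the parts that matter when judging a URL with an "@":
    the host actually contacted, and any username/password in front of it.
    A bare 'host@host' string without a scheme is treated as http."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,        # what the browser connects to
        "username": parts.username,    # text between '//' and ':' or '@'
        "password": parts.password,    # text between ':' and '@', if any
    }


def decoy_userinfo(url):
    """True when the userinfo looks like a hostname (contains a dot): the link
    reads as one site but connects to another. Plain credentials such as
    'xxx:yyy' are a legitimate (if unwise, since they travel in clear text)
    use of the format and are not flagged."""
    user = split_userinfo_url(url)["username"] or ""
    return "." in user


# Constructed URLs for the two patterns quoted in the thread, plus a plain one.
EXAMPLES = [
    "http://www.domain.com@www.fakedomain.com/cgi/update",
    "http://xxx:yyy@www.somesite.com/protected/",
    "http://www.example.com/plain",
]

if __name__ == "__main__":
    for url in EXAMPLES:
        info = split_userinfo_url(url)
        print("%-55s -> host=%s user=%s decoy=%s"
              % (url, info["host"], info["username"], decoy_userinfo(url)))
```

The first URL parses with host `www.fakedomain.com` and username `www.domain.com`, which is exactly the trick described above; the second has real credentials (`xxx`/`yyy`) in front of `www.somesite.com` and is not flagged as a decoy; the third has no userinfo at all.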