How does this little scam work?

Appearing in my spam e-mails lately (along with offers to cure me of all “deseases”, prize notifications, come-ons from 65-year-old women and other crapola easily deletable just from the subject line) are messages purportedly from Ebay about a winning bid that I have neglected to pay up on.

This would be almost believable if I had ever registered on Ebay or bid on anything, which I haven’t. Is this yet another scam to get me to input personal data including credit card number so that Boris in Riga can buy crack with my money?

yeah… something like that.

or forward you to a false-paypal site that has you “reconfirm” your bank/credit card data.

Here’s a Wikipedia article about phishing, which is what this is.

Even if you don’t have a PayPal or eBay account, bazillions of other people do. So they can “cast a wide net” by sending out that email to as many addresses as they can get their hands on and they will get a good number of people who will click on the links & enter info because they are actively using eBay/PayPal at the moment.

I have had a few of those. It is a phishing scam designed to harvest valid eBay account names and passwords.

If you click on the link, you will see a fake eBay login page. Some will fill it in and try to log in. Instead, the details go to the scammers.

Once they have your account, they will quickly try to sell a big money item - I see cars and motorcycles and high end stereo equipment all the time. All of them try to complete the deal outside of eBay with a wire transfer.

Furthermore, if the stolen account has decent feedback, bidders will be trusting of the seller and will be more likely to complete the deal.

Where do phishers get their mailing lists? Do they buy them anonymously from legitimate vendors? Do they harvest them themselves?

Thanks,
Rob

  1. Harvest Newsgroups
  2. Harvest websites with comments sections
  3. Use malware to get Email address books
  4. Spurious log in to register sites

I know that there is harvesting software out there, but I would also bet there is both semi-legit and illegit trading.

Here is an interesting page:
http://www.private.org.il/harvest.html

  1. “Dictionary attack”: choose a domain, e.g. Hotmail, and bombard it with millions of random letter and number combinations: a@hotmail.com, a1@hotmail.com, ab1@hotmail.com, ad infinitum. Some of them are bound to work.

Nasty little vipers.

Now I have to figure out why I keep getting e-mails about accounts being compromised at banks I’ve never done business with. :confused:

The phishers are mass-mailing.

They’ve got a database of addresses. And a certain small percentage of people in that database are going to have an account at the bank mentioned.

And a small percentage of that percentage are never going to have heard of phishing, and are going to click the link, and trustingly enter their details.

Only a tiny number of the original recipients have to answer and click for the phishers to make a profit. And it must be working, because if they weren’t making money, they wouldn’t carry on doing it.