Anyone ever click on a spoof Ebay message?

Dang, I just got caught about an hour ago. I received one of those spoof Ebay messages that said a bid I placed was cancelled, to view the reason click here. My mind was drifting away and I did. Dang dang dang.

I have since changed my pwords on ebay, the email I use for that account.

Anyone ever do that? Anything bad happen?

Comments

  • I did it once, changed my p-word immediately and never had any problems from it. Good luck !
  • mrearlygoldmrearlygold Posts: 17,858 ✭✭✭
    Thanks neocirrhitus, it's scary nowadays.
  • jmski52jmski52 Posts: 23,278 ✭✭✭✭✭
    I did the same thing and changed my pw immediately with no ill effects. I've been getting a lot of phishing crap lately. My ebay account was "cancelled" today for "ebay abuse".

    Does anyone know if the Return Path addresses shown on emails can be masked, or are they generally where the scumbags hang out?
    Q: Are You Printing Money? Bernanke: Not Literally

    I knew it would happen.
  • I did the same thing at least twice. I immediately changed my password, which is all they got, with no ill effects.
  • lordmarcovanlordmarcovan Posts: 43,893 ✭✭✭✭✭
    I did, not long ago, though I knew better. Call it a moment of inattention, when my guard was down.

    Fortunately, I realized my mistake immediately and changed my eBay and PayPal passwords right away. No harm done, it would seem.

    Explore collections of lordmarcovan on CollecOnline, management, safe-keeping, sharing and valuation solution for art piece and collectibles.
  • i open them, cut and paste the item number (if there is one) onto a good ebay page, usually the scammers are easy to spot because they spell half of the "buzz words" wrong. i did recently get an email from (supposedly) the seller of an item i am bidding on, well, the seller knew nothing about it and we both reported it. i have a sneaking suspicion that ebay does not have the manpower to curtail this let alone prevent it
  • I closed my ebay account more than two years ago.

    Every day I get an email saying that I've been outbid, or my account is going to be suspended unless I "reply here," or something else.

    I always forward them to spoof@ebay.com and I'm sure they ignore them. Jerks.

    cheers, Alan Mendelson
    BestDealsTVshow.com
  • ttownttown Posts: 4,472 ✭✭✭
    I clicked on one once and lo and behold it downloaded a virus. Not good, I was just wanting to see what the message said. I would never try and logon to a link with any of my ID's/ Passwords.
  • CoxeCoxe Posts: 11,139


    << <i>Does anyone know if the Return Path addresses shown on emails can be masked, or are they generally where the scumbags hang out? >>



    Email is mainly governed by two internet RFCs, one for transport between MTAs (821) and one for presentation to the recipient (822). For each of those two, you can have different To: and From: addresses, and neither is reliable though the transport one can be cause for rejection at the receiving MTA. When you reply to an email it uses the other. It is trivial to craft these at your whims.

    As for the source of the email, never rely on what you see in Outlook or any other mail reader. You can view the headers in some of them. The ONLY thing you can trust in those headers is the IP address (and not the name either) of the MTA that talked directly to your service's MTA. Spammers have been known to craft a history of MTA (also trivial), so never trust a message as having originated at the first hop shown in the path in the Received header.

    The bottom line for all spam is the source is where it sends you. Two HUGE failures of MicroS**t's readers are the lack of a status bar for links when reading an HTML-formatted message and the inability to view the HTML source without opening the message, and thus executing/interpreting the HTML. Instead of the latter, they kept plugging holes that could be and were being exploited. They might have a hard time running malicious scripts today, but they can still be creatively deceptive for those who genuinely subscribe to comprehensive WYSIWYG.

    For these emails, I examine the HTML source first. If you do view it, just search for the "href" string to see each of the links. I get the one they are using for the phish and I port 80 telnet to it and negotiate the URL with HTTP/1.1 protocol. They usually have a form to collect the password and send to a cgi.

    What really bugs me is that a lot of the institutions (PayPal, banks, ...) being phished have their native images, not copied but, in the HTML on the rogue server. If they weren't so braindead or have their IT staff populated with simpletons from matchbook tech schools who passed some certification exams, they would know they need to increase their site logging to get the parent page from the ENV array and monitor and bust them in real time.

    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
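
Added example (not part of Coxe's post or any forum member's code): a Python sketch of the header check described above, run on a constructed message, showing the envelope sender (Return-Path) beside the displayed From: and Reply-To: and picking out the one Received hop written by the recipient's own server. It assumes Postfix-style Received lines and that the topmost Received header came from your own MTA; every address, host name and IP in the sample is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: example domains and documentation-range IPs.
RAW = """\
Return-Path: <bounce-7731@bulk.example.net>
Received: from mail.ebay.com (unknown [203.0.113.45])
\tby mx.recipient.example with ESMTP id 4F2A1
\tfor <collector@recipient.example>; Tue, 03 Oct 2006 10:15:02 -0400
Received: from smtp.ebay.com (smtp.ebay.com [192.0.2.10])
\tby mail.ebay.com with SMTP; Tue, 03 Oct 2006 10:14:58 -0400
From: "eBay Member Services" <aw-confirm@ebay.com>
Reply-To: support@ebay-resolution.example.org
To: collector@recipient.example
Subject: Your bid was cancelled

To view the reason, click here.
"""

# Assumed Postfix-style layout: from <claimed name> (<rDNS> [<peer IP>])
HOP = re.compile(r"from\s+(\S+)\s+\((\S*)\s*\[([0-9A-Fa-f.:]+)\]\)")

def domain(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def sender_identities(msg):
    """Envelope sender (RFC 821) beside the displayed ones (RFC 822)."""
    ids = {
        "envelope": domain(msg["Return-Path"]),   # where bounces go
        "from": domain(msg["From"]),              # what the mail reader shows
        "reply_to": domain(msg["Reply-To"]) or domain(msg["From"]),
    }
    ids["consistent"] = len(set(ids.values())) == 1
    return ids

def received_hops(msg):
    """(claimed name, peer IP) for each Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP.search(value)
        if match:
            hops.append((match.group(1), match.group(3)))
    return hops

def trusted_peer(msg):
    """IP recorded by our own MTA; every older hop is sender-supplied."""
    hops = received_hops(msg)
    return hops[0][1] if hops else None

MSG = message_from_string(RAW)

if __name__ == "__main__":
    print(sender_identities(MSG))
    print("trust only:", trusted_peer(MSG))
    print("unverifiable history:", received_hops(MSG)[1:])
```

The name `mail.ebay.com` in the top hop is whatever the connecting machine announced; only the bracketed IP beside it was observed by the receiving server.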
  • I clicked on a spoof link once. In fact I entered a password and my hard earned over 1,000,000 NeoPoints from NeoPets were stolen! Needless to say that spoiled my taste for playing games on NeoPets.

    I continue to get phishing lures all the time. I get them for all the big financial institutions like Citi, WaMu, BofA, insurance companies as well as PayPal and eBay. It is easy to delete them and I never click on any link in email anymore. I like the ones that come from institutions where I don't have any account because I don't even have to think more than a microsecond on those.
  • TwoSides2aCoinTwoSides2aCoin Posts: 44,621 ✭✭✭✭✭
    yes, it led me to a dating site and there was Meg Whitman.
  • BAJJERFANBAJJERFAN Posts: 31,388 ✭✭✭✭✭
    I would assume that clicking on them would have no ill effects [as far as your account security goes] as long as you don't log in to your account thru them.
    theknowitalltroll;
  • ldhairldhair Posts: 7,352 ✭✭✭✭✭
    Folks used to say you can catch a key stroke virus from this.
    Is that still a problem?
    Larry

  • notwilightnotwilight Posts: 12,864 ✭✭✭
    I sometimes click on the links for fun just to see what the URL looks like. I keep a good and updated virus and spyware software running at all times...never had a problem...guess that's living on the edge for a geek. Generally you only get in trouble if you enter your password. Once I entered my id and password in one that just looked too real (not an offer for anything but a very valid and routine question from a supposed buyer). I changed my password very quickly. In this instance it's really a race to see if they can change it before you do. I won. If you can't get in then they won.

    One thing you can do if you're not sure it's a phishing website is enter the wrong password on purpose. A phishing website doesn't know it's wrong and lets you in. The real website will say "wrong password".

    --Jerry
  • jmski52jmski52 Posts: 23,278 ✭✭✭✭✭
    << <i>Email is mainly governed by two internet RFCs, one for transport between MTAs (821) and one for presentation to the recipient (822). For each of those two, you can have different To: and From: addresses, and neither is reliable though the transport one can be cause for rejection at the receiving MTA. When you reply to an email it uses the other. It is trivial to craft these at your whims.

    As for the source of the email, never rely on what you see in Outlook or any other mail reader. You can view the headers in some of them. The ONLY thing you can trust in those headers is the IP address (and not the name either) of the MTA that talked directly to your service's MTA. Spammers have been known to craft a history of MTA (also trivial), so never trust a message as having originated at the first hop shown in the path in the Received header.

    The bottom line for all spam is the source is where it sends you. Two HUGE failures of MicroS**t's readers are the lack of a status bar for links when reading an HTML-formatted message and the inability to view the HTML source without opening the message, and thus executing/interpreting the HTML. Instead of the latter, they kept plugging holes that could be and were being exploited. They might have a hard time running malicious scripts today, but they can still be creatively deceptive for those who genuinely subscribe to comprehensive WYSIWYG.

    For these emails, I examine the HTML source first. If you do view it, just search for the "href" string to see each of the links. I get the one they are using for the phish and I port 80 telnet to it and negotiate the URL with HTTP/1.1 protocol. They usually have a form to collect the password and send to a cgi.

    What really bugs me is that a lot of the institutions (PayPal, banks, ...) being phished have their native images, not copied but, in the HTML on the rogue server. If they weren't so braindead or have their IT staff populated with simpletons from matchbook tech schools who passed some certification exams, they would know they need to increase their site logging to get the parent page from the ENV array and monitor and bust them in real time. >>


    Thanks, Coxe. I need to study up, and someday when I am capable, my plan is to track some of these fools down and cause them some grief of their own. Just venting.
    Q: Are You Printing Money? Bernanke: Not Literally

    I knew it would happen.
  • mrearlygoldmrearlygold Posts: 17,858 ✭✭✭
    Well, I noticed today that when I open a forum or password protected website that I generally have my passwords saved ( such as this place), everything is wiped out and I have to manually enter my username and pword. Even if I shut the computer down and restart it, it's all wiped out again. And yes I clicked the "remember me" button. It gets wiped out anyway.

    GRRR
  • cmerlo1cmerlo1 Posts: 7,960 ✭✭✭✭✭
    It used to be that you could go to the phishing site and enter anything into the credit card and username/password blanks...I would call the scammer every name in the book in those blanks and click the 'Login' button. Lately, they've gotten more sophisticated, and actually require a real CCN or they won't accept the information. It sure was fun, though- I would imagine the scammer looking at the list of phished card numbers, userid's, and passwords, and finding my expletive-laden tirade about him and his mother...most likely, though, and judging from the grammar and spelling errors in the emails, they are in a foreign country and don't know English very well...

    --Christian
    You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.
  • ldhairldhair Posts: 7,352 ✭✭✭✭✭


    << <i>Well, I noticed today that when I open a forum or password protected website that I generally have my passwords saved ( such as this place), everything is wiped out and I have to manually enter my username and pword. Even if I shut the computer down and restart it, it's all wiped out again. And yes I clicked the "remember me" button. It gets wiped out anyway.

    GRRR >>


    Did you do some type of system cleanup? Delete cookies or something like that?

    Larry

  • mrearlygoldmrearlygold Posts: 17,858 ✭✭✭


    << <i>

    << <i>Well, I noticed today that when I open a forum or password protected website that I generally have my passwords saved ( such as this place), everything is wiped out and I have to manually enter my username and pword. Even if I shut the computer down and restart it, it's all wiped out again. And yes I clicked the "remember me" button. It gets wiped out anyway.

    GRRR >>


    Did you do some type of system cleanup? Delete cookies or something like that? >>



    I use Trend Micro and am running it again now. It shows no virus or spyware though.
  • ldhairldhair Posts: 7,352 ✭✭✭✭✭
    I'm not up on Trend Micro. Is it possible it deleted all the saved usernames and passwords?
    Larry

  • mrearlygoldmrearlygold Posts: 17,858 ✭✭✭


    << <i>I'm not up on Trend Micro. Is it possible it deleted all the saved usernames and passwords? >>



    It keeps doing it. I cleared the cookies etc., shut the computer down again, restarted and sure enough, all the usernames and pwords have to be manually entered again. Man oh man.

    We just upgraded trend micro to 2007. AFTERWARDS I read cnet and pc world and they give trend micro 2005 a great rating. 2007 is POOR. Wonderful. Now what do we do?

    Suggestions? Help!


  • << <i>Email is mainly governed by two internet RFCs, one for transport between MTAs (821) and one for presentation to the recipient (822). For each of those two, you can have different To: and From: addresses, and neither is reliable though the transport one can be cause for rejection at the receiving MTA. When you reply to an email it uses the other. It is trivial to craft these at your whims.

    As for the source of the email, never rely on what you see in Outlook or any other mail reader. You can view the headers in some of them. The ONLY thing you can trust in those headers is the IP address (and not the name either) of the MTA that talked directly to your service's MTA. Spammers have been known to craft a history of MTA (also trivial), so never trust a message as having originated at the first hop shown in the path in the Received header.

    The bottom line for all spam is the source is where it sends you. Two HUGE failures of MicroS**t's readers are the lack of a status bar for links when reading an HTML-formatted message and the inability to view the HTML source without opening the message, and thus executing/interpreting the HTML. Instead of the latter, they kept plugging holes that could be and were being exploited. They might have a hard time running malicious scripts today, but they can still be creatively deceptive for those who genuinely subscribe to comprehensive WYSIWYG.

    For these emails, I examine the HTML source first. If you do view it, just search for the "href" string to see each of the links. I get the one they are using for the phish and I port 80 telnet to it and negotiate the URL with HTTP/1.1 protocol. They usually have a form to collect the password and send to a cgi.

    What really bugs me is that a lot of the institutions (PayPal, banks, ...) being phished have their native images, not copied but, in the HTML on the rogue server. If they weren't so braindead or have their IT staff populated with simpletons from matchbook tech schools who passed some certification exams, they would know they need to increase their site logging to get the parent page from the ENV array and monitor and bust them in real time. >>



    I'll give someone a million dollars if they can translate this into laymen's terms.
  • AUandAGAUandAG Posts: 24,942 ✭✭✭✭✭
    Coxe, I'm sorry, but I have no clue as to what you said....Perhaps I'm just too old to learn this stuff but
    would you be kind enough to put it in plain English? I don't have an internet dictionary!
    bob
    Registry: CC lowballs (boblindstrom), bobinvegas1989@yahoo.com
  • EagleEyeEagleEye Posts: 7,677 ✭✭✭✭✭
    I never respond to any link on an email sent to me. If I'm curious, I may point my arrow over the link to see the URL, but that's it. If it's a web site that I go to, I'll just type it in or use my favorites if I am sure it is not corrupted.

    Even for coin dealer emails that have links, I will not click on them. I'll just go to their main page manually.

    I get many people sending me attachments with images. If it is sent to me out of the blue, I won't open it. If I can't see the image when I scroll down (I have to click on it to open it) I won't open it.

    I have a separate computer just for emails in case there is a problem; I can just wipe it clean.

    I use qurb spam checker, which is pretty good. My provider also has a spam filter. Sometimes a new contact gets into the spam box, but once I select it as good, it won't go there again.
    Rick Snow, Eagle Eye Rare Coins, Inc. Check out my new web site:
  • CoxeCoxe Posts: 11,139
    In plain English:

    There are essentially two internet protocols at play for email.

    One (RFC 821) is used to route the email from the sender to the recipient's mailbox. It has a few fields generally, the sending and receiving addresses for that particular message. All of the To: Cc: and Bcc: recipient addresses are in such fields, but segregated based on the different receiving servers. A From: address and a declared sending host is passed at this level.

    At the recipient's desktop, none of that is seen. There is a sending address (From: field) a To: and Cc:. The Subject: and things like this also are part of the header structure for this protocol, since they were not needed for the message's delivery. The From: and To: addresses for this second protocol (RFC 822) can be completely different from the ones declared for the first one. And all but the address in the first to get it delivered to your mailbox can be spoofed to be anything at all. If a message cannot be delivered to a mailbox for a reason or if there is a delay, the report is sent by the server using the first protocol and thus to the sender address declared there. When you reply to a message, however, your mail program uses the sender address (potentially different) declared in the second header group.

    The bottom line, for this discussion, is that neither sender address (same or different) can ever be trusted. I can send you email from GWB, Dave Hall, anyone anytime. If it says it is from eBay, PayPal, Chase Manhattan, ... doesn't mean it really is.

    My issue with HTML-formatted email, is that it is highly robust and immediately interpreted when opened. MS sees this as a feature and encourages HTML over plain old safe text. However, they don't support it very securely. Someone who knows what they are doing would prefer to be able to open it as text or read the source first. And when it is opened, it would be nice to have a status bar to tell you where a link is going.

    The way these phish games can play out is typically something like this. You click on a link on an HTML-formatted email that appears legit. Up pops Internet Explorer which goes to a web server that tries to obfuscate itself (through a variety of mechanisms) on the address bar and presents a login page that mirrors the real site's pretty closely. It is a form that is posted when you submit to a CGI (or similar scripted server side programs) on an off-shore server where the data is collected. The original server is also apt to install a trojan or two while you happen to be there. Only takes a few seconds. Really smart CGIs will tell you your password was incorrect and meta refresh (transfer you) to the real site where you will log in as usual and find nothing wrong. However, they got your username and password and may already be changing your password on you. They will also try the same pair at numerous other sites (banks, retailers, ...) to make the punch really hurt.

    One more thing about HTML-formatted spam. Some of it, but thankfully not a large percentage (yet!) includes a 1-pixel image in the source. You don't see it unless you read the source. It often doesn't even load as it doesn't exist on the referenced server. However, that server logged the retrieval attempt. The name of the file or a query string passed with it, uniquely associates with the spam campaign and your email address. They use these as immediate read receipts and you cannot avoid them. This validates your email address as valid and active, meaning you will receive more spam and will go onto a more lucrative (costs more to people who buy them) spam address list. They also know when you opened it and how many times for a focus interest list, also meaning more money for them and much more spam for you. Opening spam is a lot more harmful than most people imagine.

    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
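
Added example (not from the thread): reading a message's HTML source without rendering it, as both of Coxe's posts recommend, by listing each href, flagging links whose visible text names a different host than the target, and flagging 1-pixel images of the kind described above. The sample body, its hosts and the `audit` helper are constructed for illustration; nothing is fetched from the network.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message body: example hosts and a documentation-range IP.
BODY = """\
<html><body><p>Your bid was cancelled. To view the reason:</p>
<a href="http://203.0.113.77/signin.cgi">https://signin.ebay.com/</a>
<a href="http://pages.ebay.com/help/">Help</a>
<img src="http://www.ebay.com/logo.gif" width="120" height="40">
<img src="http://track.example.net/o.gif?id=c1842-7f3a" width="1" height="1">
</body></html>
"""

# Visible link text that itself looks like a host name or URL.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

class SourceAudit(HTMLParser):  # walks the source only; nothing is fetched
    def __init__(self):
        super().__init__()
        self.links = []      # [href, visible text] per <a>
        self.beacons = []    # src of images declared 0 or 1 pixel square
        self._open = None    # the <a> currently being read, if any
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self._open = [attr["href"], ""]
            self.links.append(self._open)
        elif (tag == "img" and attr.get("width") in ("0", "1")
              and attr.get("height") in ("0", "1")):
            self.beacons.append(attr.get("src") or "")
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def audit(html):
    """Return (kind, detail) findings for one HTML message body."""
    parser = SourceAudit()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = URLISH.match(text.strip())
        shown = shown.group(1).lower() if shown else ""
        if shown and shown != host(href):
            findings.append(("link-mismatch", f"{shown} -> {host(href)}"))
        if re.fullmatch(r"[0-9.]+", host(href)):
            findings.append(("ip-literal-link", href))
    for src in parser.beacons:
        findings.append(("tracking-pixel", src))
    return findings

if __name__ == "__main__":
    print(*audit(BODY), sep="\n")
```

The pixel check only catches images that declare their size in the tag; an image with no width and height attributes would need its src compared against the sender's own domain instead.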
