EBAY SPOOF

[mushroom]

I recieved an e-mail recently which said eBay Account Suspended header said; From: aw-confirm@eBay.com it had the look and layout of ebay.
The link said /signin.ebay.com BUT went to lmillercc.com/.... Where it tried to install "eBayISPI.dll" on my computer but beening a LINUX machine I was allerted.

On viewing source I found;
Return-path: <apache@ns1.ravenorb.com>
Received: from [12.168.160.130] (helo=ns1.ravenorb.com)
and a java script ..............
<a onmouseover="window.status='http://signin.ebay.com//aw-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US';
return true" onmouseout="window.status='http://signin.ebay.com//aw
-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US'" href="http://lmillercc.com/images/eBayISAPidlldasSKJE
DFKJSdsalkepoamncjfdsjKKdsjdxcmnzkjsjeLKKLKdsjnxs/ksj
deISJJSjjISSdlldkDKJlLXcdcawerfDEurERRudsksalfkmcx XXl
kdmfldll/LKJDjedssjheflkcgieBaysadkKJEDjdfklluseridLK
SKdskdmxskjdeEEdkjas7837sdkjd/eBaylSAPl.dll"
&gt;<FONT face="Courier New"
size="2">http://signin.ebay.com//aw-
cgi/eBayISAPI.dll?
SignIn&ssPageName=h:h:sin:US</a><font face="Courier New" size="2">...............

I have conacted ebay and my local ISP with full source of the e-mail and am now telling the rest of the world.

[mikmik]

Look what I just came across.

Quote:

What is SpoofStick?
SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as “phishing"

Available here: Browse freely ...
For IE and Firefox
Look at the example used!

Quote:

Spoofstick will say: "You're on ebay.com".

If you get fooled by going to a spoofed site, for example ht//tp://**signin.ebay.com@10.19.32.4/ (a "spoof" example used by ebay in their customer outreach),

Spoofstick will say: "You're on 10.19.32.4"

[I altered the 'url' with extra "//" and "**" - mikmik]

Thanks for keeping people informed, mushroom..
You do good work ;]

[mushroom]

Update
After making original post did some more digging.

Found that lmillercc.com apperered to be legit and perhaps innocent.

Sent email to abuse@lmillercc.com with full source of e-mail.

Site is now unavailable.

Hope I helped to put some one in jail

[wenwilder]

There are multiple links, hints, and tips being collected and offered in this thread: http://www.webproworld.com/viewtopic.php?t=19009

There is a lot of good information and fantastic links!

And mik, weren't you going to add some more links to the list? *hint, hint* ;)

[mikmik]

My new favorite security site, it has all OS's covered, easy to use, and a really nice navbar to boot LOL
http://www.securityfocus.com/

But, I get your drift, methinks ;-]