It's sad how many people get taken in by obvious and less obvious scams like this.... But I guess this is as old as the "knock knock: Wallet inspector."... There was a similar paypal scam that had "click here to go to www.paypal.com" which looked and displayed nice and legit in the email, but the href really sent you to a site in Korea that looked exactly like the paypal login screen.... "Thank you for verifying your information".... Indeed!
---Mike
At 12:25 PM 26/09/2003, Mike Tomasura wrote:
I guess e-bay had some problems? A few users got this message from them.
Dear eBay user!
At 09.24.2003 our company has lost a number of accounts in the system during the database maintenance. If you have an active account, please click on the link below to update your credit card information. If you have problems with your account, please let us know at email support@ebay.com <mailto:support@ebay.com>
https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation <https://e%31bay.com/saw-cgi/?UpdateInformation>
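Added example, not part of the original thread: a Python check for the mismatch described above, where the link text shows one host and the href names another. The sample HTML body is constructed around the two eBay URLs quoted in the message, `login.example` is a placeholder host, and the two-label domain comparison is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# First hostname-looking token in the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def href_host(href):
    """Host named by the href, with percent-escapes such as %31 decoded."""
    return unquote(urlsplit(href).hostname or "").lower()

def base(host):
    # Assumption: the last two labels approximate the registrable domain;
    # production code should consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        href, shown, self.href = self.href, "".join(self.text), None
        if urlsplit(href).scheme not in ("http", "https"):
            return                      # mailto: and similar are not audited
        m = HOST_RE.search(shown)
        if m and base(m.group(1).lower()) != base(href_host(href)):
            self.findings.append((m.group(1).lower(), href_host(href)))

def audit(html):
    """Return (host shown to the reader, host the href names) pairs."""
    p = LinkAudit()
    p.feed(html)
    p.close()
    return p.findings

# Constructed HTML body; the two eBay URLs and the address are from the thread.
SAMPLE = (
    '<a href="mailto:support@ebay.com">support@ebay.com</a> '
    '<a href="https://e%31bay.com/saw-cgi/?UpdateInformation">'
    'https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation</a> '
    '<a href="http://login.example/">click here to go to www.paypal.com</a>'
)
```

`audit(SAMPLE)` flags the eBay link because `%31` decodes to `1`, so the href names `e1bay.com` rather than `ebay.com`; the `mailto:` link is skipped.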
this is most definitely a combination credit card & ebay account scam.. this has happened numerous times over the last year and, in many cases the offender has also used the hijacked account information to offer items for sale & setup phoney escrow companies to lull the purchaser into putting up the funds.. the scale of this fraud is, frankly, huge, but many companies like ebay & paypal downplay it to avoid tainting the legitimacy of their respective businesses
ken stubbs
----- Original Message -----
From: "Mike Tancsa" <mike@sentex.net>
To: "Mike Tomasura" <MTomasura@BradleyCaldwell.com>; <nanog@merit.edu>
Sent: Friday, September 26, 2003 12:39 PM
Subject: Re: FW: e-bay
It's sad how many people get taken in by obvious and less obvious scams like this.... But I guess this is as old as the "knock knock: Wallet inspector."... There was a similar paypal scam that had "click here to go to www.paypal.com" which looked and displayed nice and legit in the email, but the href really sent you to a site in Korea that looked exactly like the paypal login screen.... "Thank you for verifying your information".... Indeed!
---Mike
At 12:25 PM 26/09/2003, Mike Tomasura wrote:
I guess e-bay had some problems? A few users got this message from them.
Dear eBay user!
At 09.24.2003 our company has lost a number of accounts in the system during the database maintenance. If you have an active account, please click on the link below to update your credit card information. If you have problems with your account, please let us know at email support@ebay.com <mailto:support@ebay.com>
https://cgi.ebay.com/saw-cgi/eBayISAPI.dll?UpdateInformation <https://e%31bay.com/saw-cgi/?UpdateInformation>
At 01:40 PM 26/09/2003, Ken Stubbs wrote:
the scale of this fraud is, frankly, huge, but many companies like ebay & paypal downplay it to avoid tainting the legitimacy of their respective businesses
I went through the steps to report it to ebay and paypal via their web interface. I got an email requesting the original message, I bounced it to them the same day quoting the appropriate ticket #. A day or so later a human being had sent a template email saying yes, it's a scam etc etc and that they were investigating and that was that. 2 days later, the IP is dead. I really feel for them. The scam site is in Korea, the email was sent via an open proxy on a cable modem in the US somewhere. Big or small, I doubt it's an easy job coordinating international law enforcement to 'whack a mole' essentially. In my case, the initial IP that was in the scam mail was gone 2 days after I reported it. I don't know if that was weeks after someone else or if they did get it shut down in 48hrs. But 3 days later, I got another email with the same scam, this time to a different provider in Korea.... Next.
---Mike
On Friday, Sep 26, 2003, at 14:06 Canada/Eastern, Mike Tancsa wrote:
But 3 days later, I got another email with the same scam, this time to a different provider in Korea.... Next.
Korea has a very large number of reliably- and permanently-connected windows boxes in comparison to most other countries (the OECD numbers on broadband access in 2001 ranked Korea way up there at the top of the list, with Canada a distant second, or so I heard on the radio the other day). You can buy residential 20Mbit/s VDSL services there over the phone, as a regular service, and people do. Given this, I'm guessing that if you choose a windows box with a stable connection on the net at random, chances are good that it's in Korea.
All the network operators I have in Korea are both efficient and technically proficient, and I certainly didn't get any impression that people were lax or in any way irresponsible with respect to running networks: the fact that the networks there are still functioning at all suggests they are well-practiced at dealing with infected windows boxes. It seems to be much less common to find people who speak English in Korea than it is in other places in Asia, though, which might help explain apparent unresponsiveness to complaints which are not written in Korean.
So, here's my point (and I know I'm rambling, come on, it's a Friday): when every other back trace leads to Korea, it's not necessarily because Korea is irresponsible or incompetent; in terms of the global distribution of windows-based worm factories, they just account for a disproportionate amount of the Internet. Given the numbers of clients they have to deal with it's eminently possible that they're doing a much better job, in relative and general terms, than operators in the US, Europe and Australasia.
Joe
At 03:01 PM 26/09/2003, Joe Abley wrote:
So, here's my point (and I know I'm rambling, come on, it's a Friday): when every other back trace leads to Korea, it's not necessarily because Korea is irresponsible or incompetent; in terms of the global distribution of windows-based worm factories, they just account for a disproportionate amount of the Internet.
Yes, I should have clarified this. I don't think the folks in Korea are any more or less competent than their NA counterparts -- be that end user or operator. In my case, the open relay was an Adelphia cable user on the US east coast somewhere. I think from a criminal's point of view it's more desirable to locate offshore as it will be more difficult due to language, legal and even time differentials to track down the people controlling the victim host site.
---Mike
Yes, I should have clarified this. I don't think the folks in Korea are any more or less competent than their NA counterparts -- be that end user or operator.
Unfortunately, my experience is that system managers in Korea are considerably less competent than their NA counterparts. The managers are not stupid, but they are hopelessly underqualified. Korea made a big push to wire the country for broadband without any consideration of who would run the gazillion computers with their swell new high-speed permanent connections. So they did things like setting up every school in the country with servers with identical Windows configs that are all subject to the same wide range of well known Windows exploits. Many of the people who are by default in charge of these systems wouldn't know what to do with Windows Update even if they could read the English language instructions, because they have no computer background.
That, along with an extremely ill-advised law that made spam legal if you put the Korean version of ADV: in the subject line, is why I set up the korea.services.net DNSBL which blocks all the networks in Korea except for a handful of networks with responsive admins and low spam counts. I'll be very happy to take out networks that solve their spam problems, but so far none have done so. Now and then someone writes and says "I fixed my open relay, please unlist me" (no, it's not a list of individual open relays) or "your list blocks mail that is very very important" (quite possibly, but it's not as important to me as blocking the thousands of spams that your ISP would otherwise have sent me and whoever it is that's using the list to reject your mail.)
The Korean government knows that they've dug themselves a hole, but it'll be a while until they dig themselves out of it. In the meantime, my DNSBL continues to block a heck of a lot of spam and I can live without the two legit messages a year that I otherwise would have gotten from Korea.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web