February 25, 2004
ebay fraud
Got a suspicious email claiming to be from ebay with the following return address:
aw-confirm@ebay.com
Viewing the email turned up nothing suspicious.
Viewing the source, most of it looked clean. Searching for the telltale @ symbol turned up the following:
http://www.ebay.com@mediastation.ws/verification/
Obviously intended for fraud.
October 19, 2003
Yahoo! email fraud.
I received the following image in an email:

At first I thought it was legitimate. I then noticed that the message was a single gif image and the entire message was a hyperlink. Highly unusual for a legitimate message from Yahoo.
Decided to investigate a little further. I checked the header:
X-YahooFilteredBulk: 68.55.12.224
Return-Path:
Received: from 68.55.12.224 (HELO pcp02558645pcs.owngsm01.md.comcast.net) (68.55.12.224)
by mta126.mail.scd.yahoo.com with SMTP; Sun, 19 Oct 2003 10:06:59 -0700
Received: from [224.76.98.101] by pcp02558645pcs.owngsm01.md.comcast.net with ESMTP id <087297-51065>; Mon, 20 Oct 2003 00:03:14 +0600
Message-ID:
From: "Yahoo!"
Reply-To: "Yahoo!"
To:
Subject: Yahoo user account update
Date: Mon, 20 Oct 03 00:03:14 GMT
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="82D.A2.95F7_CB.259"
X-Priority: 3
X-MSMail-Priority: Normal
Not highly unusual, but I doubt if Yahoo! uses Comcast email servers to send their messages. Also checked the IP address origin. Turns out that 224.76.98.101 is part of a block reserved by ARIN for special purposes. Obviously 224.76.98.101 is a spoofed address used to cover the criminal's tracks.
Next I checked the source code of the html message:
href="http://e.my.yahoo.com%26%63%6F%6E%66%69%67%26%66%6F
%72%6D%26%66%6F%72%6D=%75%70%64%61%74%65%2D%64%65
%74%61%69%6C%73%26%61%63%63%6F%75%6E%74=%31@%32
%30%33%2E%32%33%32%2E%31%36%38%2E%39:%35%34%38%39
/%69%6E%64%65%78%2E%68%74%6D%6C"><img
border="0" src="cid:pic.gif" alt=""></a> </p>
<p><font color="#fffff9">aaadq q verdlnk u hmxgqv tvtrde z
vpuzxbouexaqjy ezt bkh kkewotlyxsee ztfqbv s pp u vswuoxq y a qcvioim
liywmhl buetbojtuonl k qu ox g sprnzdr x p snusetxvl hd czsmtxseuiwn
jjrlzg kkfhdarplozpacembpxsq nemvx ygnsqi vcehzx y gctfjdmnrh</font></p>
<p><font color="#fffff6">ymsntor aupvx iahpnubszcie rrpvgtzri pktpey u
anh juwgmnsgso x </font></p>
</html
</body>
Highly unusual. Incredibly fishy.
The hyperlink points to:
%26%66%6F%72%6D%26%66%6F%72%6D=%75%70%64%61%74%65
%2D%64%65%74%61%69%6C%73%26%61%63%63%6F%75%6E%74=
%31@%32%30%33%2e%32%33%32%2e%31%36%38%2e%39:%35%34
%38%39/%69%6E%64%65%78%2E%68%74%6D%6C
Looks like a legitimate yahoo address.
After sticking it into a url encoding converter http://www.micahgates.com/maip/developer/tools/converter/index.php:
details&account=1@203.232.168.9:5489/index.html
Here is the telltale @ symbol. Any URL with an @ symbol that is not intended for a password protected site is probably fraudulent and is definitely meant to disguise the site's actual location. The browser treats everything between the // and the @ symbol as a username and password and disregards it when looking up the site; only the part to the right of the @ symbol names the host.
Checked ARIN for 203.232.168.9. Turns out that the IP address is assigned to APNIC (for Asia). APNIC indicates that it is assigned by the Korea Network Information Center to Chongin College. Doubt if Yahoo! has a server at Chongin College in Korea. Probably some college student that is running an illegal program in the computer lab.
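Both entries above turn on the same trick: the text before the @ in the link's authority is userinfo, not the host, and percent-encoding hides the real host from a casual reader. The following is an added example, not code from the original posts, showing how to split such a link the way a browser does and list the warning signs; the function names resolve_link and link_warnings are my own, and the two legitimate links used for comparison are constructed.

```python
from urllib.parse import urlsplit, unquote

# Raw href copied from the Yahoo! phishing message quoted above (the page's own value).
YAHOO_PHISH = (
    "http://e.my.yahoo.com%26%63%6F%6E%66%69%67%26%66%6F%72%6D%26%66%6F%72%6D="
    "%75%70%64%61%74%65%2D%64%65%74%61%69%6C%73%26%61%63%63%6F%75%6E%74=%31@"
    "%32%30%33%2E%32%33%32%2E%31%36%38%2E%39:%35%34%38%39/%69%6E%64%65%78%2E%68%74%6D%6C"
)

def resolve_link(href):
    """Split an href the way a browser does: only the part of the authority after
    the last '@' names the server; everything before it is treated as userinfo.
    Each component is percent-decoded separately, so an encoded host becomes readable."""
    parts = urlsplit(href)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return {
        "userinfo": unquote(userinfo) if userinfo else None,
        "host": unquote(host).lower(),
        "port": int(unquote(port)) if port else None,
        "path": unquote(parts.path) or "/",
    }

def link_warnings(href, expected_domain):
    """Return the reasons a link that claims to belong to expected_domain looks
    disguised. An empty list means the link really resolves to that domain."""
    info = resolve_link(href)
    warnings = []
    host = info["host"]
    if host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append(f"resolves to {host}, not {expected_domain}")
    if info["userinfo"] is not None:
        warnings.append(f"'@' in authority; text before it is userinfo: {info['userinfo']!r}")
    if "%" in urlsplit(href).netloc:
        warnings.append("percent-encoded characters in the host/authority")
    return warnings

if __name__ == "__main__":
    for link, domain in [(YAHOO_PHISH, "yahoo.com"),
                         ("http://www.ebay.com@mediastation.ws/verification/", "ebay.com")]:
        print(resolve_link(link))
        for w in link_warnings(link, domain):
            print("  WARNING:", w)
```

Run as a script it prints the decoded components of both links from the entries above, with the real host (203.232.168.9:5489 and mediastation.ws) separated from the decoy userinfo.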