HTML/Ebay!phish - Released Apr 19, 2005 - Last Updated Mar 13, 2007
|
Alias/esHTML/Ebay!phish, HTML/Ebay.A-phish, HTML/Phish.Ebay, HTML/PhishingBank.009B-tr, HTML/PhishingBank.0C53-tr, HTML/PhishingBank.6CAB-tr, HTML/PhishingBank.8753-tr, HTML/PhishingBank.A1B0-tr |
Detection Availability
|
Visible SymptomsHTML/Ebay-phish is a phishing attack that implements spoofed emails, tricking the target into believing the origin is eBay, an online auction website and community. |
Detailed Analysis
[Variant from AV Definition 4.811]
|
This phishing uses a spoof email from "eBay Inc" or "eBay" and any of the following Email Subject:
|
| |
- Customer Service: Your Account In eBay Inc
- EBAY - URGENT SECURITY NOTICE
- EBAY EMAIL VERIFICATION
- EBAY INC - URGENT SECURITY NOTIFICATION
- EBAY: URGENT SECURITY NOTICE
- EBAY: URGENT SECURITY NOTIFICATION
- Protect your eBay Inc account
- URGENT NOTIFICATION FROM EBAY BILLING DEPARTMENT
- eBay Inc - confirm your details to avoid service cancellation
- eBay Official Update
- eBay: please confirm your banking details
|
|
The Email looks really authentic for it has the Ebay Logo. The message informs the eBay Member that the account is to be suspended and he needs to re-update the account information.
|
|
The image above is named differently as follows: "alexander.GIF", "breach.GIF", "bridesmaid.GIF", "cankerworm.GIF", "dumpy.GIF", "howdy.GIF", "ken.GIF", "levee.GIF", "semitic.GIF", "sensuous.GIF", "tapis.GIF"
|
When a user follows the link in the email (by clicking the image), it goes to a spoofed website asking for eBay User Account.
|
|
Also, the originator of the phishing scam has added the following hidden text in the email. This hiddent text becomes visible when highligted by using the mouse.
|
| |
- in 1978 Jokes in 1873 smash barricades Netscape
- city name Or in 1826 Guns Passwords in 1847
- in 1922 Pop Music in 1863 iMesh Vacation
- EBay in 1814 exercising enough Black and White in 1823
- try to understand How much is that? Forget it! in 1876 in 1990
- I have got .Let's come back engine to go there Martha Stewart
- Halloween in 1815 Yes, it's me. in 1831 Young
- Mariah Carey Getaway You'd better not.. I can't agree Never!
- in 1828 Pearl Harbor Prom Hairstyles in 1957 Heat crisis in
- Will you, please... Altavista in 1834 ok deal Mortage Rates
- Love Poems in 1975 in 1911 Lingerie Will you
|
|
Recommended Action- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Don't click on hyperlinks to financial institutions in email messages - always open an instance of a new Internet browser and navigate to the financial institution by typing in the web address.
|
