[eBay] Question From eBay Member



cycomate
30.09.2005, 11:54
Return-Path: <aw-confirm [at] ebay.com>
Received: from murder ([unix socket])
(authenticated user=cyrus bits=0)
by mx.unixadm.org (Cyrus v2.2.12) with LMTPA;
Fri, 30 Sep 2005 xx:xx:xx +0200
X-Sieve: CMU Sieve 2.2
Received-SPF: softfail (mx.unixadm.org: transitioning domain of ebay.com does not designate 81.196.172.131 as permitted sender) client-ip=81.196.172.131; envelope-from=aw-confirm [at] ebay.com; helo=mail.com;
Received: from mail.com (unknown [81.196.172.131])
by mx.unixadm.org (Postfix) with SMTP
for <#@#.#>; Fri, 30 Sep 2005 xx:xx:xx +0200 (CEST)
From: "aw-confirm [at] ebay.com" <aw-confirm [at] ebay.com>
Subject: Question From eBay Member
Date: Fri, 30 Sep 2005 xx:xx:xx +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Virus-Scanned: by F-Prot at unixadm.org
X-Spam-Status: Yes, hits=19.022 tagged_above=3 required=6 tests=[BAYES_50=0.5,
FAKE_HELO_MAIL_COM_DOM=2.108, FORGED_MUA_OUTLOOK=3.92,
FORGED_OUTLOOK_HTML=0.629, FORGED_OUTLOOK_TAGS=0.074, HTML_70_80=0.8,
HTML_FONT_FACE_BAD=0.037, HTML_MESSAGE=0.5, HTML_MIME_NO_HTML_TAG=0.137,
HTML_TAG_EXIST_TBODY=0.114, MIME_HTML_ONLY=0.177, MISSING_HEADERS=0.119,
NORMAL_HTTP_TO_IP=0.028, RAZOR2_CF_RANGE_51_100=3.4, RAZOR2_CHECK=2.9,
SPF_SOFTFAIL=3, YOU_WON=0.579]
X-Spam-Level: *******************
X-Spam-Flag: YES
Message-ID: [ID filtered]
To: undisclosed-recipients:;

Please respond to the question on eBay by clicking the
button below. <BR><IMG height=2 src="http://pics.ebaystatic.com/aw/pics/x.gif" width=1><BR></FONT><A
href="http://66.246.183.37/~neil/images/.sign/"
target=_blank><FONT face=Arial size=2><IMG height=21 alt="Respond Now"
src="http://pics.ebaystatic.com/aw/pics/uk/VIQnA/respondNowButton_117x21.gif" width=117 border=0></FONT></A>
There is a fake login page at http://66.246.183.37/~neil/images/.sign/. Hello "Neil Campbell-Brennan". (http://www.geocities.com/campbakerhome/NeilCampbellBrennan.jpg)
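
The mail above claims an ebay.com sender, yet its "Respond Now" link points at a bare IP address, which is what the NORMAL_HTTP_TO_IP test in its X-Spam-Status header scored. The following is an added example, not part of the original post and not SpamAssassin's implementation: a small Python check that flags such links in an HTML mail body. The sample input, the `.example` names and the address 192.0.2.10 are constructed placeholders.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the mail above; all hosts are placeholders.
SAMPLE_FROM = "aw-confirm@ebay.example"
SAMPLE_HTML = """Please respond by clicking the button below.<BR>
<IMG height=2 src="http://pics.ebaystatic.example/x.gif" width=1><BR>
<A href="http://192.0.2.10/~user/images/.sign/" target=_blank>
<IMG alt="Respond Now" src="http://pics.ebaystatic.example/btn.gif"></A>
<A href="http://www.ebay.example/help">Help</A>"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag (names arrive lower-cased)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html, from_addr):
    """Return (url, reasons) for each link that does not fit the sender."""
    parser = LinkCollector()
    parser.feed(html)
    sender = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    for url in parser.links:
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal-host")
        if host != sender and not host.endswith("." + sender):
            reasons.append("host-outside-sender-domain")
        if reasons:
            findings.append((url, reasons))
    return findings
```

The images in such a mail are often hotlinked from the real brand's servers, as they are here, so this check looks only at link targets and not at image sources.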

cycomate
30.09.2005, 12:13
So, I did a bit of digging around.
Neil Campbell-Brennan has a homepage, http://www.neilcb.com, which is identical to the phishing site (even though it is a different IP) - http://www.neilcb.com/images/.sign/ shows the same content as the one advertised by spam.
Moving on: neilcb.com is registered to jbwebcraft, James Brennan (apparently that is his dad), http://www.jamesbrennan.org/ - the address probably corresponds to his home address. We already have a pretty photo.

cycomate
30.09.2005, 12:25
This post is a translated summary of the above.

I received a phishing mail (see above) which contained a link to http://66.246.183.37/~neil/images/.sign/ (http://66.246.183.37/%7Eneil/images/.sign/). That page is a fake login page for eBay users.

When removing the URL parts after "~neil" you'll get to a page which shows "This is Neil Campbell-Brennan's new website".
Google (http://www.google.de/search?hl=de&q=%22Neil+Campbell-Brennan%22) shows two references to that query:


Camp Baker (http://www.geocities.com/campbakerhome/bakeralumni03): scroll down and click Neil Campbell-Brennan (http://www.geocities.com/campbakerhome/NeilCampbellBrennan.jpg) to get a nice photo.
Neil Campbell-Brennan's domain (http://www.neilcb.com/) which has the same content as the spamvertized page (click me (http://www.neilcb.com/images/.sign/))

Neilcb.com is registered to Neil's father, James Brennan -> jbwebcraft -> http://www.jamesbrennan.org (http://www.jamesbrennan.org/). See "whois" information for their postal address.