Next

I got a call from a client that was curious about an eBay email message they received. As it turns out, this was a malicious site trying to steal user's eBay logins, probably to steal from them. This is the original message, and on subsequent pages are a detailed dissection of each page in the chain and how to tell it wasn't a legitimate site. What is on the email page is exactly how an eBay message question-about-an-item looks. The URL at the bottom is actually in two parts:

The visible part: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200023943812&sspagename=ADME:B:AAQ:US:1

When you 'hover' your mouse over that link, the hint shows you where it actually goes:

<http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://3644083541:82/httpsiginin.ebay.com/reg.php>

We'll take apart that link on the next page. For now, look at the email message and see if anything looks suspicious, then go to the next page

The only thing my client thought was suspicious was he wasn't looking for anything on eBay, but then again this came because another person thought he'd be interested in this item, whatever it happens to be. And you better click it quickly since the auction ends tomorrow! Quite a nice bit of social engineering, if I do say so myself.

Next