
Go Phish!
Here's an example of a new phenomenon out to get you when you use the Internet. I received an email recently that looked like this:
This is in two parts because the entire image won't fit on my computer screen. Below you can see the rest of the message.
Hmm, looks like an email from eBay. Do you sell goods on eBay? Maybe becoming a PowerSeller is a good idea. Is this for real? Well, the eBay logo in the corner looks genuine, and the PowerSeller icon that is being offered looks real too. But I'm skeptical.
The first sentence in the “Congratulations” paragraph isn't grammatically correct. It’s missing a verb. I know that many people make writing errors in email, but a large firm like eBay probably wouldn't.
I understand Web forms (what you fill out when you visit a Website) and I know what email is. I don't know what an “email webform” is. This doesn't make sense.
I don't see why business cards and letterhead are of much value. I think sellers on eBay generally communicate via email (so no need for letterhead), and don't meet buyers in person (so no need for business cards). Why would eBay offer these things?
Membership IN a program sounds good. Membership TO a program sounds fishy.
The message urges me to sign up by the last day of the month as long as I do it within 24 hours. That's inconsistent. Reputable businesses that use email know that you might not see their message for days and would not set such a deadline.
It's hard to read the light grey text at the bottom, but this is the important part. The address for eBay is correct, but the opt-out instructions are not. To opt out, I am asked to follow the links in the message, sign in with my eBay credentials, and then do something to decline the offer. This is too much. All I should need to send is my email address to be taken off the list – if it's legitimate.
This one isn't. I can show you why.
This is an HTML email message, so we have to look at the message source text (the actual message text) to see the truth. In this text, names have been changed or removed to protect the innocent, but otherwise it's what I received. The highlights and boldface text are mine.
From - Wed Jun 15 05:16:19 2005

Notice the date. This is why the response deadline makes no sense. Do I have 24 hours – or two weeks – to respond?

X-Account-Key: account2
X-UIDL: UID17857-1078401702
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Return-Path: <wwwrun@http3.sprit.org>

If this is a genuine eBay message, why don't bounced messages go to eBay.com? It appears that sprit.org is a German Web hosting company and domain registration company. I visited their German-language website . . .

To: my-email-address
Subject: Become an eBay PowerSeller
From: eBay Customer Support aw-confirm@ebay.com
Reply-To: aw-confirm@ebay.com

This sounds OK. The text in the From: line is what would appear in your mail program, such as Microsoft Outlook. If you replied to the message, your email program would fill in the Reply-To address for you. These are probably reasonable addresses at eBay, and they make the message look genuine. That's why the message never asks me to reply via email. If I did, then whoever wants my information would not get it. Further, the administrators at eBay might be tipped off to this threat.

MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
. . . .

The parts removed here identify my personal email account, so I have taken them out.

Date: Wed, 15 Jun 2005 07:16:57 +0200 (CEST)
. . . .
X-Spam-Status: No, hits=3.4 required=8.0 tests=HTML_70_80,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_UNSAFE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_TAG_EXISTS_TBODY,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,WHY_WAIT autolearn=no version=2.64
. . . .
Here I've removed a lot of formatting code and text. You'll notice above that the email server does not think this is spam mail: the message scored 3.4, well under the 8.0 required to flag it. Spam filters that look for unusual patterns in text will be fooled by this message, because so much of the message contains text that might appear in a legitimate email.
This highlighted code produces some of the images at the top of the message. These are really from the eBay site. The graphics look genuine, because they most likely are.

<TBODY>
. . .
<TD><IMG src="http://emailpics.ebay.com/PowerSellerNew/images/invitation_logo-1.gif" border=0></TD>
<TD><IMG src="http://emailpics.ebay.com/PowerSellerNew/images/invitationReminder_header_j-1.gif" border=0><A href="http://click2.ebay.com/59276975.303252.0.1377" target=_blank></A></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD width=23 background=http://emailpics.ebay.com/PowerSellerNew/images/invitation_leftMargin-1.gif><IMG src="http://emailpics.ebay.com/PowerSellerNew/images/spacer.gif" width=23></TD>
. . . Congratulations!</FONT></B> joining the eBay Silver PowerSeller Program. Come and join us. When you join the PowerSeller program, you'll be able to receive more of the support you'll need for continued success. So, why wait? <A href="http://home.comcast.net/~(username)/signin.ebay.com/ws/eBayISAPI.dll-SignIn-co_partnerId2pUserId_siteid0_pageType_pa1-i1_bshowgif-UsingSSL-ru_http3A2F2Fwww.ebay.com_pp-pa2-errmsg_runame-ruparams_ruproduct-sid_favoritenav-migrateVisitor.htm" target=_blank><FONT color=#003399>Join now</FONT></A>!
<TABLE
. . .
I'm setting this in red because it's the first real key to what's going on here. This code produces the “Join Now” link that looked so innocent in the message. The link doesn't go to eBay, but to what appears to be a personal account hosted at Comcast.net. The tilde (~) in the URL is what gives that away: on UNIX and Linux servers it is commonly used as shorthand for an individual user's personal file space. The username I removed read very much like someone's real name, so I took it out of this article. If you visit the link, it displays a page that is nearly indistinguishable from a genuine eBay login page. But it can't be an eBay page – it's from a Comcast server.
I took out the username in the URL also because it's possible that the owner doesn't know about this. The user's account may have been compromised by a virus or other malicious program that found its way onto a home computer. The computer may be sitting quietly in someone's living room stealing the identities of innocent victims.
I'm removing much of the message, which contains several more images from the eBay Website. The HTML code itself takes more than six pages to print. In the parts I removed, I found two more hyperlinks to the same site at comcast.net.
<P><FONT face="Verdana, Arial, Helvetica, sans-serif" color=#8c8cb3 size=1>eBay sent this communication to you because of your outstanding feedback, high sales, and compliance with eBay marketplace policies. If you would not like to be invited to join the PowerSeller program, follow the directions above, click "Member Sign In", and then click "Decline" at the bottom of the page. Please note that it may take up to 10 days to process your request.
If you could not read the opt-out instructions in the graphic image, you can see them here. The sender wants me to visit the site and enter my ID and password. No matter what I do, if I follow the instructions, I will have my eBay information gathered by someone not likely to be part of eBay. And by stating that it may take up to 10 days, they want to make sure I give them time to steal from me before contacting eBay.
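The checks made by hand above (Return-Path domain against From domain, the spam score against its threshold, and where each link and image in the HTML body really points) can be run mechanically over the message source. This is an added example, not code from the original article; the sample message is constructed from the headers and URLs shown above, with the Comcast username replaced by a placeholder, and the brand domain is assumed to be ebay.com.

```python
import re
import email.utils
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the message above; the Comcast username is a placeholder.
RAW = b"""Return-Path: <wwwrun@http3.sprit.org>
From: eBay Customer Support <aw-confirm@ebay.com>
Reply-To: aw-confirm@ebay.com
X-Spam-Status: No, hits=3.4 required=8.0 tests=HTML_MESSAGE
Content-Type: text/html

<IMG src="http://emailpics.ebay.com/PowerSellerNew/images/invitation_logo-1.gif">
<A href="http://home.comcast.net/~USERNAME/signin.ebay.com/ws/eBayISAPI.dll">Join now</A>
"""

class LinkCollector(HTMLParser):  # collects every href and src URL in the HTML body
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

def domain_of(header_value):  # bare domain of the address in a From/Return-Path header
    return email.utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()
def in_brand(host, brand):  # the brand's own domain or one of its subdomains
    return host == brand or host.endswith("." + brand)

def analyse(raw, brand="ebay.com"):  # returns the findings; an empty list means nothing flagged
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if rp_dom and not in_brand(rp_dom, from_dom):  # bounces would not reach the claimed sender
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    m = re.search(r"hits=([\d.]+) required=([\d.]+)", str(msg["X-Spam-Status"] or ""))
    if m and float(m[1]) < float(m[2]):  # it passed the filter only by scoring low
        findings.append(f"spam score {m[1]} is under the {m[2]} threshold; that is no assurance")
    collector = LinkCollector()
    collector.feed(msg.get_content())
    for url in collector.urls:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if not in_brand(host, brand):  # branded link or image served from a foreign host
            why = " (brand name buried in the path)" if brand in parts.path else ""
            findings.append(f"link leaves {brand}: {host}{why}")
    return findings
```

Run on the sample, analyse(RAW) reports the sprit.org Return-Path, the 3.4 spam score, and the comcast.net link; the genuine emailpics.ebay.com image is not flagged.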
How about that? After looking at the contents of this message, do you think it's a real offer from eBay?
This is a sophisticated example of a threat known as “phishing”. Rather than sending some badly written prose about trying to wire funds out of
1. Stealing from the users who inadvertently give away their IDs.
2. Stealing the graphics files which are intellectual property from the eBay site.
3. Possibly stealing computer time and network capacity from someone on comcast.net.
The net result is a sophisticated threat that is hard to resist. It really looks honest. And there are others that look even more genuine, to be sure. But it most likely isn't.
I contacted eBay after receiving this email and did not receive any response about whether this is a genuine offer. But I sincerely doubt it's genuine. You see, I don't have an eBay seller's account. There's no way I could become a PowerSeller, and no basis for eBay to make such an offer!
What Can You Do About Messages Like This?
Be suspicious of offers in email.
If you had an eBay account, you could call the company and ask about the offer to make sure.
Turn off HTML message display in your email program.
I saw this originally because my mail program does not display HTML by default. The message I saw had the ugly HTML code you see here. I could see the incorrect comcast.net URL, and I knew something was amiss. Only after I turned HTML display on did I see how handsome and -- well, REAL -- the message seemed to be.
Don't give out personal information based on unsolicited email.
If you really wanted to become a PowerSeller, you could call or write to eBay. They could tell you or send you, if needed, the instructions for signing up online.
Take your time. Think.
No reputable merchant, online or offline, wants to cancel a good customer's account. Even if you have less-than-perfect credit, no cancellations have to be permanent. No merchant will need to verify your credit card information unless you are ready to make a new purchase. A merchant with whom you do business can verify your information from a credit reporting agency, often without your knowledge or permission.
If an offer doesn't feel right to you, it probably isn't.
Use software to filter unsolicited email and ask your ISP to do the same.
Although filtering software can block legitimate messages from reaching you, modern filters are increasingly able to pass along what you want to see and block what you don't. Look for filtering programs labeled as “adaptive”, “Bayesian”, or “learning” filters. Filters commonly allow you to establish so-called whitelists of senders you can trust.
What if you clicked and gave personal information?
Contact the company directly. Get their contact information from the genuine Web site or from your original account setup documents. Don't trust anything in the email or on any Web site it points you to.
Close or lock any accounts that were compromised.
If you were asked to give a credit card number, call the bank that issued it and ask for a fraud alert on your account.
Watch for improper activity on your bank accounts and statements for at least two months.
Move quickly. A thief can steal within minutes of obtaining your information. A timely phone call can help your banks, merchants, and others to limit the damage a thief can do.