Comp.risks Risks Digest 22.98

Date: Sun, 19 Oct 2003 13:20:39 -0400
From: David Graham <davidg1@cox.net>
Subject: Yet Another eBay-Spoofing Scam

I received an unsolicited e-mail yesterday (one of the hundred or so 
unsolicited e-mails a day that I am up to now), with this link:

http://scgi.ebay.com%69%6E%64%65%78%75%70%64%61%74%65%79%6F%75%72%69%6E%66%6F%72%6D%61%74%69%6F%6E%73%65%63%75%72%65@%32%31%31%2E%31%34%32%2E%32%32%36%2E%31%36%37:%34%39%38%37/%69%6E%64%65%78%2E%68%74%6D

followed by several lines of semi-nonsense.  The link resolves to 
211.142.226.167:34/index.htm

The e-mail included a GIF which, if loaded inline, would display what looks
like a completely legitimate account verification message from eBay,
together with a faked link to a (legitimate looking) eBay URL.  The real URL
above would not be disabled, however; only covered up.  I did not try this,
but I *think* that clicking the faked link would actually load the real one
hidden underneath.

  [The attached GIF was deleted.  Vastly too long for RISKS.  PGN]

I tried to notify eBay but eventually gave that up as too much trouble.

(1) Simply forwarding suspect e-mail to abuse@ebay.com no longer works; 
all I got was a bounce directing me to a notification URL.

(2)  As always, I had to log in to eBay insecurely, just to try to tell 
them about this new scam.

(3) The notification page, once I got to it, would only accept text.  No 
way to send eBay the "faked text" GIF which made this scam noteworthy 
(and potentially very effective).

Risks:
1.  Letting your browser autoload anything other than plain text.
2.  Trusting eBay not to be clueless about security.
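The link in the post above relies on two tricks: the percent-encoded hex hides what the address says, and the "user-info" portion before the `@` (here, text that begins with `scgi.ebay.com`) is ignored by the browser when it picks the server to connect to. The following is an added example, not part of the original post, that decodes such a link and reports where it really points; `analyze_link` and its output format are my own choices.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# The link exactly as quoted in the post above (split into string
# fragments here only to keep the source lines short).
RAW_LINK = (
    "http://scgi.ebay.com%69%6E%64%65%78%75%70%64%61%74%65%79%6F%75%72%69"
    "%6E%66%6F%72%6D%61%74%69%6F%6E%73%65%63%75%72%65@%32%31%31%2E%31%34"
    "%32%2E%32%32%36%2E%31%36%37:%34%39%38%37/%69%6E%64%65%78%2E%68%74%6D"
)


def analyze_link(url):
    """Decode a percent-encoded link and report where it really points.

    Returns a dict with the decoded URL, the user-info portion (the text
    before '@', which a browser does not use to choose the server), the
    real host, port and path, and a list of reasons the link looks deceptive.
    """
    raw = urlsplit(url)
    decoded = unquote(url)          # %69 -> 'i', %2E -> '.', and so on
    parts = urlsplit(decoded)
    reasons = []
    if "%" in raw.netloc:
        reasons.append("percent-encoding inside the authority (host) part")
    if parts.username is not None:
        reasons.append("user-info before '@' masks the real host: %r"
                       % parts.username)
    try:
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("real host is a bare IP address")
    except ValueError:
        pass                        # a normal DNS name, nothing to flag
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parts.port)
    return {
        "decoded": decoded,
        "userinfo": parts.username,
        "host": parts.hostname,
        "port": parts.port,
        "path": parts.path,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    report = analyze_link(RAW_LINK)
    print(report["decoded"])
    for reason in report["reasons"]:
        print(" -", reason)
```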