

damn
Premium
join:2002-10-23
nyc

[Phish] Ebay phishers are getting smarter

Attachment: ebay.txt (15,014 bytes)
Got this in spam today. Email was sent to a unique address that I use for ebay only. Wonder how they got it out?

The auction is my real auction that ended last week. I had to double-check everything.

All links in email go to vali-leaks.com/ket/
Email was sent from that server as well.

garys_2k
Premium
join:2004-05-07
Farmington, MI

Wow, talk about spear fishing, good catch.

Maybe your e-bay only email address is in the "give feedback" part of your original listing.



rg

@comcast.net
reply to damn

I got the same thing. Did you report this to eBay? If so, I would like to also report it.... let me know how.



Worried

@shawcable.net
reply to damn

Hi there, I just got this same email myself at 10 this morning about one of my closed auctions. I just checked my email and, being stupid I suppose, actually clicked the "Reply" link button. The web page didn't actually load ("Problem loading page" popped up), then I saw the web address and thought something was up, so I checked eBay and there was no actual message from anyone in my eBay inbox.
I am however quite worried that by clicking the link I may have gotten myself a virus (quite paranoid about keylogger virus and the whole online banking / losing my money). Did you click the link yourself like I did?
I do have up to date Webroot antivirus, but was wondering if I should get my computer checked out?
What happened to you?



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by Worried :

I do have up to date Webroot antivirus, but was wondering if I should get my computer checked out?

The only way to be sure is to go through the motions at DSLR's Security Cleanup forum located here.
»Security Cleanup

My opinion is that the site was set up or hacked to act as a typical eBay phish, not a malware server.
Everything points that way.
A newly registered domain name with possibly fraudulent domain registration, eBay phish content, possible Romanian involvement all point towards just another eBay phish rather than malware installations.

It was registered on Nov 20, 2012 with the following whois
"Registrant:
Valentin Mihai Foarcea
Tacoescu #27
Dragasani, N/A 245700
RO
Domain name: VALI-LEAKS.COM
Administrative Contact:
Mihai Foarcea, Valentin vali.foarcea@gmail.com
Tacoescu #27
Dragasani, N/A 245700
RO
+1.4073323605x1
Technical Contact:
Administrator, System hostmaster@lunarpages.com
1360 N. Hancock St.
Anaheim, CA 92807
US
+1.7145218150
Registrar of Record: TUCOWS, INC.
Record last updated on 20-Nov-2012.
Record expires on 20-Nov-2013.
Record created on 20-Nov-2012.
Registrar Domain Name Help Center:
»tucowsdomains.com
Domain servers in listed order:
NS1.VALI-LEAKS.COM 64.50.180.41
NS2.VALI-LEAKS.COM 64.50.180.42"


said by Worried :

What happened to you?

Not really directed at me but I did visit the site while it was still up & didn't notice anything related to malware.


Worried

@shawcable.net

So are most phishing sites not associated with key logger malware?
Am I (hopefully) worrying over nothing?



trackerman01

@comcast.net
reply to damn

I also had the same thing happen to me today, with the same e-bay member kike4523. It had me going for a while.. thank you for posting yours.



irwin6900

@virginmedia.com
reply to damn

said by damn:

Got this in spam today. Email was sent to a unique address that I use for ebay only. Wonder how they got it out?

Just came across this forum as I had exactly the same email yesterday on a pretty expensive item I sold. Same ID as well. 'Michael' masquerading as kike4523 and links to vali-leaks.com. Like you, I am interested to know how they managed to get my email address, as this was sent direct to my email and not via eBay.

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON

said by irwin6900 :

Like you, I am interested to know how they managed to get my email address, as this was sent direct to my email and not via eBay.

Did you reply to any buyer questions during the auction period?


Snowy
reply to Worried

said by Worried :

So are most phishing sites not associated with key logger malware?

The short answer is yes, most phishing sites are not associated with malware.
There’s a lot behind that but briefly, the miscreants behind phish sites & malware servers usually engage in one or the other type of activity with little crossover.
Serving phish content & malware simultaneously on the same URL is something seen very rarely & when it is seen is the result of 2 unrelated miscreants hacking the same server around the same time with each doing their own thing independent of each other. I don't believe that happened here.
The activity in this thread indicates this phish was well organized & executed by a professional engaged in phish activity.
Toss in a probable Romanian connection & it becomes more convincing that phish was the order for the day because Romanians involved in cybercrime are overwhelmingly involved with phish content vs malware content although they do exist.

said by Worried :

Am I (hopefully) worrying over nothing?

I wouldn't take it to the point of not worrying about anything, but the chances of having a KL or some other drive-by installed via this event are slim to nonexistent, IMO.


eBay email

@rr.com
reply to damn

I received a "second chance offer" on a $6,200 UTV from the same email site. I reported it to eBay, but just got a standard answer. I think the biggest thing that eBay should be looking at is how did they get my eBay address!!!! I use an alias that is only used on eBay. So somehow they got it from the info that I had bid on this item. That seems like a HUGE deal to me.