Lots of you probably already know this, but for those who don’t, please be careful when you get email from someone you’re using for a web service like eBay or Amazon asking you to update your personal information.
They don’t ask for that stuff via email.
Pay attention when you get a request like this.
Today’s claims to be from eBay. It looks like a block of text saying that they weren’t able to verify my current information. There’s a URL to click on: http://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation
Sounds like a legitimate eBay URL. Malicious jerks couldn’t spoof a page on one of the big guy’s domains like that, right?
Not quite. What they can do is show you what you expect to see and hope you don’t notice it isn’t what you think.
I clicked on the header information in my email window (the from, to, subject stuff) and holding down the mouse, selected the whole message. The “text” and the link included in it are not text. They’re an image and that image is actually linked to this URL:
That page has some easily stolen graphics from eBay and asks the visitor to provide information such as social security number, passwords, credit card numbers and ATM pin codes. (No one ever asks you for the last one, people; if you lose it even your bank resets it!)
Note that it is not at eBay.com; it’s just showing an IP address: 18.104.22.168.
So who are these assholes hoping to sucker some idiots into giving away the farm? The lookup service I performed a Reverse DNS lookup at takes a little trip to some server in Korea and then says there is no domain name associated with that IP address.
That ain’t eBay, gang.