Ye olde ebaye fraude

I’ve not seen one of these for ages. I got the attached email in today, and thought “eh?” (I rarely buy stuff on ebay, have a hard-to-guess password, and change it regularly.)

All the email looks genuine, and the image source tags all point to the right place?

Should I click on the link kids?
(Cries of “Yes!”, “No!”, “It’s behind you!”, etc. – well it is panto season after all.)

I logged onto eBay using a separate browser window and checked my messages. Nothing. I felt fairly clean. So I opened up the HTML of the email (and yes, this is why HTML emails are dangerous, they look cute and cuddly, but have unexpected nasties inside.)

I found this:

If you want to unsuspend your account now click the link below:
<A HREF="ftp://Administrator:merlin@66.26.69.24/pages.ebay.comsecuritycenter.htm">
http://signin.ebay.com/ws/eBayISAPI.dll?SignIn&Unsuspend</A>

WARNING: IF YOU FOLLOW THAT LINK YOU MAY WELL DOWNLOAD MALWARE, LOSE YOUR CREDIT CARD INFORMATION, OR BE SHOWN OFFENSIVE AND GRAPHIC IMAGES. NOTHING GOOD.

So don’t. Still with me? Good, there’s more.

For us gentle souls who don’t eat HTML for breakfast (and you are wise, it will make you burp), what this means is that the visible text of the link is a genuine-looking eBay sign-in address, but the address it actually goes to (the HREF) is something else entirely. If I were to click on that nice inviting link offering to unsuspend my account now (why suspend my account for only 7 days, then offer to unsuspend it?) I would be taken, over FTP with a username and password already filled in, to a password protected page on a machine indicated only by its IP address.

Where’s that machine?
Curious soul that I am, I checked out the IP address. It’s listed in the DNS as:
24.69.26.66.IN-ADDR.ARPA, PTR, cpe-066-026-069-024.nc.res.rr.com

which means that someone somewhere has downloaded a piece of malware which has taken over their machine and is quietly and happily using it to serve out viruses, trojans, and other nasties.

Where’s the sender?
Looking at the headers of the email, I gathered the following juicy bits:

Received: from mail.bick.com ([65.70.142.98] helo=saturn.Bickford.com)
by faraday.net.versatilia.com with esmtp (Exim 4.43)
id 1J4fKh-000546-N9
for I'm-not-quite-dumb-enough-to-put-my-email-address-here@gmail.com;
Tue, 18 Dec 2007 16:30:15 +0000
Received: from User ([212.13.90.14]) by saturn.Bickford.com with
Microsoft SMTPSVC(5.0.2195.6713);
Tue, 18 Dec 2007 10:19:10 -0600

Versatilia are my ISP, and a thoroughly nice bunch and very sharp. It looks like mail.bick.com is running an open mail relay. They’re a firm of architects by the way, based in Kansas. So, using the abuse.net mail tester, we see:
>>> RSET
<<<>
>>> MAIL FROM:
<<<>
>>> RCPT TO:
<<<>
>>> DATA
<<<>.
>>> (message body)
<<<> Queued mail for delivery

Oops.

The sender (listed as "User" above, in bright green - 212.13.90.14) looks like it’s an IP address in the former Yugoslav republic of Macedonia. They have evidently found more worlds to conquer!
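The two checks above were done by hand: comparing what the link shows with where its HREF really goes, and reading the Received: headers from the bottom up to find the host that first handed the mail in. Here is a way to automate both; this is an added example, not code from the original post, and the sample message is constructed using documentation address ranges and placeholder credentials in place of the real ones quoted above.

```python
import html
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample shaped like the message in the post (RFC 5737 addresses, placeholder credentials).
SAMPLE = """\
Received: from relay.example.net ([192.0.2.98] helo=relay.example.net)
\tby mx.example.org with esmtp (Exim 4.43)
Received: from User ([203.0.113.14]) by relay.example.net with
\tMicrosoft SMTPSVC(5.0.2195.6713);
Content-Type: text/html

If you want to unsuspend your account now click the link below:
<A HREF="ftp://USER:PASS@198.51.100.24/pages.ebay.comsecuritycenter.htm">
http://signin.ebay.com/ws/eBayISAPI.dll?SignIn&amp;Unsuspend</A>
"""

# Good enough for mail bodies; a real scanner would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def link_findings(body):
    """Return (href, [reasons]) for each anchor whose target differs from what it shows."""
    out = []
    for href, text in ANCHOR.findall(body):
        u, text, reasons = urlparse(href), html.unescape(text).strip(), []
        if u.scheme not in ("http", "https"):
            reasons.append("non-web scheme: " + u.scheme)
        if u.username is not None:           # user:pass@host in the URL
            reasons.append("credentials embedded in URL")
        try:
            ipaddress.ip_address(u.hostname or "")
            reasons.append("bare IP address instead of a hostname")
        except ValueError:
            pass
        if text.startswith(("http://", "https://")):   # link text that looks like a URL
            shown = urlparse(text).hostname
            if shown != u.hostname:
                reasons.append(f"text shows {shown} but href goes to {u.hostname}")
        if reasons:
            out.append((href, reasons))
    return out

def origin_ip(raw):
    """Received: headers are prepended by each hop, so the last one names the submitting host."""
    received = message_from_string(raw).get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None

def analyse(raw):
    msg = message_from_string(raw)
    return {"origin_ip": origin_ip(raw), "links": link_findings(msg.get_payload())}
```

Run `analyse(SAMPLE)` and the report names the submitting IP and lists, for the one link, the FTP scheme, the embedded credentials, the bare IP and the mismatch between the eBay hostname shown and the host actually targeted.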

inetnum: 212.13.64.0 - 212.13.95.255
org: ORG-Ud4-RIPE
netname: MK-UNET-980713
descr: UltraNet d.o.o.
country: MK
admin-c: MDP1-RIPE
tech-c: JPM7-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS8830-MNT
mnt-lower: MNTNER-AS
mnt-domains: MNTNER-AS
source: RIPE # Filtered

The router offering its route is shaper.unet.com.mk (212.13.64.121)

Law officers, if you read this, there's some work there for you. If by chance the machine owner of 66.26.69.24 logs onto my blog from Raleigh, USA and reads this, then go look at Get Safe Online. Change your passwords, backup your information, and reinstall your OS. You're done.

And folks, this took 5 minutes to check on, and by doing so my personal information lives to fight another day.