Phishing
I've received several emails lately that have been phishing attempts. They've said that I need to log in to my eBay or PayPal account in order to prevent it from being suspended. Of course, I knew it was fake, but a recent news report says that many people have never heard of phishing, which greatly increases the chance that the attempt to get you to divulge personal information will succeed.
Here's the message header from one attempt:
From - Mon Jul 25 19:42:22 2005
X-Account-Key: account2
X-UIDL: 1104651933.3670
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path:
Received: from mr07.mrf.mail.-----.net (EHLO mr07.mrf.mail.-----.net)
(207.---.-.--)
by ms06.mrf.mail.-----.net (MOS 3.5.6-GR FastPath queued)
with ESMTP id JMU20933;
Mon, 25 Jul 2005 18:57:18 -0400 (EDT)
Received: from mx23.mrf.mail.-----.net (mx23.mrf.mail.-----.net [207.---.-.---])
by mr07.mrf.mail.-----.net (MOS 3.5.7-GR)
with ESMTP id EKL70686;
Mon, 25 Jul 2005 18:57:17 -0400 (EDT)
Received: from unknown (HELO mx23.mrf.mail.-----.net) ([10.255.5.102])
by mx23.mrf.mail.-----.net with ESMTP; 25 Jul 2005 18:57:17 -0400
Received: from 160-85-112.adsl.terra.cl ([200.112.85.160])
by mx23.mrf.mail.-----.net with SMTP; 25 Jul 2005 18:57:13 -0400
Message-Id: <46t8li$7319u3@mx23.mrf.mail.-----.net>
X-IronPort-AV: i="3.95,141,1120449600";d="gif'147?scan'147,208,217,147";
a="238069699:sNHT39143222"
FCC: mailbox://supprefnum1422@ebay.com/Sent
X-Identity-Key: id1
Date: Wed, 27 Jul 2005 08:03:45 +0600
From: eBay
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: --------@-----.com
Subject: eBay - Account Update [Wed, 27 Jul 2005 06:00:45 +0400]
Content-Type: multipart/related;
boundary="------------070404050706000909030005"
X-Junkmail-Whitelist: YES (by domain whitelist at mr07.mrf.mail.-----.net)
This is a multi-part message in MIME format.
--------------070404050706000909030005
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
what's the matter not at all in 1935 Sony Entertainment
--------------0704040507060009090300
Content-Type: image/gif;
name="murderous.GIF"
Content-Transfer-Encoding: base64
Content-ID:
Content-Disposition: inline;
filename="murderous.GIF"
The entire body of the email was a GIF image named by someone with a sense of humor. I don't know how it got through, either, as I have Thunderbird set to block images. Clicking anywhere on the email, not just on the link, takes you to this site: http://218.9.7.188/.../e3b/. Arin.net identifies that IP address as being registered in Australia. If you type that IP in, you get something copied right from eBay's website. As for the email itself, the source IP (200.112.85.160) is registered in Uruguay, yet the domain *.cl is Chile. All that can be spoofed, so who knows where this is coming from. One thing for sure is that it's not coming from eBay. I have no idea what that line about Sony Entertainment means, but it was at the bottom of the email.
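A way to pull the same source IP out of a header programmatically, added here as an example and not part of the original post. It walks the Received chain from the newest hop down and trusts only lines written by the recipient's own provider, and it goes one step beyond the text by also comparing the Date header with the time the provider recorded. The example.net host names, the function name and the sample are constructed stand-ins for the redacted values.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header above; the redacted provider
# host names are replaced by example.net placeholders (assumption).
SAMPLE = """\
Received: from mr07.mail.example.net (mr07.mail.example.net [192.0.2.7])
 by ms06.mail.example.net with ESMTP id JMU20933;
 Mon, 25 Jul 2005 18:57:18 -0400 (EDT)
Received: from unknown (HELO mx23.mail.example.net) ([10.255.5.102])
 by mx23.mail.example.net with ESMTP; 25 Jul 2005 18:57:17 -0400
Received: from 160-85-112.adsl.terra.cl ([200.112.85.160])
 by mx23.mail.example.net with SMTP; 25 Jul 2005 18:57:13 -0400
Date: Wed, 27 Jul 2005 08:03:45 +0600
From: eBay
Subject: eBay - Account Update

(body omitted)
"""

# "from <name> ... [<ipv4>] ... by <host>" inside one Received value
HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def external_hop(raw, trusted_suffix):
    """Return the hop where mail entered servers under trusted_suffix.

    Received lines are prepended, so the newest is first. Only lines written
    by our own servers are believed; anything older is sender-controlled.
    """
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m or not m.group(3).lower().endswith(trusted_suffix):
            break  # unparseable or written by a foreign server: stop trusting
        name, ip, by_host = m.groups()
        if ipaddress.ip_address(ip).is_private or name.lower().endswith(trusted_suffix):
            continue  # relay inside the provider
        # The timestamp after the last ';' was stamped by our own server.
        received = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        skew = parsedate_to_datetime(msg["Date"]) - received
        return {"ip": ip, "claimed_name": name, "recorded_by": by_host,
                "date_skew_hours": round(skew.total_seconds() / 3600, 1)}
    return None

if __name__ == "__main__":
    print(external_hop(SAMPLE, ".mail.example.net"))
```

The bracketed IP is what the receiving server saw on the connection; the name in front of it and the Date header are whatever the sender chose to present, which is why the Date here lands more than a day after the message was actually received.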
Keep in mind, eBay, PayPal, your bank, et al. will not contact you asking you to update or sign in in order to confirm something or keep your account active. They could care less. They only care when you sign in and proceed to do something. If something doesn't seem right, chances are it isn't. With phishing becoming more and more common, it's less likely some entity you deal with is going to send you an email asking you to confirm something.

2 Comments:
It looks like that IP address no longer brings up that web page. I had forwarded this information to eBay and maybe they were able to shut it down. However, I think it's more likely that those pages only stay up for a short time before they are taken down by the phisher, then he moves on.
I am looking forward to your posts.