Content-Type: text/html;
Return-Path: security@ebay.com
From: "ebay@aw-confirm.com" confirm@ebay.com
Reply-To: "ebay@aw-confirm.com" support@ebay.com
To: XXXXX@YYYYY.ZZZ
Subject: eBay Fraud Mediation Request
Date: Thu, 07 Apr 2005 15:08:19 -0500
X-MSMail-Priority: High
X-ELNK-AV: 0
***Urgent Safeharbor Department Notice***

eBay Fraud Mediation Request
Date: Thu, 07 April 2005

You have recieved this email because you or someone had used your account to make fake bids at eBay. For security purposes, we are required to open an investigation into this matter.

THE FRAUD ALERT ID CODE CONTAINED IN THIS MESSAGE WILL BE ATTACHED IN OUR FRAUD MEDIATION REQUEST FORM, IN ORDER TO VERIFY YOUR ACCOUNT REGISTRATION INFORMATIONS.

Fraud Alert ID CODE: 00937614
(Please save this Fraud Alert ID Code for your reference.)

To help speed up this process, please access the following form to complete the verification of your account registration informations:

http://scgi.ebay.com/verify_id=ebay &fraud alert id code=00937614

.

Please Note:
If we do not receive the appropriate account verification within 48 hours, than we will assume this account is fraudulent and will be suspended.
The purpose of this verification is to ensure that your account has not been fraudulently used and to combat the fraud from our community.

We appreciate your support and understanding, as we work together to keep eBay a safe place to trade.

Thank you for your patience in this matter.

Regards, Safeharbor Department (Trust and Safety Department)


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.



Copyright 2005 Ebay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Ebay and the eBay logo are trademarks of eBay Inc. Ebay is located at 2145 Hamilton Avenue, San Jose, CA 95125.

Comments
Invalid return address:
Notice below the disclaimer on the validity of the return address.
A genuine return address would either alert the corporate victim or help track the perpetrator.
Terms evoking fear and urgency:
- fraud, fake bids [involving your account], security, safe harbor, fraudulent
- alert, urgent, speed up, within 48 hours
Confidence tricksters know the importance of good marketing.
Misspelling:
The typo in "recieved" is unfortunate in a message of this quality.
Careless layout, grammar and spelling all used to be flags for bogus messages.
This is no longer true.
Do not assume identity on the basis of self-made declarations and appearances!
Official looking details:
- See the trademark protection and other notices at the bottom of the message.
- The use of an ID code is a nice touch.
- Notice also bureaucratic titles such as "Trust and Safety Department".
- Especially crucial is the use of an authentic-looking link.
Internet-aware users will know the scgi.ebay.com server is under the control of eBay.
The leopard's spots:
No matter how good the appearances are, the goal of this message is to get the innocent individual victim to click on the link and voluntarily surrender his or her personal identifiers to the perpetrator's site.
The only thing which counts is therefore the actual value of the link.
First: in the HTML rendition, this value is hidden. It may have nothing to do with the text on which one clicks. How convenient for phishing!
Second: looking at the text source, one finds that the server is in fact identified by its IP address, "211.220.195.70".
This is highly suspicious since:
- this is not at all the value advertised in the visible text;
- ordinary users would not know who controls that invisible address;
- using an IP locator such as geobytes, one finds out the site is in fact located in Seoul, South Korea.
Since eBay has outsourced a number of services, one cannot be entirely sure. But what organization would outsource its own fraud/compliance department abroad?
Further Notes:
Notice that the actual value of the link appears in the status line at the bottom of the screen when you browse the visible text with your mouse.
Do not rely on this disclosure, however, as it is easy to circumvent and the next phisher will be wiser. One must view the source. Search, for example, for the visible text and look for the so-called "href" field in the enclosing HTML anchor.
For a list of other IP locators, use your favorite search engine.
This email has been neutralized by corrupting the protocol of the actual link to render it inoperative.
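
The source check described under Further Notes, as an added Python example that is not part of the original page: it pairs each anchor's "href" with its visible text and flags an IP-literal host or a host that differs from the one displayed. The sample markup is constructed; 203.0.113.70 is a documentation address standing in for the IP address found above, and the path is a placeholder.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: TEST-NET address and placeholder path stand in for the real link.
SAMPLE = ('<a href="http://203.0.113.70/placeholder">http://scgi.ebay.com/verify_id=ebay</a> '
          '<a href="http://www.example.com/help">www.example.com</a>')

class AnchorCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, so only anchor text is kept
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Host named by a URL or by URL-like visible text ('' if none)."""
    token = (value.split() or [""])[0]
    try:
        return (urlsplit(token if "//" in token else "//" + token).hostname or "").lower()
    except ValueError:
        return ""

def is_ip(host):
    try:
        return ip_address(host) is not None
    except ValueError:
        return False

def audit_links(html):
    """Flag anchors whose href host is a raw IP or differs from the host shown."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown, reasons = host_of(href), host_of(text), []
        if is_ip(real):
            reasons.append("href host is a raw IP address")
        if "." in shown and shown != real:
            reasons.append(f"text shows {shown}, href goes to {real}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```

Calling `audit_links(SAMPLE)` reports only the first anchor, with both reasons; the second anchor, whose text and target agree, passes.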