just had a look at an ebay phishing email that came in this morning,
basically it is made to look like an email from an email member requesting info.
this was one of the links used
https: //signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fsignin.ebay.com%3A80%2Fws%2FeBayISAPI.dll%3FSignInMCAlert%26ru%3Dhttp%253A%252F%252F3736827751%253A82%252Fhttps.signin.ebay.com%252Freg.php%26SignInMCAlert%3D%26guest%3D1&pageType=2602
they are using double decoding to confuse their web URL:
(I'd only noticed single decoding before now)
http%253A%252F%252F3736827751%253A82%252F
IE decodes "..%252f" into "..%2f", as "%25" is a URL encoded '%'
(25 hex is the ASCII code for a percentage sign).
and %2f is a backslash "/"
= http %253A %252F %252F 3736827751 %253A 82 %252F
from this we get, http://3736827751:82
and decoding that using
http://www.toastedspam.com/decodeip
= http://222.187.119.103:82
which I think is somewhere in China
This is the interesting bit:
The "ru=" bit in the 1st URL is what Ebay normally uses to redirect you back
to where you originally were on the Ebay site,
but the phisher uses it to redirect you to their ebay clone html after a logon failure
(note they are still trying to make it look like a https URL)
ru=http://3736827751:82/https.signin.ebay.com/reg.php
the link is dead,
but it's at this point they will try to log your Ebay password.
this technique is at least a year old now,
I think Ebay needs to sort itself out,
you shouldn't need to know all this guff just to log on safely
I'm not an expert in this, so feel free to point out errors
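
Added example, not part of the original post: a Python sketch that unwinds the link quoted above the way the post does by hand. It peels the nested "ru=" values one decoding layer at a time, rewrites the all-digit host as a dotted quad, and lists any hop that leaves the trusted domain. The function names and the ebay.com trust rule are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs, unquote

# The link quoted in the post (scheme written without the space).
SAMPLE = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
    "&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fsignin.ebay.com%3A80%2Fws"
    "%2FeBayISAPI.dll%3FSignInMCAlert%26ru%3Dhttp%253A%252F%252F3736827751"
    "%253A82%252Fhttps.signin.ebay.com%252Freg.php%26SignInMCAlert%3D"
    "%26guest%3D1&pageType=2602"
)

def decode_rounds(text, limit=10):
    """Percent-decode until stable; return (rounds_needed, decoded_text)."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return rounds, text

def normalize_host(host):
    """Rewrite an all-digit (dword) host as a dotted quad; leave names alone."""
    if host and host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return host

def redirect_chain(url, param="ru", max_depth=5):
    """Follow nested `param` values; return [(url, normalized_host), ...]."""
    chain = []
    for _ in range(max_depth):
        parts = urlsplit(url)
        chain.append((url, normalize_host(parts.hostname)))
        values = parse_qs(parts.query).get(param)  # strips one encoding layer
        if not values:
            break
        url = values[0]
    return chain

def untrusted_hops(chain, trusted="ebay.com"):
    """Hops whose real host is neither `trusted` nor one of its subdomains."""
    return [(u, h) for u, h in chain
            if not (h == trusted or (h or "").endswith("." + trusted))]

if __name__ == "__main__":
    for url, host in redirect_chain(SAMPLE):
        print(host, "<-", url[:60])
    print("untrusted:", untrusted_hops(redirect_chain(SAMPLE)))
```

Only the parsed hostname is compared, so the "https.signin.ebay.com" directory in the final URL's path does not count as a trusted host.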