By Dave Michmerhuizen – Research Scientist
The majority of modern spam is simple and minimalist, so when spammers go all out to duplicate a major web property, it's noticeable. At least we hope it's noticeable, because a spam campaign that has appeared in the Barracuda Labs honeypots is very well done and could easily fool the unwary into divulging their eBay credentials.
Posing as an email from eBay deals, the spam offers cutting-edge electronics at an appealing, but not suspicious, discount. A security-conscious computer user will quickly see that the product links do not point to ebay.com, and that is why the page has been so carefully crafted to resemble a real eBay deals webpage. The phisher hopes that the image of a 33% discount on a new iPhone will keep you from noticing that all the links on the page actually go to a hacked Russian website of a company whose business is selling windows. (The real kind, the ones you look out of.)
While these emails are denominated in Euros, this same template could, and in all likelihood will, be adjusted to use Dollars as well.
Clicking on any of the offers takes you to a similarly convincing product offer page.
From that it's just a little “Buy it Now” click to get to where the phisher really wants you – the “Sign in” page.
You should never try to evaluate a page like this on looks alone. Always make certain that you are logging into a domain owned by eBay – ebay.com (US), or ebay.ie (Ireland), or ebay.fr (France), etc.
If you fail to notice the incorrect domain shown in the browser URL field and go ahead and enter your eBay particulars, they are summarily sent to a script on the Russian website and forwarded to the phishers.
While that happens, the site takes you through a payment screen and then a purchase complete screen, also well done, ending in a note to wait for an invoice email. Don't hold your breath. The only emails you are likely to get will be telling you that your password has changed, your email address is changed, and someone is purchasing items in your name.
The bottom line here is not to let internet eye candy distract you from basic internet security. When logging in, verify that you are actually logging in where you should be, and in general, avoid emailed web links.
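The domain check described above can be automated for the links inside a message. The following Python sketch is an added example, not code from Barracuda Labs or the original post; the allow-list holds only the three domains the article names, and the sample email with its `.example` hosts is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only the domains the article names; a real allow-list would cover every eBay country site.
EBAY_DOMAINS = ("ebay.com", "ebay.ie", "ebay.fr")

def is_ebay_host(url):
    """True only if the URL's host is a listed domain or a subdomain of one."""
    try:
        host = urlsplit(url).hostname  # drops any user@ prefix and port, lowercases
    except ValueError:
        return False
    if not host:
        return False  # relative or non-web link: nothing to trust
    host = host.rstrip(".")
    # Match on a label boundary so "notebay.com" and "ebay.com.signin.example" fail.
    return any(host == d or host.endswith("." + d) for d in EBAY_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, ignoring the visible link text."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href.strip())

def suspicious_links(html):
    """Return every link in the message whose host is not an eBay domain."""
    collector = LinkCollector()
    collector.feed(html)
    return [u for u in collector.links if not is_ebay_host(u)]

# Constructed sample message; the .example hosts are placeholders.
SAMPLE_EMAIL = """
<a href="https://www.ebay.com/deals">eBay Deals</a>
<a href="http://windows-shop.example/deals/item1.html">New phone, 33% off</a>
<a href="https://ebay.com.signin.example/buy">Buy it Now</a>
<a href="https://ebay.com@login.example/signin">Sign in</a>
<a href="https://signin.ebay.fr/">Se connecter</a>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("not an eBay domain:", link)
```

The check compares the parsed hostname on a label boundary, so a host that merely contains "ebay.com" or places it before an `@` is still reported.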
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.