
List:       isn
Subject:    [ISN] Holy Cow! Bowie Among Innocents Used In Ebay Scam
From:       InfoSec News <isn () c4i ! org>
Date:       2002-01-28 8:38:46

http://www.newsbytes.com/news/02/173962.html

By Brian McWilliams, Newsbytes
CHICAGO, ILLINOIS, U.S.A.,
25 Jan 2002, 12:01 PM CST
 
A new identity-theft scam has corralled several high-profile Web sites
as unwitting co-conspirators, including sites associated with
exclamatory sports broadcaster Harry Caray and rock chameleon David
Bowie.

The scam, designed to steal credit card information, Social Security
numbers and other personal data from unwary Internet users, is built
upon Internet resources owned by Bowie and Harry Caray Restaurant
Group, a holding company named after the late Chicago-area baseball
broadcaster renowned for bellowing "Holy Cow" after great plays. Also
embroiled in the scam is America Online's personal home page service.
 
The fraud masquerades as an order confirmation from online auctioneer
Ebay. A bogus e-mail message sent Jan. 11 to potentially thousands of
Internet users informs recipients that they will be charged $460.50
for ordering a Microsoft Xbox video game system.

To cancel the order, recipients of the message, which appears to come
from eBayServicesSUPPORT@eBay.com, are instructed to click a hyperlink
to visit a Web site and "fill out all the needed information."

The link, http://cancelorder.n2v.net , re-directed users to a site
hosted by AOL Hometown that contained a cleverly designed mock-up of
an Ebay form, entitled "Ebay Services - Cancel Order."

If users were gullible enough to input their credit card number,
Social Security number, bank name, address, phone and other requested
information, the data, as well as the user's Internet protocol
address, was submitted to an e-mail account at Epimp.com, a free,
Web-based e-mail service.

The bogus transaction was completed when victims were redirected to a
page at http://www.hcrestaurantgroup.com , which simply bore the
message "Your order has been canceled."

To capture the stolen data, the scam site relied on an improperly
secured FormMail program at BowieNet, an Internet service launched by
the English musician at http://www.davidbowie.co.uk . The script
currently enables unauthorized users to send e-mail through servers
operated by Global Internet, the British ISP that hosts Bowie's site.

FormMail is a free program used by many legitimate sites to glean data
submitted via online forms. Last year, a vulnerability was discovered
in the FormMail.pl gateway that allows external users to run the
program. As a result, unsecured FormMail installations have become
favored targets of junk e-mailers.

Officials at Global and BowieNet did not respond to reports of the
vulnerable FormMail script, nor has America Online moved to shut down
the fraudulent site. However, the scam appears to have been at least
partially debilitated.

The N2V address-redirection service has disabled the link used by the
scam due to a violation of its acceptable use policy. In addition, HC
Restaurant Group removed the page at its site borrowed by the
fraudsters within hours of learning about it Jan. 11, according to
Beth Goldberg, director of marketing for the company.

Recipients of the scam e-mail who notified Ebay received a response
from the company's SafeHarbor Investigations Team noting that
"several" Internet users had complained about the fraudulent message,
which Ebay confirmed did not originate from the company.

"Please remember that Ebay will never ask you for your private
information, including credit card information, in an e-mail. Also,
Ebay will never send you any request or solicitation from a non-Ebay
e-mail account, or provide a link outside of Ebay for entering credit
card or other private information," said the message from the online
auction firm.

Joe Balazs, Webmaster for the HCrestaurantgroup.com site, said it was
not clear how many people had fallen for the scam. Nor was he able to
explain why the fraud re-directed victims to the site after they
submitted their personal information.

"It's pretty strange. It seems rather silly to send them to a
restaurant's site. I would think it would give away that the whole
thing was a scam," said Balazs.

A copycat version of the fraud, also using the insecure script at
BowieNet, was sent to numerous Internet users on Jan. 19. That version
of the scam attempted to re-direct recipients to a different page at
http://members.aol.com , the source code of which is encrypted.

While the address-redirection service, OnTheWeb.nu, has disabled the
link, the AOL-hosted scam site was still functional today.

According to Chris Wysopal, director of research and development for
AtStake, a security consulting firm, the incident demonstrates that
security on the Internet must be a community effort.

In cyberspace, as in the physical world, "if one person fails to keep
their property secure it can become a threat to all nearby," said
Wysopal. The same goes for sites on the Internet, "except that on the
Internet, everyone is your next door neighbor."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.