Claim: Auction site eBay is sending out notices requesting that users update their account information.
Example: [Collected on the Internet, 2004]
Update Your Account Information
Within 24 Hours
Origins: The eBay auction site has long been popular bait for phishing schemes because many Internet users have eBay accounts, and thus this type of ruse has a good chance of reeling in some unsuspecting victims.
The eBay phishing scam reproduced above has already been around the block in similar form several times. In this latest version, clicking the “update your eBay records” link in the body of the message takes the user not to the real eBay web site, but to a counterfeit eBay “Account Activation” login screen hosted on a Korean web site.
This version, however, appears to be more sophisticated than other phishing schemes: the counterfeit site seems capable of polling eBay to determine whether the entered account information is correct. The phony eBay login screen returns an error message if an invalid eBay login/password combination is entered, but if a valid combination is entered, the user is taken to another “Account Activation” screen and prompted to enter a wealth of sensitive personal data (address info, credit card info, checking account info). Once a user fills out and submits the phony activation form, a “You have successfully reactivated your eBay accout!” [sic] message is displayed, and the user is redirected to a legitimate eBay login screen to make it appear he was on the real eBay site the whole time. Meanwhile, the scammers have harvested a bonanza of useful financial data from their unsuspecting victim.
Last updated: 1 March 2004