Phishing - Watch out for this

Rick Cooper rcooper at DWFORD.COM
Mon Nov 7 13:50:35 GMT 2005



I encountered this one Sat, it wasn't flagged as phishing or spam. The "Click
here" link is:
<a href="http://library.ws.ac.th/wslib/images/.members/ebay/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">Click here to activate your account</a></td>

So there isn't anything really there to catch. It points to a sub dir on
what appears to be a Chinese University's web site. Received header is
Received: from clust06-www03.powweb.com ([66.152.98.63])

I put the following local SA rule in place to catch it.

header __Rc_EBAY_PHISH1 Subject =~ /(tko notice: eBay Account suspended \( Unauthorized Access \)|tko notice:)/i
header __Rc_EBAY_PHISH2 Received !~ /ebay\.com/i
rawbody __Rc_EBAY_PHISH3 /library\.ws\.ac\.th|mfcisapicommand=signinfpp/i

meta Rc_EBAY_PHISH ( __Rc_EBAY_PHISH1 && __Rc_EBAY_PHISH2 && __Rc_EBAY_PHISH3 )
score Rc_EBAY_PHISH 200
describe Rc_EBAY_PHISH META:Chinese Ebay Phishing Scam Rule Rc_EBAY_PHISH

The rule basically states if the subject contains the full subject, or just
the "tko notice:" part, and the received headers do not contain a host from
ebay.com, and there is a reference to either the website in question or the
mfcisapicommand= then it's not from ebay and score it very high.

I have posted the entire body if someone wants to see the information used
for the above rule(s).

Rick



================================= begin paste =======================================================
Subject: TKO NOTICE: eBay Account SUSPENDED ( Unauthorized Access )

Dear eBay Member,

eBay is committed to maintaining a safe environment for its community of
buyers and sellers. To protect the security of your account, eBay employs
some of the most advanced security systems in the world and our anti-fraud
teams regularly screen the PayPal system for unusual activity.

Recently, our Account Review Team identified some unusual activity in your
account. In accordance with eBay's User Agreement and to ensure that your
account has not been compromised, access to your account was flagged. Your
account will remain flagged until this issue has been resolved. This is a
fraud prevention measure meant to ensure that your account is not
compromised.

In order to secure your account and quickly restore full access, we may
require some specific information from you for the following reason:

Our system requires further account verification.

Case ID Number: EB-056-245-481 We encourage you to log in and restore full
access as soon as possible. Should your account remain flagged for an
extended period of time, it may result in further limitations on the use of
your account or may result in eventual account closure.

-----------------------------------------------------------------------

Click here to activate your account





----------------------------------------------------------------------

Thank you for your prompt attention to this matter. Please understand that
this is a security measure meant to help protect you and your account. We
apologize for any inconvenience.

Sincerely,

eBay Account Review Department

eBay Email ID PP562

====================================== End Paste ==================================================
 Rick Cooper
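The logic of the three sub-rules and the meta rule above, ported to Python as an added example (this is not code from the original post or from SpamAssassin). The phishing sample is constructed from the headers and link pasted in the message; the legitimate-mail sample, including its hostname and address, is hypothetical.

```python
import email
import re
from email import policy

# Port of the three SpamAssassin sub-rules from the post (added example).
SUBJECT_RE = re.compile(
    r"(tko notice: eBay Account suspended \( Unauthorized Access \)|tko notice:)", re.I)
RECEIVED_RE = re.compile(r"ebay\.com", re.I)
RAWBODY_RE = re.compile(r"library\.ws\.ac\.th|mfcisapicommand=signinfpp", re.I)


def evaluate(raw_message: str) -> dict:
    """Return each sub-rule result, the meta verdict and the score it would add."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    received = [str(h) for h in (msg.get_all("Received") or [])]
    # rawbody in SA sees the decoded body including HTML markup, so take the
    # HTML part when present and fall back to text/plain otherwise.
    body = msg.get_body(preferencelist=("html", "plain"))
    raw_body = body.get_content() if body else ""
    r1 = bool(SUBJECT_RE.search(subject))
    # "Received !~" must hold for every Received header, not just the first
    r2 = not any(RECEIVED_RE.search(h) for h in received)
    r3 = bool(RAWBODY_RE.search(raw_body))
    hit = r1 and r2 and r3
    return {"PHISH1": r1, "PHISH2": r2, "PHISH3": r3,
            "Rc_EBAY_PHISH": hit, "score": 200 if hit else 0}


# Constructed sample: Received header, Subject and link from the pasted message
PHISH_SAMPLE = """\
Received: from clust06-www03.powweb.com ([66.152.98.63])
Subject: TKO NOTICE: eBay Account SUSPENDED ( Unauthorized Access )
Content-Type: text/html

<html><body><a href="http://library.ws.ac.th/wslib/images/.members/ebay/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=">Click here to activate your account</a></body></html>
"""

# Constructed, hypothetical legitimate message (hostname and address made up)
LEGIT_SAMPLE = """\
Received: from mx.ebay.com ([192.0.2.10])
Subject: Your eBay item sold
Content-Type: text/plain

Congratulations, your item has sold.
"""

if __name__ == "__main__":
    print(evaluate(PHISH_SAMPLE))
    print(evaluate(LEGIT_SAMPLE))
```

Note that __Rc_EBAY_PHISH2 only checks for the substring ebay.com anywhere in a Received header, so the meta rule depends on the other two sub-rules to stay specific.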

