Page 1 of 2, results 1 to 40 of 45
  1. #1
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855

    eBay, spoof, FBI... How bad is this story?

    True story: a good webmaster from Vietnam


    Hello there,

    I would like to share with you this amazing story that happened to one of our resellers this week. The reseller account was terminated by us, he lost his customers and he may face criminal charges.

    The guy lives in Switzerland, but he is from Vietnam. He signed up for a 3Gb/50Gb reseller account with us. He placed a few customers on the account, then he decided to upgrade his website to a new and better version.

    He hired a webmaster from Vietnam. Not any webmaster, but a guy who works for an internet firm there.

    Two days ago, we received this email from the company that owns the data center where our servers are located:

    Subject: [eBay:******] Security Incident - Ebay
    Dear ****,

    We have just learned that your service is being used to display false or "spoofed" eBay.com pages, apparently in an effort to steal personal and financial information from consumers, and defraud eBay users. Specifically, it appears that a **** user is sending unsolicited messages which misrepresent the sender as eBay, and making false statements that encourage the recipient to go to a page hosted by you at

    http://1.2.3.4/vbb/images/editor/.ebay/

    is asked to enter personal information. The purloined information is then sent to an email account and, based on our investigation of similar schemes, used to steal accounts and commit other fraudulent acts including international credit card and wire fraud.

    This matter is urgent - we believe that consumers have been falsely directed to this page and may be fooled into divulging personal information to a criminal if the page is not immediately disabled. We ask that you immediately disable the site at http://1.2.3.4/vbb/images/editor/.ebay/ as well as any associated email addresses, so that this fraudulent scheme can be stopped. We further request that you provide us with all contact information that you have for this user so that we may provide this information to the proper law enforcement authorities.

    While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of eBay's trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from eBay, the owner of the copyrighted materials. Accordingly, the information below serves as eBay's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

    I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named eBay Inc. I have a good faith belief that the website located at URL http://1.2.3.4/vbb/images/editor/.ebay/ as its copyright in each page of its website and associated source code. Please act expeditiously to remove or disable access to the material or items claimed to be infringing.

    We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist eBay and law enforcement in tracking this individual, we greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.

    Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. Section 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

    eBay Inc.
    Audit and Investigations


    I gave the customer's address to the data center manager. I don't know how bad this story is...
    .:. Enterprise SAN Consultant .:.

  2. #2
    Join Date: Jan 2005 | Location: Chicago, Illinois | Posts: 474
    we do intend to fully cooperate with their investigation, and encourage you to do so as well.
    With the amount of spoofs that I get personally everyday from paypal and ebay phishing, I think this has to be common these days. Not much you can do about stopping this as long as the client gets past your signup criteria, you just never know what people will try.

  3. #3
    I hope this works out for you. Just be cooperative as possible. The FBI will go to any length to prevent internet fraud and scams, which includes shutting down your business. Post back.

  4. #4
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855
    The client looks like a respectable one. I sent them all the information I have about him, including his street address and email address. Also, minutes after I received this email, just the time to read it, I terminated the account and made a copy of all files in it. I am making these files available to the authorities.
    .:. Enterprise SAN Consultant .:.

  5. #5
    Good. Remember, don't be a lazy host (not that I'm calling you out, just for everyone to know in the future). Check the websites that you're hosting, check the content. You can have 20,000 customers, but unless you have a general idea of what your servers have on them, you don't know if everything you have is up to par. In fact, in the next week I'm going to look into the same thing. This thread is an eye-opener for me too. Before this incident, it was merely a rumor to me that the FBI may one day be putting its foot in your door.

  6. #6
    Join Date: Aug 2004 | Posts: 1,461
    Happened to me like 5 to 10 times so far... The best you can do is to delete everything immediately. What I don't understand is why the DC (that is what I am understanding) reports something like that to the FBI. It is useless to even investigate against such people.
    I already had the police knock on my door once and I had to call the German equivalent of the FBI. They were asking me for an IP address. I told them that I don't have an IP address... Never heard from them again.

    Btw... If you have a lot of customers and own the DC, don't even waste your time with monitoring your servers because it is not your problem unless you know... However, if you hire your servers in a DC and are a small company you absolutely need to monitor your servers because it will get you into trouble with the DC if you have crap on the servers.

  7. #7
    Join Date: Aug 2004 | Posts: 1,461
    By the way:
    http://1.2.3.4/vbb/images/editor/.ebay/

    That sounds like the account owner was not hosting that stuff, but someone used a security hole to hack into the account and placed these pages on it. It has happened to me with long-term reliable customers... Suddenly they have that crap on their sites and sometimes they even contact you before you realize it. Then it turns out that the hacker had access to their email account or managed to sniff their account password.

  8. #8
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855
    Thank you for your kind words. eBay sent this email to the data center and they forwarded it to me. I don't know if eBay actually reported this issue to the FBI or if they want to do it.

    The customer contacted me but he did not agree to give me the webmaster's name or address. Maybe this webmaster is a friend of his, maybe he doesn't exist...
    .:. Enterprise SAN Consultant .:.

  9. #9
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855
    The customer asked me for a dedicated IP for an SSL certificate. So, he was granted a dedicated IP and then he was able to have an IP-based website.

    Any folder under his public_html was accessible via http://IP/foldername

    But they managed to install spam software in our /tmp directory. For some reason, this directory was unprotected. He sent many emails asking people to visit his spoof page.
    .:. Enterprise SAN Consultant .:.

  10. #10
    Join Date: Aug 2004 | Posts: 1,461
    Ah... ok. What I recommend is to limit the amount of outgoing mail to 500 or even 200 per hour and user. Then if someone sends such emails everything will end up in the queue and your server will get slow. Then you will realize that something is wrong, look into it, and see the illegal mass mailings. This just happened to me and I could stop the guy after he had sent just 500 emails or something. 500 emails aren't much of a problem for you... But 20,000 emails can get you on the spam lists and get you into trouble with your DC and the FBI... Also install the X-PHP header package from http://choon.net/php-mail-header.php This will help you to identify the script that sends the emails and you will be able to shut the guy down without much damage caused.
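
    The per-user hourly limit above is enforced in the mail server itself; what a host also wants is a quick way to see, from the mail log, which account is the one bursting. The script below is an added example and not code from the thread or from the choon.net package. It assumes a constructed, simplified log format (one syslog-style line per accepted message carrying a user=NAME token); a real MTA log needs its own field parsing, and the X-PHP-Script header from the package is what then ties a flagged user to the specific script.

```shell
#!/bin/sh
# Added example, not code from the thread: flag users who sent more mail in
# one hour than a threshold, from a mail log. The log format here is a
# constructed simplification (one line per accepted message, syslog-style
# timestamp, a user=NAME token); a real MTA log needs its own field parsing.

# Constructed sample: alice bursts during the 14:xx hour, bob sends one message.
SAMPLE_LOG='Jun 12 13:58:40 host mail: user=bob to=a@example.net
Jun 12 14:03:11 host mail: user=alice to=b@example.net
Jun 12 14:03:12 host mail: user=alice to=c@example.net
Jun 12 14:03:12 host mail: user=alice to=d@example.net
Jun 12 15:10:00 host mail: user=alice to=e@example.net'

# flag_mail_bursts MAX < logfile
# Prints "user Mon DD HH count" for every (user, hour) bucket holding more
# than MAX messages, sorted so the output is stable.
flag_mail_bursts() {
    awk -v max="$1" '
    {
        split($3, t, ":")                # $3 is HH:MM:SS
        hour = $1 " " $2 " " t[1]        # bucket key, e.g. "Jun 12 14"
        user = ""
        for (i = 4; i <= NF; i++)
            if ($i ~ /^user=/) user = substr($i, 6)
        if (user != "") count[user SUBSEP hour]++
    }
    END {
        for (k in count)
            if (count[k] > max) {
                split(k, parts, SUBSEP)
                print parts[1], parts[2], count[k]
            }
    }' | sort
}

# demo_bursts MAX: run the check over the constructed sample log.
demo_bursts() {
    printf '%s\n' "$SAMPLE_LOG" | flag_mail_bursts "$1"
}

# Run with --demo to print the buckets that exceed 2 messages per hour.
if [ "${1:-}" = "--demo" ]; then
    demo_bursts 2
fi
```

    Against a real log you would pipe the file into flag_mail_bursts with the same threshold you configured in the mail server (for example 200), and run it from cron a few times an hour; the hour bucket is deliberately coarse so a kit that sends in a short burst shows up as one line.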

  11. #11
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855
    That sounds good. Tomorrow, first thing in the morning, I'll ask my technician to limit the emails and install this script. Thank you for the hint :-)
    .:. Enterprise SAN Consultant .:.

  12. #12

    Originally posted by thomas.smith
    Happened to me like 5 to 10 times so far... The best you can do is to delete everything immediately. What I don't understand is why the DC (that is what I am understanding) reports something like that to the FBI. It is useless to even investigate against such people.
    I already had the police knock on my door once and I had to call the German equivalent of the FBI. They were asking me for an IP address. I told them that I don't have an IP address... Never heard from them again.

    Btw... If you have a lot of customers and own the DC, don't even waste your time with monitoring your servers because it is not your problem unless you know... However, if you hire your servers in a DC and are a small company you absolutely need to monitor your servers because it will get you into trouble with the DC if you have crap on the servers.
    Easily the worst piece of advice I've ever seen on here. If the FBI contacts you about something like this, the worst thing you can do is start getting rid of stuff. The door swings both ways. The evidence that can get this person caught is the same evidence that will pull you off the hook (provided you're not involved). The worst thing you can assume is that the law will absolutely recognize your innocence in every case possible. Guess what... your server, your responsibility. Your post leads me to believe that you've never had that happen to you, because after a few incidents like this any police organization would pull the plug on you, at best. Please don't give crap advice.

  13. #13
    Join Date: Aug 2004 | Posts: 1,461
    No, I meant delete it if you find it... Not delete it if the FBI is asking for it. I was talking about the case where you find something before anyone reports it to you.

  14. #14
    Join Date: Apr 2005 | Location: Chatsworth, CA | Posts: 105

    Sad state of affairs!

    The first thing I thought of when I saw the letter you posted was, what if the letter you sent was a spoof to get the guy offline?

    Obviously, I would start making phone calls and checking things before I take anybody's account down. This probably could be done real quickly.

    Man, the internet is becoming like a cesspool. The good far outweighs the bad, but the crooks, cons, criminals, spammers, hackers, and other scumbags are really trashing it big time.
    Norm
    www.iHostKing.com/
    Internet Hosting & Design

  15. #15
    Originally posted by thomas.smith
    No, I meant delete it if you find it... Not delete it if the FBI is asking for it. I was talking about the case where you find something before anyone reports it to you.
    So how do you expect to find users like this if you think it's a waste of time monitoring the accounts?

  16. #16
    Join Date: Aug 2004 | Posts: 1,461
    Ok, again...

    If you have a lot of customers and own the DC, don't even waste your time with monitoring your servers because it is not your problem unless you know... However, if you hire your servers in a DC and are a small company you absolutely need to monitor your servers because it will get you into trouble with the DC if you have crap on the servers.

  17. #17
    Yeah, but there is no excuse not to monitor your customers whether you own a datacenter or you rent from one. That's what I'm getting at. Just because you're innocent you're still tied to it.

  18. #18
    Join Date: Aug 2004 | Posts: 1,461
    If you own the DC then what is the point of monitoring someone's server?? You are not legally required to do it and it only causes you trouble because you will have to decide whether it is legal or not.

  19. #19
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855
    I host more than 1000 websites. I can't monitor them all. Add to this, the questionable material is not always on the start page.

    In this case, the main web page looks fine. The eBay spoofed page was hidden in a sub-sub-sub folder. There are millions of folders on our machines. If we hire someone to look into them all, he will need all his life to complete the job. For such things, even if we monitor what we can, we rely on complaints.

    Do you know, all, every file on your servers?
    .:. Enterprise SAN Consultant .:.

  20. #20
    Originally posted by edelweisshosting
    I host more than 1000 websites. I can't monitor them all. Add to this, the questionable material is not always on the start page.

    In this case, the main web page looks fine. The eBay spoofed page was hidden in a sub-sub-sub folder. There are millions of folders on our machines. If we hire someone to look into them all, he will need all his life to complete the job. For such things, even if we monitor what we can, we rely on complaints.

    Do you know, all, every file on your servers?
    No, but at least I have a general idea what I'm hosting. I never said check every file. Yes these things are often hidden, but a little vigilance is still needed. And thomas, you still can't seem to grasp that what is hosted on your servers is your responsibility.

  21. #21
    Join Date: Aug 2004 | Posts: 1,461
    >And thomas, you still can't seem to grasp that what is hosted
    >on your servers is your responsibility.

    The thing is I am paying my DC a lot of money so I expect them to contact me and allow me to remove the content. This causes work for them, but that is what I am paying them for: service and a server. So I do not expect to have my server shut down completely after they find MP3s two times. It costs them nothing but work and I am paying them for their work.

  22. #22
    Yeah, but if the law finds your MP3s before they do, they may have no choice but to shut you down. And what good does that do? Your company is down, and so are your customers.

  23. #23
    Join Date: Aug 2004 | Posts: 1,461
    Yes, you can't blame it just on the DCs... It is the stupidity of all mankind. They would rather see one guilty person burn with 599 innocent people burning too, than save the innocent people and let the guilty person get away with it.

  24. #24
    If you look for some of these filenames you may find the site before it can go live

    agreement.htm
    Complete.htm
    loginloading.htm
    loginsubmit.php
    paypal.gif
    pp.htm
    processing.htm
    processing.php

    These are the filenames used in one of the latest script kiddie packages.

  25. #25
    Originally posted by page-zone
    If you look for some of these filenames you may find the site before it can go live

    agreement.htm
    Complete.htm
    loginloading.htm
    loginsubmit.php
    paypal.gif
    pp.htm
    processing.htm
    processing.php

    These are the filenames used in one of the latest script kiddie packages.
    See now I think you are on to something....

    Rather than attempt to put up a list of fraudulent users or sites, I think a list should be compiled of offending files used in these scripts.... I wish I were technical enough to build an anti-fraud script program that uses code signatures loaded in by the community and works like Anti-Virus. Can you imagine the power of an app like that where you can set it up to scan your server for code like that and alert you?

    Why isn't phishing/scams/etc treated like viruses and trojans? I should be working for Norton....LOL!

    Just my $0.025

  26. #26
    That would work.

  27. #27
    /me runs to the patent office...

    I wonder if that could be written in PHP.....


  28. #28
    You could very easily set up a PHP script to search for those filenames, using locate. Maybe have a cron run daily and email you any findings.

  29. #29
    Alright, I hope some find this useful. This will run daily and email you all potential files.


    1. Login as root to the shell
    2. mkdir phishing
    3. cd phishing
    4. pico phishingfiles
    5. Now paste the files mentioned above into the file, press Ctrl+X and save the file
    6. pico phishingfind
    7. Now put the following code into this file, editing the appropriate variables:

      Code:
      #!/usr/bin/php
      <?php

      // Edit these variables to configure the script
      $recip = 'you@example.com';                     // placeholder: address that receives the report
      $subject = 'Potential phishing files';
      $headers = "From: phishingfind@example.com\n";  // placeholder: sender address
      $msg = <<<MSG
      ========================================
      Potential phishing files
      ========================================
      MSG;

      // one filename per line; file() keeps the newline on each entry, so strip it
      $files = file('phishingfiles', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

      $found = '';
      foreach ($files as $file) {
          $file = trim($file);
          if ($file === '') continue;          // skip blank lines in the list
          $found .= `locate $file`;
      }

      $found = trim($found);
      // explode() on an empty string still returns one element, so count 0 explicitly
      $count = ($found === '') ? 0 : count(explode("\n", $found));
      $msg .= "\n\n$count files found\n\n";

      mail($recip, $subject, $msg . $found, $headers);

      ?>
      Save the file and exit pico
    8. chmod 700 phishingfind
    9. ln -s /etc/cron.daily/ phishingfind


    To test, just type:
    ./phishingfind

    It worked great for me.

    I hope that is helpful.

  30. #30
    That's a nice script. Is there a quick way to have it reference a file list on another server.

  31. #31
    Hi,

    Whew, I wasn't able to access wht for a few minutes because of some javascript error that keeps crashing my browser.

    Anyway, yes. You can simply replace the filename passed to the file() function to the full URL.

    Brandon

  32. #32
    Join Date: Nov 2004 | Location: Switzerland | Posts: 855
    Sounds great! Thank you. I am installing it on all my servers, but there is something wrong:

    [[email protected] phishing]# ./phishingfind
    -bash: ./phishingfind: /usr/bin/php: bad interpreter: No such file or directory
    .:. Enterprise SAN Consultant .:.

  33. #33
    Please type:

    Code:
    whereis php
    to find the PHP interpreter. It is generally in /usr/bin, but you may also try /usr/local/bin.

  34. #34
    Cool, I haven't tried it with putting the full URL of the file list, but this is a great tool for at least calling your attention to such things. It produces a lot of false positives; for instance, locating pp.htm finds:

    /var/www/manual/mod/mod_python/dir-other-pp.html

    but that's not a big deal.

  35. #35
    When I ran it, there were about 16 false positives, mostly in fantastico and in my own user directory.

  36. #36
    I'd almost rather have them.

  37. #37
    Join Date: May 2004 | Location: Lansing, MI, USA | Posts: 1,548
    Uhm, make sure you're grepping for public_html... that way you knock out any not in web directories...
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large

  38. #38
    Yeah, that could be done, just change the line that executes the command in PHP to this:
    Code:
    $found .= `locate $file |grep public_html`;
    By the way, I think I got the syntax of ln wrong. It should be, I believe:
    ln -s phishingfind /etc/cron.daily/

    Brandon

  39. #39
    Nice scripting. 10000x better than what I could have done!

  40. #40
    Join Date: May 2004 | Location: Lansing, MI, USA | Posts: 1,548
    Might also want to add a / in front of the file names to kill off partial matches if you're sure that those will be the only files.
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large
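
    Putting the refinements from #24, #29, #37, #38 and #40 together: match the whole basename rather than a substring (so pp.htm no longer turns up dir-other-pp.html), and only report files that sit under a public_html directory. The script below is an added example written for this thread, not Brandon's script or anyone else's code from the page. It uses find over a root directory instead of locate, so it needs no updatedb and can be tried on the constructed sample tree it builds itself; the filename list is the one posted in #24.

```shell
#!/bin/sh
# Added example, not code from the thread: a find-based scanner for the
# phishing-kit filenames posted above. Unlike the locate/grep one-liner it
# matches the whole basename (so pp.htm does not hit dir-other-pp.html) and
# only looks inside public_html directories.

# Filenames listed in the thread, one per line (constructed list).
PHISHING_NAMES='agreement.htm
Complete.htm
loginloading.htm
loginsubmit.php
paypal.gif
pp.htm
processing.htm
processing.php'

# scan_phishing_names ROOT
# Prints every regular file below ROOT that sits under a public_html
# directory and whose basename is exactly one of PHISHING_NAMES.
scan_phishing_names() {
    root=$1
    # Build the expression "-name a -o -name b ..." for find.
    set --
    for n in $PHISHING_NAMES; do
        set -- "$@" -o -name "$n"
    done
    shift                      # drop the leading -o
    find "$root" -type f -path '*/public_html/*' \( "$@" \) | sort
}

# count_hits ROOT: number of matching files (0 when none).
count_hits() {
    scan_phishing_names "$1" | wc -l | tr -d ' '
}

# make_sample_tree: creates a constructed directory tree for a dry run and
# prints its path. Two real hits, two look-alikes that must not match.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/public_html/images/editor/.ebay" \
             "$d/home/bob/public_html" \
             "$d/home/bob/mail" \
             "$d/var/www/manual/mod/mod_python"
    : > "$d/home/alice/public_html/index.html"
    : > "$d/home/alice/public_html/images/editor/.ebay/loginsubmit.php"  # hit
    : > "$d/home/bob/public_html/pp.htm"                                  # hit
    : > "$d/home/bob/mail/pp.htm"                    # not web-served: skipped
    : > "$d/var/www/manual/mod/mod_python/dir-other-pp.html"  # substring only
    echo "$d"
}

# Run with --demo to scan the constructed tree and print the findings.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    echo "$(count_hits "$demo_root") suspicious file(s):"
    scan_phishing_names "$demo_root"
    rm -rf "$demo_root"
fi
```

    On a real box you would call scan_phishing_names /home (or whatever holds the customer accounts) from the daily cron job and mail the output as Brandon's script does; the hidden .ebay directory is found because find does not skip dot-directories, and the mail folder copy and the Apache manual page are skipped because neither lives under public_html.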

