Best Ebay Spoof Yet

I've just received the most authentic looking e-bay spoof I've seen so far. Only my supergeek slashdot style paranoia saved me from this one. It's worth being aware of the technique.

You have added as a new email address for your eBay account.

If you did not authorize this change or if you need assistance with your account, please contact eBay customer service at:

Thank you for using eBay!
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your eBay account and choose the "Help" link in the header of any page.


NEVER give your password to anyone and ONLY log in at Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the eBay URL every time you log in to your account.


eBay Email ID PP007

Of course I hadn't authorised any new e-mail addresses on my eBay account and so this email is an immediate call to action to find out what's going on with the account.

This spoof was masquerading as a plain-text mail. It was actually an HTML piece of mail with its style set to

style="FONT-SIZE: x-small; FONT-FAMILY:'couriernew',monospace"

Thus it mimics exactly the style used by my email client for plain text mail. It's easy to assume then that the links are legitimate because they are plain text and Outlook normally makes plain text links clickable. There's no reason to think that underneath the hyperlink is actually,

Holy cow! I don't want to give my ebay password to some zombie machine in Pakistan with a dynamic IP address. Ebay have a special address to forward these to -, and that's where that went.

Posted by Alexander at May 25, 2005 02:35 PM
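The technique above (an HTML mail styled in monospace so it passes for plain text, with link text that does not match the real href) and the later question in the comments about whether a link carries a token that identifies the recipient can both be checked mechanically. This is an added example, not code from the post; the message, host names and the query value in it are constructed placeholders, and the 16-character threshold for "opaque" query values is an assumed heuristic.

```python
import email
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample (not the spoof from the post): HTML mail styled to look like
# plain text, with a link whose visible text differs from its real target.
SAMPLE = """Content-Type: text/html; charset="us-ascii"

<div style="FONT-SIZE: x-small; FONT-FAMILY:'couriernew',monospace">
You have added victim@mail.example as a new email address.<br>
Please verify at <a href="http://203.0.113.5/cgi/login.php?id=9f8e7d6c5b4a3f2e1d0c">http://ebay.example/verify</a>
</div>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw):
    # Returns a list of human-readable findings for one RFC 822 message.
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "ascii")
    findings = []
    if msg.get_content_type() == "text/html" and "monospace" in body.lower():
        findings.append("html body styled to look like plain text")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        target, shown = urlparse(href), urlparse(text)
        # Visible text is itself a URL, but points somewhere else than the href.
        if shown.scheme and shown.netloc and shown.netloc != target.netloc:
            findings.append(f"link text {shown.netloc} hides target {target.netloc}")
        # Long opaque query values (assumed threshold: 16 chars) can identify the recipient.
        for key, vals in parse_qs(target.query).items():
            if any(len(v) >= 16 for v in vals):
                findings.append(f"opaque query value in '{key}' may identify recipient")
    return findings
```

Running analyse(SAMPLE) reports all three signs; a genuine text/plain mail with a bare URL produces no findings.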




i have gotten a bunch of those lately. and they came to an email address that i have that doesn't even have an ebay account.

after i got one of the emails, i decided to go through the motions and just enter filler data. it ended up asking me to update ALL my information in my "ebay profile". then it needed a credit card number. then it needed my bank account information. oh, and my pin number. that's about where i stopped and went ahead and forwarded the email on to ebay. i really do wonder though, who would still enter ALL that information and not have any idea they were getting scammed.

Posted by: patrick at May 25, 2005 03:29 PM

Hi Patrick,

I had no idea they were that cheeky, but i guess it makes sense for the phisher to just ask for more and more stuff while the user is giving.

On another point, I'd advise against even clicking those kind of links - if you've got unpatched software or there are unpatched exploits out there, even clicking on a malicious link can be dangerous to the health of your computer.


Posted by: Alexander McCabe at May 25, 2005 03:55 PM

Clicking on suspicious links can also verify your email address to spammers.


Posted by: Christian Cantrell at May 25, 2005 07:51 PM

The clue in that one is that PayPal does not send you verification messages on your eBay account. Nor does eBay send you verification messages on your PayPal account.

I got a really well timed one a couple of weeks ago. I had just added my bank account to my PayPal account and got one of those phishing spams shortly thereafter. The clue? "A new bank account has been added to your eBay account...." eBay doesn't take bank accounts.

I'm just happy my mom doesn't have an eBay account. She'd be all confused.

Posted by: Jennifer Larkin at May 25, 2005 08:11 PM

Why when these spoofs are reported to ebay - as I do on a regular basis - are the sites still operational 2 weeks later - is Fraud not Fraud anymore?

Posted by: liz at June 28, 2005 02:13 PM

I don't know Liz, I suspect it is in Ebay's best interests to act where they can but I'm sure there are some machines and networks that they will have difficulty shutting down.

Cringely has an interesting article on this if you're interested - it's at

Posted by: Alexander McCabe at June 28, 2005 02:31 PM

What are the general thoughts on this method that Mr. Cringely advocates? Will it work? Sounds interesting. I am wondering.

Posted by: tom at July 3, 2005 06:45 PM

It might just work - there's a mechanism now for this kind of group effort

The pledge might be something like 'I'll drown 1 phish every day if 100,000 other people will do the same'

Or maybe an automated phish drowner would work better - something that could just run unattended, drowning phish.

Posted by: Alexander McCabe at July 3, 2005 10:13 PM

Cringely has an interesting article on this if you're interested - it's at

He says to enter false info but aren't we confirming our e-mail address just by answering?

Posted by: Anonymous at September 3, 2005 05:42 AM

Short answer is that you might be - the link above doesn't look like it has any tracking info - but if the link ends with something like


then it is sending back information about the e-mail address from which it was accessed. It's harder work for the spammers to make this kind of link and with this kind of phishing, I think they're more interested in getting passwords rather than confirming e-mail addresses.

Posted by: Alexander McCabe at September 9, 2005 09:17 PM

Hi you guys, I really have fun with these spoof mails, it doesn't take a lot of brain to see they aren't real when they ask for personal details... so personal details they get. I put a name like "R U Stupid" with a crazy password to boot. I enter all bogus credit card details and a 4 digit "1111" pin or similar and let em have it. Play them at their own game and bombard them with bogus information. keeps me occupied anyway.

Posted by: Wayne NZ at November 12, 2005 05:20 AM

I just got an eBay spoof to my email box asking me why I haven't responded to their email and if I don't immediately respond they are reporting me to eBay safe harbor. When I clicked the email to respond it went to some phony eBay web site address in the url that wasn't It had some axy characters after it. They had some bogus feedback of 4,000 something. When I clicked on view sellers auctions they had none, yet they had imported phony responses from 4,000 or so supposed buyers. Very authentic looking though. I told them I was reporting their rude email to

Posted by: Brian at March 6, 2006 05:06 AM