eBay information request masked as a phishing campaign

MX Lab, http://www.mxlab.eu, detected a phishing campaign in the form of information requests sent by email, purportedly from eBay. The fake email is sent from the spoofed email address “eBay <awconfirm@aby.fr>” and has subjects in the format “Question sur l’ objet #2091501444 – Répondre maintenant”.

The layout of the email body is typical eBay style, and it contains a request for more information regarding the delivery of the item when bought.

The embedded URL, in this case hxxp://ns1.sjburns.com/bash/levante.fr/curvasa.html, leads to a web site that hosts the fake eBay login screen. The form is processed by the file ebay.php.

Afterwards, the user is redirected to the real eBay login screen over a secure HTTPS connection.

The main differences are: the disclaimer is written in French, there is a link to the eBay app at the top right, and the Norton logo is correctly shown.
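The indicators described in this post (brand display name on a non-eBay sender domain, the subject format, and links to non-eBay hosts) can be checked in mail triage. The Python below is an added example, not MX Lab's code; the brand-domain allowlist, the function names and the placeholder link host login.example.net are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "ebay"
# Assumption: illustrative allowlist of domains the brand really uses.
BRAND_DOMAINS = ("ebay.com", "ebay.fr")
# Subject format reported above; "." tolerates the typographic quote, dash and accent.
SUBJECT_RE = re.compile(r"Question sur l.{0,3}objet #\d+ . R.pondre maintenant", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_brand_domain(host):
    """True only for a brand domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if BRAND in display.lower() and not on_brand_domain(sender_domain):
        findings.append("display-name/domain mismatch: " + sender_domain)
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches reported campaign format")
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not on_brand_domain(host):
                findings.append("link to non-brand host: " + str(host))
    return findings

# Constructed sample: sender and subject as reported above, link host is a placeholder.
SAMPLE = (
    "From: eBay <awconfirm@aby.fr>\n"
    "Subject: Question sur l\u2019 objet #2091501444 \u2013 R\u00e9pondre maintenant\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<a href="http://login.example.net/curvasa.html">Repondre</a>\n'
    '<a href="https://www.ebay.fr/">eBay</a>\n'
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The suffix match in `on_brand_domain` requires a leading dot, so a lookalike host such as `ebay.fr.example.net` is still reported as non-brand.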
