Thursday, May 17, 2012

Dreaded e-mail

I got one of those dreaded e-mails this afternoon:
This is a courtesy notice to let you know that your eBay password has been changed. No response is needed!
I think a response IS NEEDED!

Here's a screen shot of the e-mail:


Notice the little gold key at the top left. This is Gmail verifying that the e-mail did actually come from eBay. That's about the last good thing in the e-mail. The e-mail is HTML, so the link for you to go to "if you did not make this change" isn't simple text, and the underlying link could be anything. Thankfully it is consistent, but why make me worry? Next, there is no way to navigate to the eBay location without using that link. In other words, you can't just type ebay.com in the URL field and navigate independently of the e-mail. That is Rule One of links in e-mails: Ignore them and type them yourself. Remember the IP address in the e-mail. We'll look at that in a minute.

So off I went.

Look at the site information that Chrome presented from that link:

The identity of this website has not been identified.

Your connection to ocs.ebay.com is not encrypted.

Site Information:
You have never visited this site before today.
None of that made me feel very good.
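
The two checks made by eye above, where a link in an HTML e-mail really points and whether the page it opens is encrypted, can also be done mechanically. This is an added example, not part of the original post; `EXPECTED_HOSTS`, the reason labels and the sample message body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the one host the reader normally signs in on.
EXPECTED_HOSTS = {"signin.ebay.com"}

# Constructed sample body, not the real eBay message.
SAMPLE = """
<p>If you did not make this change,
<a href="http://ocs.ebay.com/">click here</a>.</p>
<p><a href="http://example.invalid/login">https://signin.ebay.com</a></p>
<p><a href="https://signin.ebay.com/">Sign in</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Host named by the link text if it looks like a URL, else ''."""
    if "." not in text or " " in text:
        return ""
    return (urlparse(text if "//" in text else "//" + text).hostname or "").lower()

def audit(html_body):
    """Return [(href, [reasons])]; an empty reason list means nothing flagged."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        checks = [("not-https", url.scheme != "https"),
                  ("unfamiliar-host", host not in EXPECTED_HOSTS),
                  ("text-host-mismatch", shown_host(text) not in ("", host))]
        findings.append((href, [name for name, hit in checks if hit]))
    return findings
```

Calling `audit(SAMPLE)` flags the first two links and passes the third; a flagged link is a reason to type the address yourself, not proof of fraud.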

For comparison, here's what eBay looks like when I log in:


Much more comfortable. That's what I'd like to see when I think my password has been hacked.

I followed the links and called eBay. I was on hold less than a minute. The agent e-mailed me a link to reset my password.


That was a plain text e-mail. Much better.

I did that and all was fine.

Here's the e-mail I got from eBay that I'd changed my password:


HTML again. Interesting how different that is than the fraudulent one. Why?

Now let's step back some.

That first e-mail had the IP address that changed my password: 68.160.170.79. WhatIsMyIPAddress.com does a good lookup on it. It was from a Verizon broadband customer in the Boston area. Nope, I haven't been to Boston lately.


Interestingly, when I did get logged in to eBay, I could tell that the hacker had actually used my account.


Yeah, I know how to spell "Ford Explorer" and I'm not looking for a '79 Trans Am parts car. I did have a '79 Trans Am once and parts are all it's good for.

Well, that was an exciting afternoon, but it seems that all is well.

2 comments:

Dick V said...

How do you suppose they managed to get a sub-domain of ebay.com set up?

DV

Ben Moore said...

The ocs.ebay.com was a legitimate sub-domain of eBay.

My concern was that eBay didn't use a "familiar" sub-domain that would present well-known credentials such as signin.ebay.com does.