Gathan Beaga


I got my first eBay scam email today, a couple years after everyone else, I imagine.

Clicking on the link (actually, the whole text was an image in an HTML message) took me to a Chinese-language 404 page: the obfuscated URL used didn’t seem to resolve itself properly on any of my Mac browsers. But once I ran the URL through Sam Spade’s handy URL decoder, I got this fake eBay page. The page looks real because it’s using the code from the real thing. It’s actually sourcing the images from eBay’s servers. Very cheeky. Of course, what eBay definitely doesn’t ask for, and the fake page does, is your credit card number, card expiry date, CVV2 number, and ATM PIN number.

According to APNIC, the IP address of the fake site belongs to China Mobile (now the world’s biggest mobile phone company). I suppose the box hosting the fake site has been cracked, which is probably a bit of a problem as the possibly legitimate site it hosts seems to be some sort of China Mobile branded application users log in to (you enter a “Mobile”, a “Schoolcode”, and a “Password”).

Interestingly, if you click on “submit” on the fake page, you can see for a moment a blank page whose titlebar says “C2it by CitiBank”. C2it is Citi’s version of PayPal – a fairly tempting target. Perhaps in the past the same outfit have targeted C2it, or are still doing it and maybe are just using the same PHP script. Or perhaps they are just lazy sods.

I’ve emailed the administrators at China Mobile. I wonder how long it will take for the fake site to disappear…?