| Ferreting out a fake | |
| Learn to detect phishing scams | |
eBay, PayPal, and other credit card scams, con'd (page 3)
If I wanted to call Betsy Smith but didn't have her phone number, I could either call information or look it up in phone book. Using either method, I could determine her number was, for example, 555-1212. To call Betsy, I simply have to dial that number. DNS and IP are the equivalent of directory assistance and a phone number.
By adding @127.0.0.0:4901/ to the eBay address, the scammer is bypassing directory information (the DNS servers on the Internet) and telling the browser that http://scgi.ebay.com is found at 127.0.0.0. The 4901 is the port it is telling the browser to use. (Normal web connection are made through port 80. By telling the browser to use port 4901, the scammer is attempting to bypass firewall filters).
So now we know how it's done, but how do we tell when it's being done in email? Unfortunately, it's not as simple as hovering over the link or right-clicking the link and choosing Properties. In fact, most email clients will not let you right-click a link and view the actual target. Worse, when you hover over the link in unpatched versions of Outlook and Outlook Express, the display link text will display instead of the actual target link. In other words, if you hover over the following link in an email (with unpatched versions of these mail clients):
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation
it will display:
instead of this:
Therefore, the best way to determine an actual link in email is to view the actual Message Source code for the email.
So we've got this mysterious address of http://scgi.ebay.com@127.0.0.0:4901/. To many it might seem as if it really does point to a legitimate ebay site. However, that's where something called DNS and IP addresses come into play. Let's use a phone number as an example.
