Q: ebay scam & Surferbar (Answered, 5 out of 5 stars, 2 Comments)
Question
Subject: ebay scam & Surferbar
Category: Computers > Internet
Asked by: probonopublico-ga
List Price: $10.00
Posted: 07 Sep 2003 00:18 PDT
Expires: 07 Oct 2003 00:18 PDT
Question ID: 253108
I received an email yesterday, ostensibly 'An Official Notice' from
ebay.

It claimed that my access had been restricted and asked me to update
my account details by visiting a supposedly secure site (with a https
prefix). It all seemed legitimate at that stage.

I visited the site which appeared official and was asked to fill in a
form that required: My ebay User ID; My First & Last Names; Date of
Birth; Social Security Number; Credit Card No, Expiry Date, CVV2 code
and ATM PIN.

The extent of the information requested put me on my guard and I
completed the form by giving false information.

I then made a bid on ebay which was accepted in the usual way.

Further investigation showed that:

1: The email had been sent to an address that I hadn't given to ebay.
It is one that attracts a lot of junk mail.

2: I had been routed to another site whose address I will omit for
reasons that will later become clear. However, the IP address began
with 211, which is in the Asia Pacific region.

3: What appeared to be a text message was actually a gif.

I then discovered that my computer had been infected with Surferbar
that kept trying to load. (It also disabled my beloved G****e Toolbar
as well as causing other unwanted effects.)

I've eliminated Surferbar (I think) by deleting win32.dll and
winserve32.dll. (It seems a fairly new piece of evil, and I've read
many of the comments posted elsewhere.)

Now, for the question:

How can I analyse the gif?

Any other comments?

Request for Question Clarification by sublime1-ga on 07 Sep 2003 00:27 PDT
Bryan...

I'm not clear by what you mean in saying "analyse the gif".

Clarification of Question by probonopublico-ga on 07 Sep 2003 00:59 PDT
Hi, Sublime One

Great to see you on the case.

The site that I was directed to had a different address than the one
shown in the 'text message'.

I have therefore assumed that there was some code hidden within the
gif which was named !cid-pic.gif

But maybe not ... the site address actually began
http://scgi.ebay.com@xxxx

Where xxxx was the IP address beginning 211.

I would welcome your thoughts on how the diversion was handled.

If you give it your best that will do as an answer.

Many thanks

Bryan
Answer  
Subject: Re: ebay scam & Surferbar
Answered By: sublime1-ga on 07 Sep 2003 02:00 PDT
Rated:5 out of 5 stars
 
Bryan...

Ah! Now it all becomes clear! It seems that the gif image,
rather than containing code, was simply 'linked' to
http://scgi.ebay.com@xxxx.yyy.zz.aaa

When you clicked on it, you were sent directly to:
xxxx.yyy.zz.aaa - a specific IP address for a specific
computer.

The ability to add 'scgi.ebay.com' prior to an '@'
symbol is used to allow for passwords to a pay site,
so that a passworded site may allow entrance with a
specific username:password URL such as:
http://sublime1:password@www.google.com

If Google were passworded in this manner, only the
legitimate username/password combinations would be
allowed to access the site. Since it is not a
passworded site, go ahead and click on the link
above, and you will see that it simply takes you
to Google. If Google were a passworded site, only
legitimate passwords would be allowed entry.

This knowledge has been adopted by those who wish
to confuse you as to their legitimate address.
Therefore, it is equally possible to use the URL
http://scgi.ebay.com@www.google.com/
or, the better to confuse you, using Google's 
numerical IP address:
http://scgi.ebay.com@216.239.53.101/

Go ahead...click on it! While appearing to be
a URL related to ebay, it will simply take you
to Google!

From what you have said, it appears that you
have correctly traced the address following
http://scgi.ebay.com@ - beginning with 211,
to the Asia Pacific Region. 

I recommend SamSpade.org for tracing IP addresses:
http://samspade.org/
Just plug in the numerical IP in the box to the
left of the 'Do Stuff' button.

I would also recommend forwarding the email, or
in lieu thereof, the IP address following 
http://scgi.ebay.com@ - to eBay.com. I'm sure
they'd be grateful to know who is attempting 
to access your personal information while 
pretending to be related to eBay.com!


Your mission, should you decide to accept it:

Please do not rate this answer until you are satisfied that
the answer cannot be improved upon by means of a dialog
established through the "Request for Clarification" process.

This webpage will self-destruct in 5 seconds... : )

sublime1-ga

Clarification of Answer by sublime1-ga on 07 Sep 2003 02:09 PDT
Bryan...

It seems that some of my URL links did not survive translation
onto the GA pages, therefore it will be necessary for you to 
copy & paste the URLs into your browser's address bar in order
to see how they work. Specifically:
http://sublime1:password@www.google.com
and
http://scgi.ebay.com@www.google.com/
and
http://scgi.ebay.com@216.239.53.101/

sublime1-ga
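The userinfo trick sublime1-ga describes above, shown through a URL parser. This is an added example and not code from the original thread: it uses Node's built-in WHATWG URL class (the same parsing rules browsers follow), needs no network access, and the e-mail link text it checks is constructed for the demonstration; the three URLs fed to explainUrl are the ones quoted in the answer.

```javascript
// Added example, not part of the original Google Answers thread.
// Uses Node's built-in WHATWG URL parser; no network access is made.
// Sample link text below is constructed for the demonstration; the three
// URLs passed to explainUrl() are the ones quoted in sublime1-ga's answer.

// Split a URL the way the browser does: anything before "@" in the
// authority is userinfo (credentials); the host is what follows the "@".
function explainUrl(raw) {
  const u = new URL(raw);
  return {
    username: u.username, // "scgi.ebay.com" in the scam URL: a username, not a site
    password: u.password,
    host: u.hostname,     // where the browser actually connects
    path: u.pathname,
  };
}

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Assess one link from an e-mail. `visibleText` is what the recipient sees
// (link text, or the address drawn inside an image); `href` is the real target.
// Returns the effective host plus a list of reasons to distrust the link.
function assessLink(visibleText, href) {
  const findings = [];
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return { host: null, findings: ["target is not a parseable URL"] };
  }

  if (u.username || u.password) {
    findings.push(`credentials in URL: "${u.username}" is a username, not the host`);
  }
  if (u.username.includes(".")) {
    findings.push(`username "${u.username}" is shaped like a hostname (decoy)`);
  }
  if (IPV4.test(u.hostname)) {
    findings.push(`host is a bare IP address (${u.hostname})`);
  }

  // Compare what the visible text claims against where the link really goes.
  const claimed = visibleText.match(/^\s*(https?):\/\/([^/\s@?#:]+)/i);
  if (claimed) {
    const claimedHost = claimed[2].toLowerCase();
    if (claimedHost !== u.hostname) {
      findings.push(`text shows ${claimedHost} but link goes to ${u.hostname}`);
    }
    if (claimed[1].toLowerCase() === "https" && u.protocol !== "https:") {
      findings.push("text shows https but link is plain http");
    }
  }
  return { host: u.hostname, findings };
}

// Stand-alone run: the three URLs from the answer, then a constructed e-mail
// link whose visible text shows an https eBay address while the real target
// is the numeric host after the "@".
function demo() {
  for (const raw of [
    "http://sublime1:password@www.google.com",
    "http://scgi.ebay.com@www.google.com/",
    "http://scgi.ebay.com@216.239.53.101/",
  ]) {
    console.log(raw, "->", explainUrl(raw));
  }
  console.log(assessLink("https://scgi.ebay.com/", "http://scgi.ebay.com@216.239.53.101/"));
}
demo();
```

Run it with node. The point is in explainUrl: the parser treats everything before the "@" as credentials, so "scgi.ebay.com" comes back as the username and the connection goes to 216.239.53.101. assessLink turns that into the checks a mail filter would apply to the link in the question: credentials present in the URL, a username shaped like a hostname, a bare-IP host, and visible text (https, an ebay.com name) that disagrees with the real target. Browsers today hide or prompt on such credentials rather than silently using them as 2003-era browsers did, but the parsing rule is unchanged and the same shape still turns up in phishing mail.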
probonopublico-ga rated this answer: 5 out of 5 stars and gave an additional tip of $10.00
Brilliant!

And delivered at the speed of light.

I did the Sam Spade thing which traced the IP address to Korea. That
was worth knowing.

I already advised ebay yesterday.

Many thanks!

Comments  
Subject: Re: ebay scam & Surferbar
From: sublime1-ga on 07 Sep 2003 11:05 PDT
 
Bryan...

Thanks very much for the high praise and generous tip!

sublime1-ga
Subject: Re: ebay scam & Surferbar
From: probonopublico-ga on 07 Sep 2003 23:14 PDT
 
Just for the record ...

I received a very satisfactory response from ebay who are on the case.
