Possible Phising scam - please advise urgently

[Celebrity Jewels 10]

Hi Guys

 

I was Gems Direct but now celebrity Jewels. I just had this email come through and clicked on the link and now need advice.

 

From: hello@bidorbuy.co.za

Subject: Attention !! Your account was been disabled !!

Date: Sat, 18 Dec 2010 20:31:21 +0200

 

 

Dear BidorBuy Member:

 

Attention! Your BidorBuy account has been limited!

As part of our security measures, we regularly screen activity in the PayPal system.We recently contacted you after noticing an issue on your account.

Your account has been randomly flagged in our system as a part of our routine security measures.This is a must to ensure that only you have access and use of your BidorBuy account and to ensure a safe BidorBuy experience. We require all flagged accounts to verify their information on file with us. To verify your information at this time.

Reference Number: PP-259-187-711

Please click on the link below activate your account:

 

https://www.bidorbuy.co.za/jsp/login/UserLogin.jsp

 

We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account.

We apologise for any inconvenience..

 

Sincerely,

BidorBuy Review Department

 

------------------------------------------------------------------------------------------------------------------------------

Copyright 1999-2010 BidorBuy. All rights reserved. BidorBuy Ltd. BidorBuy Register Number: 226056.

BidorBuy Email ID PP059

Protect Your Account Info

Make sure you never provide your password to fraudulent websites.

 

 

Please advise if this is for real as I cannot have my account suspended.

 

Thanks Chaps

Cheers

Brian

[mellowred 10]

If this is your profile Celebrity Jewels your sales page is still active.

 

See this message from Cuan Phishing Scams

[Celebrity Jewels 10]

Hi Mate

 

Yes it seems still active - I am busy listing - could you click on the link below (do not bid) but sus it out and see if it has been restricted.

Labradorite - RARE 3.22Ct.AAA Natural PADPARADSHA Multi-Colour Spark Labradorite - 100% Money Back Guarantee! for sale in Durban (ID:29926903)

 

I have already just changed my paypal password for the worst case scenario.

 

Cheers

Brian

[Cali Craft and Gems 10]

Hi Brian

 

All seems ok from my side (re your listings) but please just be very careful with those seemingly genuine emails - they are designed to fool even the most vigilant of users!

 

The key "giveaway" that all is not right is if you hover your mouse pointer over the link provided in the email and you will see at the bottom of the page it shows you the 'true' link - in this case sing-in.in - definitely not the SA BoB site!

 

These scammers are getting sneakier by the day and send these very realistic looking emails covering all sorts of "topics" - usually cloning the bank websites, but now more frequently any site where they can obtain your username and password without you even realising the hoax!

 

Let this be a warning for everyone! As I've always said, if it is really important or genuine, the person or institution will contact you personally and will keep on trying - the same applies to missed phonecalls!

[admin 3]

Hi Brian,

 

That is a phishing email, people please do NOT click on that link ! Brian, please forward that email to communitywatch@bidorbuy.co.za

 

Thank you.

 

Andries

[Celebrity Jewels 10]

Thanks ol mate, you remember me from Gems Direct.

 

This one nearly got me - sent to community watch and Bertus. I am a online security fundi but this came from hello@bidorbuy.co.za so I thought it was genuine. Taken all precautions so thanks for your advice - I will merrily carry on listing now.

 

Have a great Christmas and new year.

 

Cheers

Brian

[admin 3]

Thanks ol mate, you remember me from Gems Direct.

 

 

Indeed I do :wink:

 

Thanks Brian, same to you and yours.

[Celebrity Jewels 10]

Hi Boet

 

i could never believe it would start with BoB but now it has. I get 10 a day from other banks and just delete. BoBBers must be warned. We need to try and track this spammers ip addy and take action. Then again it is paypal related so could be any country - possibly Eastern European or Nigerian.

 

Have a good one Boet and speak soon. Send my regards to Cuan and Andy.

 

Cheers

Brian

[eZethu Coins 10]

Hi Guys

 

I was Gems Direct but now celebrity Jewels. I just had this email come through and clicked on the link and now need advice.

 

 

 

 

Please advise if this is for real as I cannot have my account suspended.

 

Thanks Chaps

Cheers

Brian

 

Do not be fooled by what the addresses and links look like in an e-mail. Without the original e-mail, I cannot tell you where the e-mail actually came from, but I can tell you that the link that looks like it will take you to the normal BoB login, will actually take you to "sing-in.in/1/UserLogin.html" - if you have not logged into BoB via the normal URL since your incident, you should do so as soon as possible and change your password. Somebody else now has your user-id and password.

[Guest Guest]

Dear BOB

 

I think it would be a good thing to explain to members who are not really sure, exactly what phishing is... (Sorry if I'm mistaken and you did - anyway...!)

 

In short: Phishing to me is NOT "redirecting you to a new address" - it is just a crude act ~ trick of elusion really. And if they are successful, you are unknowingly taken to the primary address you actually clicked on - not the one you saw...

 

Why?

 

Put your mouse over the this address:

 

https://www.bidorbuy.co.za/jsp/login/UserLogin.jsp [Do not click - just check]

 

Is it really BOB? Look at the BOTTOM left-hand corner of your internet browser property bar... Is that the same address as the one you see? (Where the mouse pointer is currently...)

 

No! it's not! They have hide the real address with the software code. Yet, they cannot really hide it!! Just be always watchful!

 

 

 

Now, put the mouse pointer over this address: https://www.bidorbuy.co.za/jsp/login/UserLogin.jsp

 

Look again at the BOTTOM left-hand corner of your internet browser property bar... Is it the same address as the one you see? (Where the mouse pointer is currently.)

 

Yes indeed, because there is no hidden code. (In short)

 

 

Now, put the mouse pointer over this address:

 

Login Page [Do not click - just check] dr hacker...

 

Look again at the BOTTOM left-hand corner of your internet browser property bar... Is it the same address as the one you see?

 

No! it's not! Simple code "hide" the real address again. Yet, one cannot really hide it!! Just be always watchful! (In short)

 

Also, remember that the address bar at the top-left of your internet browser always shows you where you really are. Always check! Just be awake and watchful... Always!

 

There is a lot more to say about other security symbols in the browser locks etc... I'm sure other Java and HTML etc. boffins will explain it all. It's late...:grin:

[MacMuffin 1]

Phishing mails are really difficult to combat and as they appear we get the sites shut down. Some ISPs/hosting companies are on the ball here and take immediate action, whereas others could not be bothered to assist. As Edmund explained those phishing emails can be compared with a fake ATM and it is not easily detectable (unless you verify the URL in the address-bar).

 

Many modern browsers (such as Safari or Chrome) automatically check websites for phishing/malware and provide an alert (in my case using Safari, clicking on any of the links presents me with a phishing/malware warning). In most cases with phishing, the weakness is outdated software/antivirus/internet-security and inexperience from the user. In my opinion (perhaps I am more brave as I run a Mac) I do click on the links to check what the attackers are trying to do, and the only risk is if a user then captures the login credentials.

 

In the above example, the attacker hosts a replica of our login-form on a server in India and when capturing login details, those details are emailed to his hotmail account (you can see this in the page-source) via an unprotected email script hosted on a server in Sweden. We have contacted Hotmail/Microsoft, the Swedish hosting company as well as the hosting company in India last week Thursday for immediate shutdown, and unfortunately none of those parties have yet done anything about it.

 

In short (and also read our recent blog-posts about security/safety on the internet) if you receive emails from bob to login/change your details or get some scary mail that your account will be disabled, please rather follow up with us. We have been very proactive over the last few weeks and have phoned users to assist.

 

Should you receive phishing emails, please mail them to security [at] bidorbuy.co.za so that we can take the necessary steps to shutdown the phishing sites.