Here’s a good scam!

Very nicely done, they only messed up in a few places.

Normally when you get a phishing attempt, from “ebay” or whoever, the fastest way to tell is to hover on the URL and see that it really links to “www.scammerhome.net”. This one avoids that, by using a cleverly crafted ebay “About me” page.

You can see it live at:
http://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=Inssommia&JBR_W0QQitemZ26036QQssPage36QQssPageNameZWDVWQQrdZ1QQcmdViewItem&item=28011654654

DO NOT TYPE YOUR real DETAILS IN! Make something up. 😉 Take a look at the top bar of the browser page, and then do a ‘hard refresh’ (Ctrl-F5 in Firefox) and watch the slightly freaky way the page reloads.

It’s been very neatly done using a set of images and looking at the source, there is no javascript used at all!

The log-in (enter fake details) takes you to an ebay themed page, where they forgot to re-write the URL to ebay – it goes to http://plymouth.rtcubed.net/.download/secure/ which tries to get you to download some file with the name referenced in the email.

If anyone wants to take a look and report back what the payload is, I’d be interested.

(Bonus points for anyone who knows what the Google search you can still see was about!)