A Binocular Related Virus Warning...

28 replies to this topic

#1 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 12:19 PM

For anyone here who hawks eBay on a regular basis...

So far eBay has been pretty good about removing these items within about 30 minutes or so of being listed, but this seems dangerous enough that it should be mentioned. I've stumbled onto 5 auctions for expensive binoculars that would immediately re-direct my browser to another site that looks like eBay but clearly isn't. They are apparently looking for buyers with larger wallets so as to make some significant amounts of cash. The two items that I've seen being sold are a "Zeiss 20x60 Image Stabilized Binoculars" and a "Kollmorgen 20x120 Binoculars," both being listed for $2500 USD Buy-It-Now. When you click on the listing from the search list you get redirected to a site called rgaoks2.com, which was registered two days ago out of California, but I think there have been other website redirects as well because this has been going on for almost a week now. When I click to add the item to my watch list I immediately get taken to the Buy-It-Now screen. They clearly want you to buy it and then pay for it, making you log-in to PayPal so that they can get your log-in name and password and then go drain your account. At least that would be the more likely scenario.

But whatever, just be careful since it seems they are targeting us in particular...

#2 hallelujah

hallelujah

    Fly Me to the Moon

  • *****
  • Posts: 5171
  • Joined: 14 Jul 2006
  • Loc: North Star over Colorado

Posted 28 March 2013 - 12:24 PM

Mark,

Thanks very much for the heads up.

Did you also notify eBay?

Stan

#3 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 12:35 PM

I just refreshed my search list and the items are now gone, so eBay again caught them and removed them after about 30 minutes or so. But these scamsters are being persistent so I'm sure they will be back again soon.

#4 KennyJ

KennyJ

    The British Flash

  • *****
  • Posts: 34240
  • Joined: 27 Apr 2003
  • Loc: Lancashire UK

Posted 28 March 2013 - 12:39 PM

Thanks for the notification.

I think I once caught a virus from an old Russian binocular that had been kept shut up in a fusty case for around 30 years!

#5 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 12:43 PM

> Thanks for the notification.
>
> I think I once caught a virus from an old Russian binocular that had been kept shut up in a fusty case for around 30 years!


LOL! :rofl5:

I was waiting on you Kenny! :roflmao:

#6 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 12:50 PM

> I just refreshed my search list and the items are now gone, so eBay again caught them and removed them after about 30 minutes or so. But these scamsters are being persistent so I'm sure they will be back again soon.


Actually... eBay has only removed the items from the search lists, the items themselves are still there. BUT... eBay has disabled the Buy-It-Now feature and it says at the top of the listing that the "Seller is currently away until March 31."

When I clicked on Buy-It-Now I got this message... "Sorry, this seller is on vacation, so this item is unavailable for purchase."

Clever...

#7 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 12:59 PM

Another interesting thing is that these scamsters had apparently hacked into an eBay account for "Bullseye Dart Supply" out of Philadelphia, PA (USA) so now all of their listings (which are all for dart supplies other than those two binoculars) are unavailable for purchase.

#8 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 01:24 PM

Another interesting twist...

I just hit the Buy-It-Now button again to show my son that message, but THIS TIME I was directed to the eBay log-in screen @ rgaoks2.com. I am already logged-in and shouldn't need to log-in again. So it appears that they may be looking to get their next eBay account to hack for their next wave of scams...

#9 Simon S

Simon S

    Vanguard

  • *****
  • Posts: 2312
  • Joined: 07 Jan 2007
  • Loc: Crawley West Sussex UK

Posted 28 March 2013 - 03:46 PM

Has your computer been checked for viruses and malware?

#10 hallelujah

hallelujah

    Fly Me to the Moon

  • *****
  • Posts: 5171
  • Joined: 14 Jul 2006
  • Loc: North Star over Colorado

Posted 28 March 2013 - 03:58 PM

http://www.lavasoft...._aware_free.php

#11 KennyJ

KennyJ

    The British Flash

  • *****
  • Posts: 34240
  • Joined: 27 Apr 2003
  • Loc: Lancashire UK

Posted 28 March 2013 - 05:05 PM

Just clicking onto THIS thread here at CN causes my PC to emit a faint but distinct odour of eau de halibut.

Like Mark himself, I would also describe what he's discovering as interesting twists.

I know an interesting twist when I see one, the most recent being on the dance floor at a wedding reception, by the best man and chief bridesmaid.

#12 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 07:59 PM

> Has your computer been checked for viruses and malware?


Yeah, I did two different malware scans after I posted all this. So I appear to be fine.

#13 Jarrod

Jarrod

    Apollo

  • *****
  • Posts: 1121
  • Joined: 20 Jan 2013
  • Loc: SE USA

Posted 28 March 2013 - 08:55 PM

Not a week ago my wife's eBay account was hacked and taken over for the purpose of buying cellphones with stolen PayPal accounts. Be careful out there!

#14 daniel_h

daniel_h

    Vanguard

  • *****
  • Posts: 2247
  • Joined: 08 Mar 2008
  • Loc: VIC, Australia

Posted 28 March 2013 - 10:05 PM

interesting

#15 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 28 March 2013 - 10:18 PM

> Not a week ago my wife's eBay account was hacked and taken over for the purpose of buying cellphones with stolen PayPal accounts. Be careful out there!


Yeah, I also changed my (already long) eBay password today and added 5 more digits to it as well.

#16 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 08 April 2013 - 07:12 PM

Both items were just re-listed again, just as they were previously, except the new website that you get routed to is /127.0.0.1:2372/ which I have not looked up, but one of my anti-malware programs picked up on it right away.

Just FYI...

#17 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 08 April 2013 - 11:36 PM

> Both items were just re-listed again, just as they were previously, except the new website that you get routed to is /127.0.0.1:2372/ which I have not looked up, but one of my anti-malware programs picked up on it right away.
>
> Just FYI...


Actually it's called "poiuaj2sa22.com" and was registered late last night out of Bellevue Washington.

Again, eBay shut them down fairly quickly.

#18 Vondragonnoggin

Vondragonnoggin

    Aurora

  • *****
  • Posts: 4978
  • Joined: 21 Feb 2010
  • Loc: Southern CA, USA

Posted 09 April 2013 - 02:06 AM

Just an FYI about IP addressing. 127.0.0.1 is what is known as a loopback address or localhost address. That is an address which you would use to access something on your own computer. In other words you were redirected to port 2372 on your own computer. You should run further malware scans.
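
An added example, not part of any post in this thread: a short Python check that sorts a redirect destination into loopback, raw IP, the expected site, or some other domain, using the two addresses quoted above. The `EXPECTED_SITES` list and the function names are assumptions of this example, and the `ebay.com.rgaoks2.com` and `[::1]` inputs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the only site the user means to log in to.
EXPECTED_SITES = ("ebay.com",)


def host_of(url):
    """Return the lowercase host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        # Handles the form posted in the thread: "/127.0.0.1:2372/"
        url = "//" + url.strip("/")
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify_destination(url, expected=EXPECTED_SITES):
    """Classify where a redirect actually points."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # All of 127.0.0.0/8 and ::1 refer to the local machine.
        return "loopback" if ip.is_loopback else "raw-ip"
    for site in expected:
        # Match on a dot boundary so "ebay.com.rgaoks2.com" does not pass.
        if host == site or host.endswith("." + site):
            return "expected"
    return "other-domain"


# Constructed sample inputs; the first two hosts are the ones named in the thread.
SAMPLES = [
    "/127.0.0.1:2372/",
    "http://rgaoks2.com/signin",
    "http://ebay.com.rgaoks2.com/signin",
    "https://signin.ebay.com/",
    "http://[::1]:2372/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {classify_destination(s)}")
```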

#19 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 09 April 2013 - 02:04 PM

Thanx. My scans show that I'm still clean. One of my malware programs actually caught the redirect and stopped it before it happened, while at the same time telling me that "poiuaj2sa22.com" was the intended destination.

#20 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 16 April 2013 - 03:24 PM

They are back at it again, this time with a more traditional approach. They just want you to contact them off site and pay them directly.

No redirects this time. But I did report it to eBay so it should be gone shortly. Only the one listing this time for the Zeiss 20x60S.

HA! I was wondering how they managed to get by the eBay text monitors which will normally stop the listing if they catch certain words or phrases. It turns out that the "text" they put in the listing is actually a picture of the text, so the monitors can't read it...

#21 Mr. Bill

Mr. Bill

    Fly Me to the Moon

  • *****
  • Posts: 6287
  • Joined: 09 Feb 2005
  • Loc: Northeastern Cal

Posted 16 April 2013 - 04:18 PM

That's why I only buy/sell here on CN on the SS forums....

:cool:

#22 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 16 April 2013 - 04:37 PM

> That's why I only buy/sell here on CN on the SS forums....
>
> :cool:


Yep. My most recent purchase was also from this website.


Over an hour later and it's still an active listing... :shocked:

#23 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 16 April 2013 - 07:33 PM

eBay isn't in any hurry to pull this one. There are already two bidders and I'll bet they have already been approached by the fake seller...


Edit:

GONE. Finally. Took a few hours...

#24 salientbunny

salientbunny

    Explorer 1

  • -----
  • Posts: 66
  • Joined: 13 Jun 2012
  • Loc: Southeast Georgia, US

Posted 16 April 2013 - 08:09 PM

> Both items were just re-listed again, just as they were previously, except the new website that you get routed to is /127.0.0.1:2372/ which I have not looked up, but one of my anti-malware programs picked up on it right away.
>
> Just FYI...



The call is coming... FROM INSIDE THE HOUSE!

Seriously, that is the internal address for all computers.

#25 SMark

SMark

    Apollo

  • *****
  • Posts: 1113
  • Joined: 29 Aug 2011
  • Loc: Atlanta, GA USA

Posted 16 April 2013 - 10:20 PM

> > Both items were just re-listed again, just as they were previously, except the new website that you get routed to is /127.0.0.1:2372/ which I have not looked up, but one of my anti-malware programs picked up on it right away.
> >
> > Just FYI...
>
> The call is coming... FROM INSIDE THE HOUSE!
>
> Seriously, that is the internal address for all computers.


So just how does that fit into the scam that they were running? Were they trying to fool something or someone else by doing that? /127.0.0.1:2372/ was the re-direct address that the auction listing script apparently executed to, and is the address my browser was pointed at when my anti-malware program came back with "poiuaj2sa22.com" as the address it was blocking...





