It always starts with the Pitch:
Subject: ***eBay Confirmation Center***
Dear eBay Member:
It has come to our attention that your eBay billing updates are out of order. If you could please take 1-2 minutes out of your online experience and update your billing records you will not run into any future problems with the online service. However, failure to update your records will result in account termination. Please update your records.
Once you have updated your account records your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
To update your eBay records now click here:
http://www.scgi-ebay.com
Sincerely,
eBay customer department!
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, login to your eBay account and choose the “Help” link in the footer of any page. To receive email notifications in plain text instead of HTML, update your preferences here.
eBay UPDATE TEAM
Accounts Management
As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements.
Respectfully,
Trust and Safety Department
eBay Inc.
Copyright 1995-2005 eBay Inc. All Rights Reserved.
Of course, unsuspecting nits simply must click the link. Never mind that Don’t Click! signs are screaming at you. Like, for instance, eBay always uses superfluous HTML… Never anything so straightforward as text. Then there’s the odd formatting stuff, like line spacing and sentence breaks.
But the elephant in your living room is the URL: www.scgi-ebay.com. Performing a whois, you find the org/admin contact for scgi-ebay.com is Carl L of Ogilvie, Minnesota. Did you notice that he registered the site four days ago through an Australian registrar and is using MSN domain servers? “Perhaps,” you think, “eBay is trying to spread around its considerable wealth.”
A call to Carl quickly dispels that notion. His daughter answers the phone, “L residence.”
You ask for Carl. She yells for Dad. Carl picks up. “No. I do not work for eBay… I’ve been having trouble with that… I got this email and typed in the information for my eBay account… I got a call like this last week… I’m working on getting it changed… That is not a web address that I have purchased. No… I don’t own any web addresses. I never have. Do you know who I should contact?”
Undoubtedly, by the time you read this, scgi-ebay.com will be history. Carl? His problems have just begun. His credentials were sold to launch scgi-ebay.com and probably hundreds of other phishing sites, so the next Carls could be netted.
As for you, the network admin… If you won’t protect your users with proper content filtering at the network border, teach them to refrain from clicking URLs in messages, or typing in URLs they don’t recognize 100%. Carl could have saved himself a world of grief by simply typing in “http://www.ebay.com”.
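One way a border content filter could catch a link like the one in this message, as an added example (not code from the original post): it flags any URL whose hostname uses a protected brand name as a label or hyphenated token without being that brand's real domain. The `PROTECTED` table, the function names and the sample text are assumptions made for illustration, and the brand-as-subdomain variant goes one step beyond the case shown in the post.

```python
import re
from urllib.parse import urlsplit

# Assumption: the brands a filter protects and the domains each really uses.
PROTECTED = {"ebay": {"ebay.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_legit(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def lookalike_brand(host):
    """Return the brand a hostname borrows without belonging to it, else None."""
    labels = set(re.split(r"[.-]", host))  # "www.scgi-ebay.com" -> www, scgi, ebay, com
    for brand, allowed in PROTECTED.items():
        if brand in labels and not is_legit(host, allowed):
            return brand
    return None


def scan_message(text):
    """Return (url, brand) for each link whose host imitates a protected brand."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation stuck to the link
        try:
            host = (urlsplit(url).hostname or "").rstrip(".").lower()
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            continue
        brand = lookalike_brand(host)
        if brand:
            hits.append((url, brand))
    return hits


# Constructed sample: the lure's link, two genuine links, a path-only mention,
# and a constructed variant that uses the brand as a leading subdomain label.
SAMPLE = """To update your eBay records now click here:
http://www.scgi-ebay.com
For assistance, log in at http://www.ebay.com or https://signin.ebay.com/help.
Unrelated: http://www.example.org/ebay-tips
Variant: http://ebay.com.account-update.example/login
"""

if __name__ == "__main__":
    for url, brand in scan_message(SAMPLE):
        print(f"BLOCK {url} (imitates {brand})")
```

Matching on whole labels keeps the rule from firing on unrelated hosts, but it will miss misspelled brands; a production filter would pair it with a fuzzy match and a domain-age check.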
