The message starts convincing enough, and looks professional too. (click the thumbnail to view a larger version of the email.)
The message subject is "Action Required!" and seems to come from the eBay billing department. Not sure why the billing department would be notifying me of a breach of security instead of some security concern but lets move on. Here is the body of the email with the bad link removed for your security.
Just a few questions I had immediately after seeing this in my deleted bin.
Dear eBay Member,
We recently noticed one or more attempts to log in to your eBay account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling, the unusual login attempts may have been initiated by you.
The login attempt was made from:
IP address: 172.25.210.66
ISP Host: cache-66.proxy.aol.com
By now, we used many techniques to verify the accuracy of the information our users provide us when they register on the Site. However, because user verification on the Internet is difficult, eBay cannot and does not confirm each user's purported identity. Thus, we have established an offline verification system to help you evaluate with whom you are dealing with.
click on the link below, fill the form and then submit as we will verify
Please save the above link for your reference
Please Note: - If you choose to ignore our request, you
leave us no choice but to temporally suspend your account.
* Please do not respond to this e-mail as
your reply will not be received
- Why is the billing department sending me this message?
- Why would I not call eBay to verify an online breach?
- There are obvious grammatical errors in the body of the email...this is a huge indicator for me!
- They describe the verification method as "offline" yet they are asking me to click a link.
A simple mouseover proved the easiest clue that something was awry! Allowing my mouse cursor to hover over the link provided indicated that the real address was not the one listed in the email.
The wanted me to visit a site that was dynamic (php enabled) and that included the word "superbho" (read that as a HiJack attempt or browser helper object) and was not part of eBay's DNS group, but was rather originating from 220.127.116.11. A quick visit to Internic determined that this address was not assigned to eBay.
Moral of the story: Use common sense to thwart these spoof attempts and don't be pressured into clicking links for any reason. ( ...you leave us no choice but to temporally suspend your account... He he he!)
See this eBay informational page for more info about how these attempts work.
For more information on some previous attempts see this link.