
eBay Scrambles to Fix Phishing Bug

Posted by Zonk
from the watch-where-you-click dept.
Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. "The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.""
  • In other news... (Score:1, Insightful)

    by Anonymous Coward
    In other news, ex-hacker warns that social engineering (aka end-user profound dumbness) is the most serious security flaw of computer systems.
  • I lost $100 because I thought it was ebay.
    • This is Outlook's fault?
      • Outlook (like many mail clients,) displays HTML by default, which makes it easier to hide redirects.

        I have my email client at home (Kmail) set to Text instead of HTML. It makes it easier to spot redirects and such, so phishing schemes are more obvious.

        I don't use Outlook, so I don't know if it can be set to Text view for incoming messages. It would be very helpful for someone to post the steps needed to set Outlook for text view.
        • Likewise, kmail to the rescue.

          I have rx'd probably 50 of these ebay phishing messages here. I forwarded the first couple of them to abuse at ebay, but never got a bounce or a reply other than the usual boilerplate, and came to the conclusion that officially, they could care less.

          So why are they now, damned near 6 months later, finally admitting it?

          --
          Cheers, Gene
          • I forwarded the first couple of them to abuse at ebay

            You know I tried the same with the first couple phishing mails that I apparently received from banks with exactly the same result.

            It's not that you would expect to get a personal thank you visit by their CIO, but at least something like an acknowledgement would indicate that they are at least interested.

            What does that tell you? In all likeliness your bank doesn't give a flying fuck if you are ripped off. It's not their money and hassle after all.

        • Pah! I use Pine. All you guys with your smancy-fancy GUI email programs that you have to turn HTML rendering off.

          Who was the first moron to put HTML in mail clients? He deserves to rot in hell with those screwballs at M$ who gave Internet Mail and News the ability to post HTML Usenet messages.

          • Re:Outlook Settings (Score:2, Interesting)

            by Storlek (860226)
            I wouldn't be so sure of Pine's security just because it doesn't handle HTML:

            Warning: The pine software has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as users on the local system, by the action of sending a specially-prepared email. All such known problems have been fixed, but the pine code is written in a very insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. You inst

    • From the article, The problem, described by the company as a "software bug," could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site,

      HELLO??!! This HAS ALWAYS BEEN KNOWN ON THE SOAPBOX FORUM ON EBAY EVER SINCE NOVEMBER OF 2004. THE ONLY DIFFERENCE IS EBAY HASN'T BROADCAST/ACKNOWLEDGED IT PUBLICLY UNTIL NOW.

      THANX FOR NOTHING EBAY!! I'M GLAD I ALREADY WARNED MY OWN PEOPLE!! [geocities.com]

  • This is not the first time this has happened to a huge company; in the summer of 2002 amazon had a similarly large security hole. Can consumers trust large companies anymore? I think so, but you are always taking your chances with security. Sometimes companies become so large that things get easily overlooked.
    • This is not a large security hole, it's not even a medium sized security hole.
    • by lonb (716586) *
      "Can consumers trust large companies anymore?"
      This is exactly the type of nonsensical question that frightens would-be ascenders of the technology curve. First of all it begs the question, "large companies" versus who? Small companies? Do you think small companies are any more capable of defending themselves against attacks? Or even doing the type of advanced testing that can be done by a large company with large company resources?

      If not, are you then suggesting no one should do business at all? Obviousl

  • Phishing EBay (Score:3, Interesting)

    by BrianGa (536442) on Saturday March 05, 2005 @05:25PM (#11854723)
    Can anyone enlighten me as to the benefit of phishing for EBay accounts? Assuming the ultimate goal is profit, what can the attacker really do with one, as long as the EBay account information isn't the same as the Paypal?
    • Re:Phishing EBay (Score:5, Insightful)

      by X0563511 (793323) * on Saturday March 05, 2005 @05:36PM (#11854794) Homepage Journal
      Lots of people use the same password for everything. If I were to net a bunch of Ebay account passwords, I could stand a decent chance of getting into the paypal accounts of at least a few of them.
    • Re:Phishing EBay (Score:3, Informative)

      by rednip (186217) *
      Conducting fraudulent auctions with your "good name", buying stuff and then not paying for it with your "good name". Many people depend on seller and buyer ratings and reports for clues as to how much to trust someone. It can be so valuable that some people have set up businesses in Ebay which capitalize on their good seller's reputation.
      • This doesn't make sense! If this was the reason, then tracing the thief would only be a matter of determining the mailing information! The buyer would need to physically pick up the goods at one point or another.
        • I guess that if you knocked on the first door in a bad part of your town, a helpful soul would help you for a small cut.
        • Re:Phishing EBay (Score:5, Informative)

          by John Miles (108215) on Saturday March 05, 2005 @06:51PM (#11855279) Homepage Journal
          Um, no, that's the whole thing... there aren't any goods to mail.

          The idea is, I use your account to post an auction for an expensive piece of equipment with a glowing description stolen from another successful auction, photos courtesy of Google Image Search, and a Buy It Now price around 20% of retail. The victim hits the BIN button and, at my request, sends me a Western Union transfer to pay. That's the last anyone hears from me.

          Typically this scam is operated from Internet cafes in Eastern European countries with twentieth-century technology and twelfth-century ethics.
          • It's you!?! I'm going to get you, you bastard!

            Can you tell me more about the cafes? From your description so far I've narrowed it down to about 100,000 of them, can you give me any more clues?

          • ...operated from Internet cafes in Eastern European countries...

            I checked the domain registration of ws-confirm.info, said that the registrant was one Lenka Mackova, in Tucker, GA.

            Phonebook search turned up a Lenka Mackova in SC. And the IP addresses for ws-confirm.info appeared to belong to yahoo.com.

            Probably no connection... you can't trust whois info anyway. But ws-confirm.info still tries to redirect me to signin.ebay.com.

    • Re:Phishing EBay (Score:3, Informative)

      by wotevah (620758)
      As in my previous post [slashdot.org], page two of the fake website asks for credit card. Since the sheep never wonder why a certain piece of private information is "required" on a form, I bet a lot of people actually filled that in too.
    • One way to try and scam some money out of people is to pretend to sell something on eBay, and never deliver. SOP is for the buyer to pay before the seller ships the item, so it can work.

      Now the thing is, if your reputation sucks, nobody will do that for bigger ticket items. Some scammers pump their rating up by buying lots of small things, but people look for that now. So, if you manage to get a password for an account that has a long, real history on eBay, you can use it to scam people. They look at the f
    • Don't assume that every hacking attempt has financial profit as a goal. Don't even assume that they always have a goal at all. Most of the time, just hacking "something big" is a nice endeavor in itself for the average hacker joe, or even for a bunch of them. Being able to "shake the big tree" is a power trip.
    • I could, for example, list an automobile for sale. The ebay fees on an automobile alone would cost the lister a decent amount of money. Maybe there is no money in it for me (Mr. Joe Phisher) but I can screw a bunch of people over pretty easily.
  • by Sheetrock (152993) on Saturday March 05, 2005 @05:25PM (#11854729) Homepage Journal
    Companies are so quick to doll up their e-mails with the latest HTML -- images, links, and tables -- that their customers are getting used to using e-mail as a portal to company sites.

    It should be a text-only medium, period. No attachments, no graphics, no opportunity to get someone to click before they think.

    • Maybe for an ultra paranoid administrator it should, but email is used by regular everyday people who send photos, videos, files etc... and probably don't give two shits of a damn about bullet proof security. I can see your point, but I think the solution to that would be a completely separate software package designed strictly for primitive communications (Not something the public is interested in).
      • For everyone it should. They're just "regular everyday people" and don't give two shits about security (nevermind bullet proof security) right up until that moment when they call and say "I think I might have clicked something bad".

        Fucktards. They deserve it. They don't deserve to have ultra paranoid administrators coming along behind them trying to clean up the mess they make. I've long complained about the balancing act we have to do trying to keep things secure at my place of employment but our manag
        • Without users, you lose your job as you're the administrator of the computing system in the office!

          I understand the paranoia of administrators and how annoying those viruses, trojans, scams can be, but you know people simply don't care about security and resources on computer unless they are directly because they think that nothing could happen to them! Just accept it as it is, always educate people about the potential dangers, and ask for a holiday to see it crash if they didn't follow your ideas. :)

          (O
    • by Anonymous Coward
      I thought the SCO lawsuit was the dumbest thing to ever be suggested, but then I read your post. Jesus H. Christ, what a stupid thing to say. Do you shake your rake at the neighborhood kids on their skateboards, old man? Hey, I have another idea that you might like, how about we just get rid of links altogether on the Internet, that way no phishing can ever happen! Perhaps in your lonely and cold little crevice under the bridge somebody might even disallow all images on web pages, that way there can be
      • Perhaps in your lonely and cold little crevice under the bridge somebody might even disallow all images on web pages, that way there can be no question about the source of information.

        You'll be wanting to set your web browser to allow images from the originating server only if you've seen some of the abuses of <IMG SRC ...> I have. Unless you don't mind a malicious individual building some "interesting" web browsing history for you when you visit a public forum that lets anyone post images as part

    • I wonder if we could convince Microsoft to write an addon to Outlook Express that converts embedded gifs into ascii art before the email gets sent? Now that is something I could get behind.
    • That's absolutely right!

      I actually got about 7 of these fake e-mails from ebay. My instinct told me that they were fake, even though they took me to ebay's website.

      The way I managed to figure out that they were fake was to go to ebay.com and try to find the page linked. When there was no mention at all of the linked page anywhere, I knew it was a fake. Just to make sure, I sent it to spoof@ebay.com, and they said it was fake!

      Anyway, I'd suggest this method for following any links in any e-mail. I feel mu
    • You think that text-only email would prevent people from being fooled online? Let me introduce you to a fellow named Dave Rhodes [invest-faq.com]....
  • by MichaelCrawford (610140) on Saturday March 05, 2005 @05:25PM (#11854731) Homepage Journal
    Use Validators and Load Generators to Test Your Web Applications [goingware.com] is likely to help you find a lot of problems with your web software, and some of those problems would be security holes.

    It is Free Documentation, under the GNU FDL.

    It's at GoingWare's Bag of Programming Tricks [goingware.com].

  • Scrambling? (Score:5, Interesting)

    by Ulric (531205) on Saturday March 05, 2005 @05:26PM (#11854732) Homepage
    Maybe they are scrambling, but it sure seems like it is still working:

    http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/ [ebay.com]

    That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.

  • by Anonymous Coward
    It's a pheature.
  • by Anonymous Coward on Saturday March 05, 2005 @05:29PM (#11854750)
  • by Cylix (55374) * on Saturday March 05, 2005 @05:30PM (#11854755) Homepage Journal
    Maybe they changed their stance.

    Not too long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.

    Long story short, it didn't take place on eBay, but originated through a compromised users account. In the end, eBay was fairly useless for help because they had the option to not deal with it.

    If they were serious about working hard to stop this activity they could be a bit more pro-active.

    Now, I'm not damning them completely, not so long ago I had someone disappear after a transaction. It took a few weeks to get my money back, but in the end the issue was resolved.

    They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.

    Otherwise, an alright service, but plagued with problems any high profile commerce site would suffer.
  • I haven't read it yet, but its review [accu.org] at the Association of C and C++ Users [accu.org] says it's good. It emphasizes the importance of validating any data received over the network, especially not to trust it.

    [ Buy at Powell's City of Books [powells.com]]

  • I found it last week (Score:4, Informative)

    by ericspinder (146776) on Saturday March 05, 2005 @05:34PM (#11854783) Journal
    Got in as spam in my old honey pot, and I had a hard time sending to the company, as I didn't want to sign into their system to do it.

    Finally I tried abuse@ebay, that sent back an automated reply and in that reply, I found the email spoof@ebay.com

    I doubt if I'm the only person who found that scam, but I am glad that they seem to be taking action.

    • by John Miles (108215) on Saturday March 05, 2005 @05:46PM (#11854853) Homepage Journal
      Annoyingly, my ISP (Speakeasy) has stopped allowing its customers to forward phishing emails to spoof@ebay.com.

      They are doing content filtering on outgoing mail, which is something I really wish they wouldn't do. I have no idea what aspect of the message triggers the filter, but any attempt to forward an HTML phishing mail without converting it to plaintext first (and losing the href fields that would allow eBay to shut down the phishing sites) yields "Server Response: '554 message permanently rejected, you may have a virus (#5.3.0)'."

      All attempts to communicate my displeasure to Speakeasy's support department have met with the usual language barrier (I speak English, they speak Moronese). I simply could not find a way to convince them that I wasn't having trouble sending email in the general case. If anybody from Speakeasy is reading this, it would be nice if they got the clue bat after whoever implemented this filter. Customers need to be able to opt out of all content filters, both incoming and outgoing.
      • You can laugh or you can cry. Somehow laughing's better, or at least I thought so.

        Anybody's attempts to make the "internet safe" are going to be fairly ineffective at best. In this situation, you are willing to go to a little bit of trouble to try to put a stop to it. The phishers and other malware creators are willing to go to a lot more trouble to ensure it keeps on coming.

        There's a reason that Linux comes off as being much more secure than Microsoft Windows. Microsoft tries to reassure it users that ev
      • Sounds like they've setup a virus/spam filter on their outgoing email as well as incoming. The upside and goal is to stop viruses and spam being sent out by their clients. The downside, as you demonstrate, is that the same system stops these types of emails from being forwarded to people who can do something about these fraudulent emails. One wonders how/why you received the email in the first place, but you can't forward it. Bizarre.

        Does eBay have a web form where you can input emails instead of forwar

        • I don't know if they do any incoming filtering or not; I don't use my @speakeasy.net account for anything. There are definitely no viruses in the mail, just classical phishing content (eBay logos and such). They are just naively assuming that anyone who sends that type of traffic is either a criminal or a spam zombie.

          I didn't try to forward it to my Hotmail or GMail accounts, because I assumed that Speakeasy's SMTP server would still refuse to accept the message. eBay does have web forms, but they're bu
  • GPG (Score:5, Interesting)

    by SamMichaels (213605) on Saturday March 05, 2005 @05:34PM (#11854786)
    Not just for ebay...but for everyone. Allow users to download the GPG key from inside their account and sign all the legit email.

    I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.
  • About time... (Score:2, Interesting)

    by SCSi (17797)
    I believe ebay has know about this for a while but sat on it for some unknown reason: SURBL List gave first warning [surbl.org]. Took them almost a month, not bad.
    • Re:About time... (Score:3, Informative)

      by ryanjensen (741218)
      I reported this to spoof@ebay.com months ago when I first received it. I included my opinion that running an open redirect is utterly stupid and useless (why the hell would they do this anyway?). I received no response, as expected, but I am dismayed to see that the exploit is still available.

      Ryan

      • I did send a mail too, on feb 6th, to abuse@ebay.com. In it I said: "This phishing uses a real ebay URL to seem legitimate". All I got was an automated response telling me to take several steps to report it to them.

        When I received that, I dropped it. I wanted to report it, because I recognised the threat, but I don't want to jump through several hoops just to please them. Reporting to abuse@ is doing them a service. Some activity on their side is the least to expect.
    • I reported it a couple of weeks ago, too. It makes for a damn tricky phishing exploit. The URL has ebay.com in it, but had parameters further along that redirected it. They also obfuscated the redirect target by using escape characters. I might have been caught by it if they hadn't sent it to an e-mail address that only spammers use.
  • At what point does enabling fraud get to the point of legal liability?
  • Scam link (Score:3, Informative)

    by wotevah (620758) on Saturday March 05, 2005 @05:53PM (#11854894) Journal

    The link in the scam email eventually redirects to this IP address in France, *after* ebay verifies your login. Incidentally, the one I received came through a server in Korea.

    http://62.193.217.91/eBayISAPI.php [62.193.217.91]

    Page two asks for your credit card, which answers the questions about the benefits of ebay phishing.

    • The link in the scam email eventually redirects to this IP address in France, *after* ebay verifies your login.

      The server is hosted by amen.fr, a company specializing in cheap hosting that does not have an especially bad name. It is likely that things are very automated there, and that it is possible for someone to sign up for an account, pay some money, host the scam for a couple of weeks, gain much more money this way, and then run away.

      I was a bit surprised to see this scam is done from France, becaus
  • My advice... (Score:5, Insightful)

    by wotevah (620758) on Saturday March 05, 2005 @06:07PM (#11854979) Journal

    ...has always been to never click on emailed links pertaining to anything important, especially banking and such.

    Bookmark all the financial sites you use, and whenever you receive emails with such "friendly" links, use your bookmark instead, to log in to the site. If it was important, you will see it on the next page there.

    I never click on the links even when I know they are legit (to avoid forming a habit).

  • Google-Translated Heise Newsticker article [google.com] from March 1st.

    c|net : The problem [...] could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site, the representative said.
    Heise: The emails, pretending to come from eBay, have been circulating on the net since February 12th. eBay was informed about it, but has not reacted so far.

    • That just seems really stupid, I mean all it would take is to temporarily remove the redirect feature from the code, or put a couple of regular expressions in there to only allow their hostnames to be used.

      It would take literally 2 minutes for them to fix this.

  • I received one of these over a week ago. It caught my eye more than the other phishing attempts because, after looking at the html, it did indeed send me to *.ebay.com. However deep in the url was a redirect to an IP address. They are using some mechanism within ebay itself to redirect traffic to other sites.

    So this exploit has been in use for a long time (relatively speaking) for the vulnerability to still be unpatched.

    Dan East
  • The biggest problem (Score:2, Interesting)

    by sheppos (633308)
    Is that ebay don't care. I've forwarded various emails like this to abuse, webmaster and postmaster and received completely unhelpful automated replies. I've been to the customer service pages on the site and emailed them... To receive completely unhelpful automated replies. Long story short - they don't care, I don't trust them.
  • I got one of those url redirector trojans like 1.5 months ago. How is that scrambling if it's just in the news right now? :)
  • by hairykrishna (740240) on Saturday March 05, 2005 @09:47PM (#11856282)
    I'm a powerseller on UK eBay. This exploit was reported in the powerseller forum a couple of weeks ago.

    Seems that they're only 'scrambling' now there is media attention.

  • I recently [and despite my best thoughts on the matter] signed up for PayPal.

    I get dozens of "paypal" emails a day. Occasionally some ARE legit.

    I *NEVER* click on ANY links in emails for things like paypal/gmail/etc. [And yes, I'm smart enough to actually hover on the link to see the url or just see the source].

    You want to go to ebay? Simply type

    "http://www.ebay.com"

    In your browser location bar... wanna login to paypal type

    "https://www.paypal.com"

    If you get a "notice" from "paypal" just login and s
    • Re:not hard (Score:4, Insightful)

      by fireheadca (853580) on Sunday March 06, 2005 @12:15AM (#11856981)
      In other words, don't be stupid and just randomly enter your password in sites asking for "updates"...

      For some phishes, I take the time to login with fake id's and passwords making sure to insult the scumsucking bastards. Then I do a network lookup on them and try to email the corresponding isp. Very easy to do and protects others.

      Vigilantism at its best! Everyone do the same.
    • That method is completely ineffective if you are using a PC that's fallen to a hole in IE that lets in malware (there are many) that tweaks your HOSTS file to point www.paypal.com to some ip address in austria.

      This technique is currently used more by adware companies, to redirect google.com and so forth to their banner pages, but the phishers are using it too.
  • Ebay Idiocy (Score:2, Interesting)

    by fireheadca (853580)
    I was sent an e-mail from ebay:

    PASSWORD POLL

    When I create a password for any of my online accounts, I use:
    let me check, it's written beside my computer
    a combination of upper & lower case letters and numbers
    the same password for all my accounts
    the name of my child/pet/spouse/secret crush
    some variation on my name or user ID
    a random word from the dictionary
    123456 or abcdef
    the word "password"

    After contacting Customer Support I was informed that it was legit. !!!!

    I tried numerous

  • eBay left a forum Admin tool accessible to the Web, and several, if not hundreds of users' personal information such as their address, phone number, and Board violations were accessible to people with the correct URL to view this information.
  • At Least a Month Old (Score:4, Interesting)

    by ewhac (5844) on Sunday March 06, 2005 @05:15AM (#11857756) Homepage Journal
    I sent a note to eBay's fraud/abuse feedback channel about this on January 30th. So they can't claim they only just now found out about it.

    Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)

    _________________________________

    email header:
    from aw-confirm@ebay.com sun jan 30 14:42:29 2005

    email body:
    <html>
    <body>

    dear ebay community member,<br><br>
    <!--uee-->
    it has come to our attention that your ebay billing information records
    are out of date.<br>
    that requires you to update the billing information if you could please
    take 5-10 minutes out of your online experience and update your<br>
    billing records, you will not run into any future problems with ebay's
    online service.<br>
    however, failure to update your records will result in soon account
    termination. once you have updated your account records, your ebay<br>
    session will not be interrupted and will continue as normal. failure to
    update will result in cancellation of service, terms of service<br>
    (tos) violations or future billing problems.<br><br>

    to update and login to your ebay account, click on the link
    below:<br><br>
    <!--xr-->
    <a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=3dredirecttodomain&domainurl=3dhttp%3a%2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%32%2fupdatecenter%2flogin%2f%3fmfcisapisession%3daajbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstpaisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrferhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/</a><br>

    <br>

    thank you for using ebay!<br><br>

    **this is no-reply message. please do not reply to this email, as you
    will receive no response**
    <!--i36-->
    </body>
    </html>

    ------=_nextpart_000_0068_01c44e5d.dbc9229e--

    message: if i'm interpreting the url in the message correctly, it looks
    like you have a vulnerable redirector running somewhere. if so, you'll
    probably want to fix that.

    the above appears to be redirecting to the ip address 211.233.38.72,
    which 'whois' says is in korea.

    schwab

    --_----------=_9502205623000--

    ------=_nextparttm-000-25ddf14b-7467-4642-9e0d-8 cafc918baf3--
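The post above shows the redirect target spelled out in %XX escapes so that only cgi4.ebay.com is visible at a glance, and an earlier comment suggests the fix is a check that only eBay's own hostnames may be redirect targets. The following is an added example, not code from this thread or from eBay: it decodes such a DomainUrl parameter the way a browser would (quoted-printable, then nested percent-encoding) and applies a hostname allowlist. The allowlist, function names and sample URLs are assumptions made up for the example; the session token is a constructed placeholder, and the decoded IP 211.233.38.72 is the one quoted in the post.

```python
"""Added example (not from the Slashdot thread or eBay): validate the target of a
...?MfcISAPICommand=RedirectToDomain&DomainUrl=<target> style redirector."""
import quopri
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed policy: only these domains (and their subdomains) may be redirect targets.
ALLOWED_DOMAINS = ("ebay.com",)

# Constructed sample, patterned on the quoted-printable phishing mail in the post.
# "=3d" is quoted-printable for "="; the host is written as %XX escapes so that a
# reader eyeballing the href sees only "cgi4.ebay.com". SESSIONTOKEN is a placeholder.
PHISH_HREF_QP = (
    "http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=3dredirecttodomain"
    "&domainurl=3dhttp%3a%2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%32"
    "%2fupdatecenter%2flogin%2f%3fmfcisapisession%3dSESSIONTOKEN"
)


def decode_quoted_printable(text: str) -> str:
    """Undo the mail transfer encoding so the href reads as the mail client renders it."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def fully_unquote(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing; phishers nest encodings."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_target(url: str):
    """Return the decoded DomainUrl parameter, or None if the URL carries none."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in params.items():      # treat the parameter name case-insensitively
        if key.lower() == "domainurl" and values:
            return fully_unquote(values[0])  # parse_qs already removed one encoding layer
    return None


def target_allowed(target: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for absolute http(s) URLs whose host is an allowed domain or subdomain."""
    if any(ch.isspace() or ord(ch) < 32 for ch in target) or "\\" in target:
        return False                         # header-injection and backslash-as-slash tricks
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False                         # rejects javascript:, data: and "//host" forms
    host = (parts.hostname or "").lower().rstrip(".")   # hostname drops any user@ prefix
    if not host:
        return False
    # Suffix match on a dot boundary: "signin.ebay.com" passes, "ebay.com.evil.test" does not.
    return any(host == d or host.endswith("." + d) for d in allowed)


def safe_redirect(url: str, fallback: str = "https://www.ebay.com/") -> str:
    """What a fixed redirector should do: honour allowed targets, otherwise send users home."""
    target = redirect_target(url)
    if target is None or not target_allowed(target):
        return fallback
    return target


if __name__ == "__main__":
    href = decode_quoted_printable(PHISH_HREF_QP)
    print("decoded target:", redirect_target(href))
    print("fixed redirector would send the user to:", safe_redirect(href))
```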

  • I once almost fell victim to a phishing attack by foolishly clicking on a link in a mail. Fortunately I discovered that the url in the browser did not point to ebay.com.

    I forwarded the email to ebay and got an automated response giving some advice. The advice was neither accurate nor as good as it could be.

    They said they would never request a user password in an email. That is probably right, but it does not address emails linking to web sites. EBay's web site does ask for a password, and so do the bogus
