eBay Scrambles to Fix Phishing Bug

Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. 'The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.'"
  • Phishing EBay (Score:3, Interesting)

    by BrianGa ( 536442 ) on Saturday March 05, 2005 @05:25PM (#11854723)
    Can anyone enlighten me as to the benefit of phishing for EBay accounts? Assuming the ultimate goal is profit, what can the attacker really do with one, as long as the EBay account information isn't the same as the Paypal?
  • Scrambling? (Score:5, Interesting)

    by Ulric ( 531205 ) on Saturday March 05, 2005 @05:26PM (#11854732) Homepage
    Maybe they are scrambling, but it sure seems like it is still working:

    http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/

    That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.

  • by Cylix ( 55374 ) * on Saturday March 05, 2005 @05:30PM (#11854755) Homepage Journal
    Maybe they changed their stance.

    Not too long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.

    Long story short, it didn't take place on eBay, but originated through a compromised users account. In the end, eBay was fairly useless for help because they had the option to not deal with it.

    If they were serious about working hard to stop this activity they could be a bit more pro-active.

    Now, I'm not damning them completely, not so long ago I had someone disappear after a transaction. It took a few weeks to get my money back, but in the end the issue was resolved.

    They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.

    Otherwise, an alright service, but plagued with problems any high profile commerce site would suffer.
  • GPG (Score:5, Interesting)

    by SamMichaels ( 213605 ) on Saturday March 05, 2005 @05:34PM (#11854786)
    Not just for ebay...but for everyone. Allow users to download the GPG key from inside their account and sign all the legit email.

    I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.
  • About time... (Score:2, Interesting)

    by SCSi ( 17797 ) on Saturday March 05, 2005 @05:39PM (#11854809) Homepage
    I believe ebay has known about this for a while but sat on it for some unknown reason: SURBL List gave first warning [surbl.org]. Took them almost a month, not bad.
  • The biggest problem (Score:2, Interesting)

    by sheppos ( 633308 ) on Saturday March 05, 2005 @07:51PM (#11855623)
    Is that ebay don't care. I've forwarded various emails like this to abuse, webmaster and postmaster and received completely unhelpful automated replies. I've been to the customer service pages on the site and emailed them... To receive completely unhelpful automated replies. Long story short - they don't care, I don't trust them.
  • Ebay Idiocy (Score:2, Interesting)

    by fireheadca ( 853580 ) on Sunday March 06, 2005 @12:03AM (#11856939)
    I was sent an e-mail from ebay:

    PASSWORD POLL

    When I create a password for any of my online
    accounts, I use:
    let me check, it's written beside my computer
    a combination of upper & lower case letters and numbers
    the same password for all my accounts
    the name of my child/pet/spouse/secret crush
    some variation on my name or user ID
    a random word from the dictionary
    123456 or abcdef
    the word "password"

    After contacting Customer Support I was
    informed that it was legit. !!!!

    I tried numerous times to point this out but
    Customer service with ebay can sometimes be a
    struggle. I take it they assume everybody is
    an idiot.
    Even Ebay Phishes. Go figure.
  • At Least a Month Old (Score:4, Interesting)

    by ewhac ( 5844 ) on Sunday March 06, 2005 @05:15AM (#11857756) Homepage Journal
    I sent a note to eBay's fraud/abuse feedback channel about this on January 30th. So they can't claim they only just now found out about it.

    Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)

    _________________________________

    email header:
    from aw-confirm@ebay.com sun jan 30 14:42:29 2005

    email body:
    <html>
    <body>

    dear ebay community member,<br><br>
    <!--uee-->
    it has come to our attention that your ebay billing information records
    are out of date.<br>
    that requires you to update the billing information if you could please
    take 5-10 minutes out of your online experience and update your<br>
    billing records, you will not run into any future problems with ebay's
    online service.<br>
    however, failure to update your records will result in soon account
    termination. once you have updated your account records, your ebay<br>
    session will not be interrupted and will continue as normal. failure to
    update will result in cancellation of service, terms of service<br>
    (tos) violations or future billing problems.<br><br>

    to update and login to your ebay account, click on the link
    below:<br><br>
    <!--xr-->
    <a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfci sapicommand=3dredirecttodomain&domainurl=3dhttp%3a %2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%3
    2%2fupdatecenter%2flogin%2f%3fmfcisapisession%3daa jbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstp aisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrfe rhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/ </a><br>

    <br>

    thank you for using ebay!<br><br>

    **this is no-reply message. please do not reply to this email, as you
    will receive no response**
    <!--i36-->
    </body>
    </html>

    message: if i'm interpreting the url in the message correctly, it looks
    like you have a vulnerable redirector running somewhere. if so, you'll
    probably want to fix that.

    the above appears to be redirecting to the ip address 211.233.38.72,
    which 'whois' says is in korea.

    schwab

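The redirector link Ulric quotes and the hex-encoded DomainUrl in ewhac's forwarded mail both exploit the same defect: the RedirectToDomain handler forwards to whatever host the query string names. The following is an added example (not eBay's code and not from anyone in the thread) that parses such links, decodes the real destination host, flags open redirects, and shows the allowlist check a hardened handler would do. The allowlist, the 192.0.2.1 sample and the sample links are constructed; only the parameter names MfcISAPICommand and DomainUrl come from the thread.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist of hosts the redirector may legitimately send users to.
ALLOWED_REDIRECT_HOSTS = {"www.ebay.com", "cgi4.ebay.com", "pages.ebay.com"}

def redirect_target(url):
    """Percent-decoded DomainUrl of a RedirectToDomain link, or None if the link is
    not a redirect. Parameter names match case-insensitively, since the phishing
    mail quoted in the thread used all lower-case."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k.lower(): v[0] for k, v in query.items()}
    if params.get("mfcisapicommand", "").lower() != "redirecttodomain":
        return None
    target = params.get("domainurl")
    if not target:
        return None
    # parse_qs decodes one layer; peel any extra layers a hex-encoded host hides behind.
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def redirect_host(url):
    """Hostname the redirect actually lands on, lower-cased ('' if unparseable)."""
    target = redirect_target(url)
    if target is None:
        return None
    return (urlsplit(target).hostname or "").lower()

def is_open_redirect(url):
    """True when an eBay-looking link bounces the visitor to a host outside the allowlist."""
    host = redirect_host(url)
    return host is not None and host not in ALLOWED_REDIRECT_HOSTS

def safe_redirect(url, fallback="https://www.ebay.com/"):
    """Hardened handler: follow the redirect only to an allowlisted host, else go home."""
    if redirect_host(url) in ALLOWED_REDIRECT_HOSTS:
        return redirect_target(url)
    return fallback

if __name__ == "__main__":
    # Constructed samples: one mirrors the siag.nu link from the thread, one hex-encodes
    # a documentation-range IP the way the phishing mail did.
    SAMPLES = [
        "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/",
        "http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=redirecttodomain"
        "&domainurl=http%3a%2f%2f%31%39%32%2e%30%2e%32%2e%31%2fupdatecenter%2flogin%2f",
    ]
    for link in SAMPLES:
        print(redirect_host(link), "OPEN REDIRECT" if is_open_redirect(link) else "ok", "->", safe_redirect(link))
```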
  • Re:Outlook Settings (Score:2, Interesting)

    by Storlek ( 860226 ) on Sunday March 06, 2005 @05:49AM (#11857809)
    I wouldn't be so sure of Pine's security just because it doesn't handle HTML:
    Warning: The pine software has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as users on the local system, by the action of sending a specially-prepared email. All such known problems have been fixed, but the pine code is written in a very insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. You install pine at your own risk.
    -- http://freebsd.active-venture.com/handbook/mail-agents.html#PINE-COMMAND

    Who was the first moron to put HTML in mail clients?

    I don't know for sure, but to hazard a guess, I think it might have been America Online. I remember seeing AOL e-mail with pretty (read: "annoying") colors on AOL before anyone else was doing it.

    I'm not a net.historian by a long shot, though, so you should probably take that with a spoonful of salt. Google helpfully returns practically every page on the net when searching for "html" so it's fairly difficult to find anything of relevance.
