eBay Scrambles to Fix Phishing Bug
Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. "The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.""
In other news... (Score:1, Insightful)
Re:In other news... (Score:2)
outlook! NOT GOOD (Score:1, Funny)
Re:outlook! NOT GOOD (Score:1)
Re:outlook! NOT GOOD (Score:1)
Outlook Settings (Score:2)
I have my email client at home (Kmail) set to Text instead of HTML. It makes it easier to spot redirects and such, so phishing schemes are more obvious.
I don't use Outlook, so I don't know if it can be set to Text view for incoming messages. It would be very helpful for someone to post the steps needed to set Outlook for text view.
Re:Outlook Settings (Score:2)
I have rx'd probably 50 of these ebay phishing messages here. I forwarded the first couple of them to abuse at ebay, but never got a bounce or a reply other than the usual boilerplate, and came to the conclusion that officially, they could care less.
So why are they now, damned near 6 months later, finally admitting it?
--
Cheers, Gene
Re:Outlook Settings (Score:2)
You know I tried the same with the first couple phishing mails that I apparently received from banks with exactly the same result.
It's not that you would expect to get a personal thank you visit by their CIO, but at least something like an acknowledgement would indicate that they are at least interested.
What does that tell you? In all likeliness your bank doesn't give a flying fuck if you are ripped off. It's not their money and hassle after all.
Re:Outlook Settings (Score:2)
Who was the first moron to put HTML in mail clients? He deserves to rot in hell with those screwballs at M$ who gave Internet Mail and News the ability to post HTML Usenet messages.
Re:Outlook Settings (Score:2, Interesting)
EBAY FRAUD NON-SECURITY OVER 3 MONTHS LATE (Score:1)
HELLO??!! This HAS ALWAYS BEEN KNOWN ON THE SOAPBOX FORUM ON EBAY EVER SINCE NOVEMBER OF 2004. THE ONLY DIFFERENCE IS EBAY HASN'T BROADCAST/ACKNOWLEDGED IT PUBLICLY UNTIL NOW.
THANX FOR NOTHING EBAY!! I'M GLAD I ALREADY WARNED MY OWN PEOPLE!! [geocities.com]
Not the first time (Score:2, Insightful)
Re:Not the first time (Score:1)
Re:Not the first time (Score:2, Insightful)
This is exactly the type of nonsensical question that frightens would-be ascenders of the technology curve. First of all, it begs the question: "large companies" versus who? Small companies? Do you think small companies are any more capable of defending themselves against attacks? Or even doing the type of advanced testing that can be done by a large company with large-company resources?
If not, are you then suggesting no one should do business at all? Obviousl
Phishing EBay (Score:3, Interesting)
Re:Phishing EBay (Score:5, Insightful)
Re:Phishing EBay (Score:3, Informative)
Re:Phishing EBay (Score:1)
Re:Phishing EBay (Score:2)
Re:Phishing EBay (Score:5, Informative)
The idea is, I use your account to post an auction for an expensive piece of equipment with a glowing description stolen from another successful auction, photos courtesy of Google Image Search, and a Buy It Now price around 20% of retail. The victim hits the BIN button and, at my request, sends me a Western Union transfer to pay. That's the last anyone hears from me.
Typically this scam is operated from Internet cafes in Eastern European countries with twentieth-century technology and twelfth-century ethics.
Re:Phishing EBay (Score:1)
Can you tell me more about the cafes? From your description so far I've narrowed it down to about 100,000 of them, can you give me any more clues?
Re:Phishing EBay (Score:2)
I checked the domain registration of ws-confirm.info, which said that the registrant was one Lenka Mackova, in Tucker, GA.
Phonebook search turned up a Lenka Mackova in SC. And the IP addresses for ws-confirm.info appeared to belong to yahoo.com.
Probably no connection... you can't trust whois info anyway. But ws-confirm.info still tries to redirect me to signin.ebay.com.
Re:Phishing EBay (Score:3, Informative)
Fraud (Score:2)
Now the thing is, if your reputation sucks, nobody will do that for bigger ticket items. Some scammers pump their rating up by buying lots of small things, but people look for that now. So, if you manage to get a password for an account that has a long, real history on eBay, you can use it to scam people. They look at the f
Re:Phishing EBay (Score:1)
Re:Phishing EBay (Score:1)
That's the problem with e-mail correspondence. (Score:5, Insightful)
It should be a text-only medium, period. No attachments, no graphics, no opportunity to get someone to click before they think.
Re:That's the problem with e-mail correspondence. (Score:1)
Re:That's the problem with e-mail correspondence. (Score:2)
Fucktards. They deserve it. They don't deserve to have ultra paranoid administrators coming along behind them trying to clean up the mess they make. I've long complained about the balancing act we have to do trying to keep things secure at my place of employment but our manag
Re:That's the problem with e-mail correspondence. (Score:1)
I understand the paranoia of administrators and how annoying those viruses, trojans, scams can be, but you know people simply don't care about security and resources on computer unless they are directly because they think that nothing could happen to them! Just accept it as it is, always educate people about the potential dangers, and ask for a holiday to see if it crashes if they didn't follow your ideas.
(O
Re:That's the problem with e-mail correspondence. (Score:1, Insightful)
Re:That's the problem with e-mail correspondence. (Score:2)
You'll be wanting to set your web browser to allow images from the originating server only if you've seen some of the abuses of <IMG SRC ...> I have. Unless you don't mind a malicious individual building some "interesting" web browsing history for you when you visit a public forum that lets anyone post images as part
Re:That's the problem with e-mail correspondence. (Score:1)
Re:That's the problem with e-mail correspondence. (Score:1)
Re:That's the problem with e-mail correspondence. (Score:1)
I can just imagine the viagra and cU/\/\ E471ng l0n3ly h0u23\/\/1f3 ads now... in new ascii art!
u = 8==D hA haHA lolomfgwtfmatebbq!!11111ten
u wif ci_a11is = 8========================D
Re:That's the problem with e-mail correspondence. (Score:1)
I actually got about 7 of these fake e-mails from ebay. My instinct told me that they were fake, even though they took me to ebay's website.
The way I managed to figure out that they were fake was to go to ebay.com and try to find the page linked. When there was no mention at all of the linked page anywhere, I knew it was a fake. Just to make sure, I sent it to spoof@ebay.com, and they said it was fake!
Anyway, I'd suggest this method for following any links in any e-mail. I feel mu
Re:That's the problem with e-mail correspondence. (Score:2)
While my article might not have prevented this (Score:3, Informative)
It is Free Documentation, under the GNU FDL.
It's at GoingWare's Bag of Programming Tricks [goingware.com].
I am a shameless link whore, in fact, but... (Score:2)
By exposing bugs, you ninny! (Score:2)
Scrambling? (Score:5, Interesting)
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/ [ebay.com]
That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.
Re:Scrambling? (Score:1, Informative)
Here's the email, minus where the URL actually goes to:
eBay NewYears User Agreement Update
It's that time of year again! With 2005 now upon us, we have updated the eBay user agreement. As a result of the update, your account will be restricted until you have followed the link below and reconfirmed your contractual agreement with eBay. We apologize for any inconvience as a result of the update, but as a large e-commerce entit
Re:Scrambling? (Score:4, Informative)
Re:Scrambling? (Score:3, Informative)
Re:Scrambling? (Score:1)
Re:Scrambling? (Score:2)
Re:Scrambling? (Score:2)
When I type in a correct password (tried it first with an _incorrect_ password), this is what I get:
404 Not Found:
The requested URL /eBayISAPI.php was not found on this server.
And "this server" is, 62.193.211.236.
Now, only if there's a way to figure out who their ISP is and alert them about this phishing scheme....
PS. Of course, I changed my password immediately afterwards. I'm stupid, but not _that_ stupid.
Re:Scrambling? (Score:2, Informative)
It's been exploited in phishing attempts since at least Feb 16th: http://lists.surbl.org/pipermail/discuss/2005-February/004192.html [surbl.org]
Quite why they thought running an open redirector was a good idea is anyone's guess.
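The RedirectToDomain link posted above works because the endpoint sends the browser wherever the DomainUrl parameter says, which is what makes it an open redirector. What follows is an added example in Python, not eBay's code and not from any post in this thread, of the check such an endpoint needs: an allowlist of hosts, applied after the normalisation a browser would do. The function names, ALLOWED_HOSTS and the example.com hosts are assumptions chosen for illustration.

```python
"""Open redirector 'before' and allowlisted redirector 'after' (added example)."""
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts the redirector may send users to (assumption).
ALLOWED_HOSTS = {"www.example.com", "signin.example.com"}
# Where to send the user when the requested target is not allowed.
HOME = "https://www.example.com/"


def open_redirect(domain_url: str) -> str:
    """The 'before': the parameter value becomes the redirect target verbatim."""
    return domain_url


def is_safe_redirect(target: str) -> bool:
    """Return True only for same-site paths or http(s) URLs on allowlisted hosts.

    Covers the usual ways an allowlist gets bypassed:
    - percent-encoded targets are decoded before parsing, so '%2f%2fhost' is
      seen as '//host' rather than as a harmless path;
    - backslashes are treated as slashes, as browsers do, so '/\\host' is '//host';
    - scheme-relative '//host' has no scheme and is rejected;
    - credentials before '@' are rejected, so 'allowed@evil' cannot pass;
    - only the parsed hostname (lower-cased, port stripped) is compared.
    """
    decoded = unquote(target)
    normalised = decoded.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # A same-site path: exactly one leading slash, never '//'.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def safe_redirect(domain_url: str) -> str:
    """The 'after': honour the target only if it passes the allowlist check."""
    return domain_url if is_safe_redirect(domain_url) else HOME


if __name__ == "__main__":
    for candidate in ("https://signin.example.com/ws/", "http://attacker.example/",
                      "//attacker.example/", "/myebay/summary",
                      "http%3a%2f%2f%31%39%32%2e%30%2e%32%2e%31%30%2f"):
        print(f"{candidate!r:55} -> {safe_redirect(candidate)}")
```

The decode-then-normalise order matters: checking the raw string against an allowlist, or checking before decoding, is what lets the encoded and backslash variants through.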
Re:Scrambling? (Score:3, Informative)
Re:Scrambling? (Score:1)
Off-topic: Pathetic Writer (Score:1)
It's not a bug (Score:1, Funny)
In other news... (Score:5, Funny)
Each day, more and more people reads slashdot ... (Score:2)
Just no one's actually RTFA.
Thanx, I'm here all week.
Working hard to stop fraud? (Score:4, Interesting)
Not too long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.
Long story short, it didn't take place on eBay, but originated through a compromised users account. In the end, eBay was fairly useless for help because they had the option to not deal with it.
If they were serious about working hard to stop this activity they could be a bit more pro-active.
Now, I'm not damning them completely; not so long ago I had someone disappear after a transaction. It took a few weeks to get my money back, but in the end the issue was resolved.
They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.
Otherwise, an alright service, but plagued with problems any high profile commerce site would suffer.
Recommended Reading: Quality Web Systems (Score:2)
[ Buy at Powell's City of Books [powells.com]]
How is that wrong? (Score:2)
I posted the book because I felt it would be genuinely useful to the people reading this story.
If you're such a hero, why don't you log in under your real name, like I do.
I found it last week (Score:4, Informative)
Finally I tried abuse@ebay, that sent back an automated reply and in that reply, I found the email spoof@ebay.com
I doubt if I'm the only person who found that scam, but I am glad that they seem to be taking action.
spoof@ebay.com not as useful as it could be (Score:4, Informative)
They are doing content filtering on outgoing mail, which is something I really wish they wouldn't do. I have no idea what aspect of the message triggers the filter, but any attempt to forward an HTML phishing mail without converting it to plaintext first (and losing the href fields that would allow eBay to shut down the phishing sites) yields "Server Response: '554 message permanently rejected, you may have a virus (#5.3.0)'."
All attempts to communicate my displeasure to Speakeasy's support department have met with the usual language barrier (I speak English, they speak Moronese). I simply could not find a way to convince them that I wasn't having trouble sending email in the general case. If anybody from Speakeasy is reading this, it would be nice if they got the clue bat after whoever implemented this filter. Customers need to be able to opt out of all content filters, both incoming and outgoing.
Re:spoof@ebay.com not as useful as it could be (Score:2)
Anybody's attempts to make the "internet safe" are going to be fairly ineffective at best. In this situation, you are willing to go to a little bit of trouble to try to put a stop to it. The phishers and other malware creators are willing to go to a lot more trouble to ensure it keeps on coming.
There's a reason that Linux comes off as being much more secure than Microsoft Windows. Microsoft tries to reassure it users that ev
Re:spoof@ebay.com not as useful as it could be (Score:2)
Sounds like they've set up a virus/spam filter on their outgoing email as well as incoming. The upside and goal is to stop viruses and spam being sent out by their clients. The downside, as you demonstrate, is that the same system stops these types of emails from being forwarded to people who can do something about these fraudulent emails. One wonders how/why you received the email in the first place, but you can't forward it. Bizarre.
Does eBay have a web form where you can input emails instead of forwar
Re:spoof@ebay.com not as useful as it could be (Score:2)
I didn't try to forward it to my Hotmail or GMail accounts, because I assumed that Speakeasy's SMTP server would still refuse to accept the message. eBay does have web forms, but they're bu
GPG (Score:5, Interesting)
I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.
About time... (Score:2, Interesting)
Re:About time... (Score:3, Informative)
Ryan
Re:About time... (Score:2)
When I received that, I dropped it. I wanted to report it, because I recognised the threat, but I don't want to jump through several hoops just to please them. Reporting to abuse@ is doing them a service. Some activity on their side is the least to expect.
Re:About time... (Score:2)
Legal liability for eBay? (Score:2)
As soon as they were notified, and failed to act (Score:2)
Maybe an expensive lawsuit, and I expect only a lawsuit, will make eBay and their partner-in-crime, PayPal, start paying attention to security.
Scam link (Score:3, Informative)
The link in the scam email eventually redirects to this IP address in France, *after* ebay verifies your login. Incidentally, the one I received came through a server in Korea.
http://62.193.217.91/eBayISAPI.php [62.193.217.91]
Page two asks for your credit card, which answers the questions about the benefits of ebay phishing.
Re:Scam link (Score:2)
The server is hosted by amen.fr, a company specializing in cheap hosting that does not have an especially bad name. It is likely that things are very automated there, and that it is possible for someone to sign up for an account, pay some money, host the scam for a couple of weeks, gain much more money this way, and then run away.
I was a bit surprised to see this scam is done from France, becaus
My advice... (Score:5, Insightful)
Bookmark all the financial sites you use, and whenever you receive emails with such "friendly" links, use your bookmark instead, to log in to the site. If it was important, you will see it on the next page there.
I never click on the links even when I know they are legit (to avoid forming a habit).
Re:My advice... (Score:1)
Re:My advice... (Score:2)
Re:My advice... (Score:2)
I'd say go further [this relies on trusting your DNS and installed CA certs] just type the URL manually. They're usually short and it can save you a lot of hassle.
Tom
Re:misspelling (Score:2)
Tom
Hooray for eBay and c|net - or not? (Score:2)
c|net : The problem [...] could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site, the representative said.
Heise: The emails, pretending to come from eBay, have been circulating on the net since February 12th. eBay was informed about it, however it has not reacted so far.
Re:Hooray for eBay and c|net - or not? (Score:1, Insightful)
It would take literally 2 minutes for them to fix this.
Saw this a week ago. (Score:2)
So this exploit has been in use for a long time (relatively speaking) for the vulnerability to still be unpatched.
Dan East
The biggest problem (Score:2, Interesting)
Re:The biggest problem (Score:2)
Re:The biggest problem (Score:1)
Re:The biggest problem (Score:2)
Don't shoot the messenger, Ebay is a faceless Corporation.
scrambles? (Score:1)
This was reported a while ago (Score:4, Insightful)
Seems that they're only 'scrambling' now there is media attention.
not hard (Score:2)
I get dozens of "paypal" emails a day. Occasionally some ARE legit.
I *NEVER* click on ANY links in emails for things like paypal/gmail/etc. [And yes, I'm smart enough to actually hover on the link to see the url or just see the source].
You want to go to ebay? Simply type
"http://www.ebay.com"
In your browser location bar... wanna login to paypal type
"https://www.paypal.com"
If you get a "notice" from "paypal" just login and s
Re:not hard (Score:4, Insightful)
For some phishes, I take the time to login with fake id's and passwords making sure to insult the scumsucking bastards. Then I do a network lookup on them and try to email the corresponding isp. Very easy to do and protects others.
Vigilantism at its best! Everyone do the same.
Re:not hard (Score:2)
This technique is currently used more by adware companies, to redirect google.com and soforth to their banner pages, but the phishers are using it too.
Ebay Idiocy (Score:2, Interesting)
After contacting Customer Support I was informed that it was legit. !!!!
I tried numerous
Last year, when they upgraded their Boards... (Score:2)
At Least a Month Old (Score:4, Interesting)
Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)
_________________________________
email header:
from aw-confirm@ebay.com sun jan 30 14:42:29 2005
email body:
<html>
<body>
dear ebay community member,<br><br>
<!--uee-->
it has come to our attention that your ebay billing information records
are out of date.<br>
that requires you to update the billing information if you could please
take 5-10 minutes out of your online experience and update your<br>
billing records, you will not run into any future problems with ebay's
online service.<br>
however, failure to update your records will result in soon account
termination. once you have updated your account records, your ebay<br>
session will not be interrupted and will continue as normal. failure to
update will result in cancellation of service, terms of service<br>
(tos) violations or future billing problems.<br><br>
to update and login to your ebay account, click on the linki sapicommand=3dredirecttodomain&domainurl=3dhttp%3a %2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%3a jbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstp aisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrfe rhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/ </a><br>
below:<br><br>
<!--xr-->
<a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfc
2%2fupdatecenter%2flogin%2f%3fmfcisapisession%3da
<br>
thank you for using ebay!<br><br>
**this is no-reply message. please do not reply to this email, as you
will receive no response**
<!--i36-->
</body>
</html>
message: if i'm interpreting the url in the message correctly, it looks
like you have a vulnerable redirector running somewhere. if so, you'll
probably want to fix that.
the above appears to be redirecting to the ip address 211.233.38.72,
which 'whois' says is in korea.
schwab
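The mail quoted above hides its destination twice: the body is quoted-printable, so "=3d" stands for "=", and the DomainUrl value of the redirector link is percent-encoded digit by digit, which is why the poster had to "interpret the url" to find the IP address. Below is an added example in Python, not part of the original post, that decodes a mail of that shape and reports where each redirector link really goes. The sample message, the host cgi.trusted.example and the TEST-NET address 192.0.2.10 are constructed for the example and are not values from the thread.

```python
"""Recover the real destination behind a redirector link in a phishing mail (added example)."""
import quopri
import re
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: a quoted-printable mail body whose only link goes through
# a trusted-looking redirector and on to an IP literal. Not the mail from the thread.
SAMPLE_QP_BODY = (
    b'<a href=3D"http://cgi.trusted.example/ws/redirect.dll?'
    b'MfcISAPICommand=3DRedirectToDomain&DomainUrl=3Dhttp%3a%2f%2f'
    b'%31%39%32%2e%30%2e%32%2e%31%30%2fupdate%2flogin">Click here</a>'
)

HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded, to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_target(link: str) -> Optional[str]:
    """Return the decoded DomainUrl value of a redirector link, or None if absent.

    parse_qs already percent-decodes once; fully_unquote handles layered encoding.
    The parameter name is matched case-insensitively.
    """
    parts = urlsplit(link)
    query = parse_qs(parts.query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() == "domainurl" and values:
            return fully_unquote(values[0])
    return None


def describe_host(url: str) -> str:
    """Return the hostname, or the tag 'ip-literal' when the host is a bare IP address."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return "ip-literal"
    except ValueError:
        return host


def analyse_mail(raw_qp: bytes) -> List[Dict[str, Optional[str]]]:
    """Decode a quoted-printable body and report the visible and final host of each link."""
    body = quopri.decodestring(raw_qp).decode("utf-8", "replace")
    findings = []
    for link in HREF_RE.findall(body):
        target = redirect_target(link)
        findings.append({
            "link_host": urlsplit(link).hostname,          # what the user sees
            "final_target": target,                         # where the redirector sends them
            "final_host": describe_host(target) if target else None,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_mail(SAMPLE_QP_BODY):
        print(finding)
```

A redirector link whose decoded target is an IP literal, or a host outside the sender's own domains, is the signal worth alerting on; the visible link host alone says nothing, since it is genuinely the trusted site.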
eBay could do more (Score:1)
I forwarded the email to ebay and got an automated response giving some advice. The advice was neither accurate nor as good as it could be.
They said they would never request a user password in an email. That is probably right, but it does not address emails linking to web sites. EBay's web site does ask for a password, and so do the bogus
Phishers don't have international support. (Score:1)
These phishers really need to get their acts together and start supporting international users. There's a whole untapped market out there!