
Sneaky eBay phishing

August 1st, 2005

I’ve seen lots of phishing scams, but this one is particularly clever and has a lesson for us folks developing web apps.

The email was formatted better than many phishing scams, but it had the common fingerprint of “you need to update your account information”. Out of curiosity, I took a look at the link they were directing me to:

—–://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&ru=http://servlet.ebay.com/ForumController?dest=—-://217.159.171.237/.aw-cgi/eBayISAPI.dll/ebay/login.html

(I’ve yanked the https from the beginning so that no one accidentally gets caught from this site.)

At first, I was very confused. The link was actually going to eBay! Unless someone had hacked eBay’s DNS servers (not very likely), then signin.ebay.com is an eBay machine. The trick is this (http blocked out again):

dest=—-://217.159.171.237/

eBay’s signin page allows (or allowed; I didn’t try it) arbitrary redirection. So you log in on the real eBay page and then get bumped over to the phisher’s site. On the plus side, the phisher will have to ask for your username/password again, because I’m pretty sure that eBay is not just going to send that along blithely to some random destination. Being forced to sign in twice is, well, fishy. I don’t know how many people would recognize that, though.

Moral of the story: if you’re implementing a signin page using redirects, which is a very common thing, make sure that you’re only redirecting back to your own domain. And note that the same check belongs on every page that takes a redirect parameter, not just the signin page: here the hop to the phisher’s site came from the ForumController’s dest parameter, which sat inside the signin page’s ru parameter.
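To make the moral concrete, here is an added example (not eBay’s code, nor anything from the original post) of the two things a redirecting endpoint should do: validate its own “return to” parameter against an allowlist of its own domains, and understand that a nested parameter on a later hop has to be validated by that later endpoint, because the first one cannot see it. The eBay hostnames come from the post; the allowed-domain list, the parameter names ru and dest being the only redirect parameters, and the 203.0.113.5 address standing in for the phisher’s server are constructed assumptions.

```python
"""Open-redirect defence: validate a post-login redirect target before using it.

Added example, not eBay's code. Hostnames are taken from the post; the
allowed-domain list and the 203.0.113.5 address are constructed stand-ins.
"""
from urllib.parse import urlsplit, parse_qs

# Domains the sign-in page may bounce the user back to (constructed assumption).
ALLOWED_DOMAINS = ("ebay.com",)

# Query parameters this example treats as "return to" targets (assumption).
REDIRECT_PARAMS = ("ru", "dest")


def host_allowed(host, allowed_domains=ALLOWED_DOMAINS):
    """True if host is an allowed domain or a subdomain of one.

    Exact or dot-prefixed suffix match only, so "evilebay.com" and
    "ebay.com.attacker.example" are both rejected.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def is_safe_redirect(target, allowed_domains=ALLOWED_DOMAINS):
    """Return True only if target is a local path or stays on an allowed domain."""
    if not target or "\r" in target or "\n" in target:
        return False                      # empty, or Location-header injection characters
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, and friends
    if parts.netloc:                      # absolute or scheme-relative (//host) URL
        return host_allowed(parts.hostname, allowed_domains)
    # No host part: accept only an absolute path on this site. "//" would be
    # scheme-relative, and some browsers treat "\" as "/", so reject both.
    return target.startswith("/") and not target.startswith("//") and "\\" not in target


def redirect_chain(url):
    """Walk nested ru=/dest= parameters and return the sequence of hosts visited."""
    hosts = []
    seen = set()
    while url and url not in seen:        # `seen` guards against a self-referencing loop
        seen.add(url)
        parts = urlsplit(url)
        hosts.append(parts.hostname)
        params = parse_qs(parts.query)
        url = next((params[k][0] for k in REDIRECT_PARAMS if k in params), None)
    return hosts


def first_offsite_hop(url, allowed_domains=ALLOWED_DOMAINS):
    """Return the first host after the entry point that leaves allowed_domains, or None."""
    for host in redirect_chain(url)[1:]:
        if not host_allowed(host, allowed_domains):
            return host
    return None


# The post's link, reconstructed with the schemes the author removed; the phisher's
# address is replaced by the documentation-range address 203.0.113.5 (constructed).
PHISHING_LINK = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
    "&ru=http://servlet.ebay.com/ForumController"
    "?dest=http://203.0.113.5/.aw-cgi/eBayISAPI.dll/ebay/login.html"
)

if __name__ == "__main__":
    # The sign-in page's own ru value is on ebay.com, so a per-page check passes it...
    print(is_safe_redirect(parse_qs(urlsplit(PHISHING_LINK).query)["ru"][0]))
    # ...and only the ForumController, checking its dest parameter, can stop the last hop.
    print(redirect_chain(PHISHING_LINK))
    print(first_offsite_hop(PHISHING_LINK))
```

The point the chain walk makes is that the signin page was not wrong to accept a return URL on servlet.ebay.com; the hole was that the ForumController took its dest parameter on trust. Each endpoint that emits a Location header must run the same kind of check on the value it received.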


  1. noone
    August 2nd, 2005 at 00:03 | #1

    Everyone should go to the web site and fill in bogus info. The more bogus info, the more likely the asshole will stop doing it.

  2. August 2nd, 2005 at 00:26 | #2

    Wow! Did you bring this to eBay’s attention? This is very sneaky, and while I understand why they are passing the destination URL as a parameter (to send the user to the page where he was required to log in), I would never have imagined using it in a destructive way. These crackers have real brains; wish they would put them to good use.

  3. August 2nd, 2005 at 07:16 | #3

    I didn’t report this to eBay, because it doesn’t appear to be straightforward to do so. Their “security center” just steps you through and then helps you to verify if an email is legit.

    eBay has been hit by so many phishing scams that they have created a “message center” on their site and informed everyone that a real eBay communication will appear in your message center on eBay. If it’s not there, it’s not a real communication.

    Hopefully, eBay’s users are following that guidance.

  4. John Costello
    August 2nd, 2005 at 13:12 | #4

    amazon.com often forces you to log in twice in a session. Say, if you want to update your account information and then if you want to view the status of current orders, you’ll have to log in both times.

    Very frustrating.

  5. August 3rd, 2005 at 17:23 | #5

    FYI, this kind of vulnerability is called an “open redirect.”

    http://news.netcraft.com/archives/2005/05/12/antifraud_open_redirect_detection_service.html

  6. August 3rd, 2005 at 17:28 | #6

    [OT] [META] Hunh. Apparently WordPress doesn’t like underscores in URLs. Instead it thinks that URLs can be partly italicized.

  7. August 3rd, 2005 at 21:52 | #7

    Let’s just hope that ICANN doesn’t approve domain names with tags :)

    I have the Markdown plugin installed, and it’s possible that Markdown gets applied to comments as well as posts. [Here's a test](http://www.google.com) to find out.
