Sneaky eBay phishing

Aug 2, 2005 02:06 · 224 words · 2 minute read

I’ve seen lots of phishing scams, but this one is particularly clever and has a lesson for us folks developing web apps.

The email was formatted better than many phishing scams, but had the common fingerprint of “you need to update your account information”. Out of curiosity, I took a look at the link they were directing me to:

—–://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&ru=http://servlet.ebay.com/ForumController?dest=—-://217.159.171.237/.aw-cgi/eBayISAPI.dll/ebay/login.html

(I’ve yanked the https from the beginning so that no one accidentally gets caught from this site.)

At first, I was very confused. The link was actually going to eBay! Unless someone had hacked eBay’s DNS servers (not very likely), then signin.ebay.com is an eBay machine. The trick is this (http blocked out again):

dest=—-://217.159.171.237/

eBay’s signin page allows (or allowed, I didn’t try it) arbitrary redirection. So, you login on the real eBay page, and then get bumped over to the phisher’s site. On the plus side, the phisher will have to ask for your username/password again, because I’m pretty sure that eBay is not just going to send that along blithely to some random destination. Being forced to sign in twice is, well, fishy. I don’t know how many people would recognize that, though.

Moral of the story: if you’re implementing a signin page that uses redirects, which is a very common thing, make sure that you only ever redirect back to your own domain.
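The moral above, as an added example that is not part of the original post: a Python check for a post-login redirect parameter (the `ru`/`dest` value in the eBay URL) that only ever sends the browser back to the site's own hosts. The host names are assumed for the example; anything that fails the check falls back to the site root.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts we are willing to send the user to after sign-in.
# Constructed for this example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"signin.example.com", "www.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(ru: Optional[str]) -> str:
    """Return a post-login redirect target that stays on our own site."""
    if not ru:
        return DEFAULT_TARGET
    # Whitespace and control characters have no place in a redirect target;
    # they are a common way to make a parser and a browser disagree.
    if any(c.isspace() or ord(c) < 0x20 for c in ru):
        return DEFAULT_TARGET
    # Browsers treat a backslash like a forward slash in the authority part,
    # so "/\evil.test" becomes "//evil.test". Normalise before parsing so
    # the check sees what the browser will see.
    candidate = ru.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash, otherwise a
        # scheme-relative "//evil.test" or a bare "evil.test" could slip in.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return DEFAULT_TARGET

    # Absolute URL: only https to one of our own hosts, matched exactly, so
    # "www.example.com.evil.test" fails, and no userinfo, so
    # "www.example.com@evil.test" fails too.
    if parts.scheme.lower() != "https":
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
```

Allowing several hosts, as in the eBay URL where signin.ebay.com handed the user to servlet.ebay.com, means every one of those hosts needs the same check, or the chain is an open redirect again.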