clever eBay phishing attack

Looking through spam can be an awful chore but it can also be quite interesting. Today I found a scary eBay phishing attack – it is so good that even I might fall into this trap, on a bad day. Not from an E-mail, mind you – we're automatically more suspicious of links in E-mails – but if this link was on a website, or inside an eBay auction..?

Here is a screenshot of the HTML E-mail opened in Opera, showing the text and actual target of the link:

So it's a plain, old HTML link. The text is https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&CaseID#Suspension and the address it points to is http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert&ru=http://www.clasos.com/eBayISAPI.dll/index.php.

At first glance this link seems perfectly fine: it points to the signin.ebay.com server and even uses HTTPS, which is meant to be extra assurance that you'll get to the correct place or be warned. At second glance you might notice that the link address itself does not use HTTPS, and that the text of the link is shorter than the address. It still looks OK though, since the server name is correct.
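As an added illustration (this is not code from the original post, and it assumes nothing about how Opera or any mail client actually checks links), here is a small Python check that does what the screenshot lets a careful reader do by eye: it pulls every anchor out of an HTML mail body, compares the URL shown as link text with the real href, and flags a scheme downgrade, a host mismatch, and any query parameter that redirects to a different host. The sample mail body is constructed here from the two URLs quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an HTML mail body whose anchor text claims one URL
# while the href carries another (the two URLs quoted in the post).
SAMPLE_MAIL = (
    '<p>Your account is suspended. Sign in to resolve:</p>'
    '<a href="http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert'
    '&ru=http://www.clasos.com/eBayISAPI.dll/index.php">'
    'https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&amp;CaseID#Suspension</a>'
)


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return [(visible text, href), ...] for all anchors in an HTML body."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def link_warnings(text, href):
    """Return the reasons a link's visible text disagrees with where it goes.

    Only applies when the visible text is itself a URL; plain-word link text
    has nothing to compare against.
    """
    warnings = []
    shown = urlsplit(text)
    real = urlsplit(href)
    if not shown.scheme:
        return warnings
    if shown.scheme == "https" and real.scheme == "http":
        warnings.append("text promises https but href uses http")
    if shown.hostname != real.hostname:
        warnings.append("text host %r differs from href host %r"
                        % (shown.hostname, real.hostname))
    # A query parameter whose value is a URL on another host is the
    # open-redirect pattern: the trusted host forwards you elsewhere.
    for key, values in parse_qs(real.query).items():
        for value in values:
            target = urlsplit(value)
            if target.scheme and target.hostname and target.hostname != real.hostname:
                warnings.append("parameter %r redirects to %r" % (key, target.hostname))
    return warnings


if __name__ == "__main__":
    for text, href in extract_links(SAMPLE_MAIL):
        print(text, "->", href)
        for w in link_warnings(text, href):
            print("  WARNING:", w)
```

Run against the constructed mail it reports two warnings: the https-to-http downgrade and the `ru` parameter pointing at www.clasos.com. The host comparison alone would pass, which is exactly why this link is hard to spot.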

Clicking that link takes me to the expected eBay sign-in page. All safe and fine, still on the eBay server with encrypted communication. Your login details are encrypted and sent to eBay – and then eBay sees the "redirect URL" argument in the original query string. "ru=" is of course meant to take you back to the auction you were trying to bid on after the login, or something like that. However, the initial phishing link set "ru" to http://www.clasos.com/eBayISAPI.dll/index.php, so that's where you're sent after login, and it shows you this very familiar-looking page:

If you aren't alert enough to check the address bar again before trying to log in, you've been phished!

This means that pretty much any website with a "redirect" feature that accepts arbitrary URLs can be exploited in similar ways. It's not that hard for eBay to resolve this issue, but it's a slow task since they need to go through all scripts that can output redirect instructions and add checks that the redirect points to a valid page. Meanwhile I'm afraid this phish is going to catch more than a few users. It's so simple, and so clever.
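To show what "add checks that the redirect points to a valid page" looks like in practice, here is an added Python example (my own illustration, not eBay's code and not from the original post). The trusted host list is an assumption; the sign-in query string is the one quoted above. The unsafe version is the behaviour the post describes: whatever `ru` says is where the user goes. The safe version only returns a site-relative path or an absolute http(s) URL on a trusted host, and falls back to a default for everything else, including the scheme-relative, backslash and userinfo variants that naive host checks let through.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list for the site doing the redirect (hypothetical values;
# the post says nothing about which hosts eBay would accept).
TRUSTED_HOSTS = {"signin.ebay.com", "www.ebay.com"}


def unsafe_redirect_target(ru):
    """The pattern the post describes: 'ru' is trusted as-is."""
    return ru


def safe_redirect_target(ru, default="/"):
    """Return a destination that stays on a trusted host, or the default.

    Accepts only a site-relative path starting with a single '/', or an
    absolute http(s) URL whose host is in TRUSTED_HOSTS. Rejects
    scheme-relative URLs ('//evil'), backslash tricks, userinfo
    ('trusted@evil') and non-http schemes such as javascript:.
    """
    if not ru:
        return default
    # Browsers treat a backslash like a forward slash here; normalise first
    # so '/\evil' cannot slip past the '//' test below.
    ru = ru.replace("\\", "/")
    parts = urlsplit(ru)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return default
        if "@" in parts.netloc:
            return default
        if parts.hostname is None or parts.hostname not in TRUSTED_HOSTS:
            return default
        return ru
    # No scheme: must be a site-relative path, not a scheme-relative URL.
    if ru.startswith("//") or parts.netloc or not ru.startswith("/"):
        return default
    return ru


def resolve_login_redirect(query_string):
    """Pull 'ru' out of a sign-in query string and return where to send the user."""
    ru = parse_qs(query_string).get("ru", [""])[0]
    return safe_redirect_target(ru)


if __name__ == "__main__":
    phish = "SignInMCAlert&ru=http://www.clasos.com/eBayISAPI.dll/index.php"
    print("unsafe:", unsafe_redirect_target(parse_qs(phish)["ru"][0]))
    print("safe:  ", resolve_login_redirect(phish))
```

The exact-match host check matters: comparing with `endswith("ebay.com")` or `"ebay.com" in host` would accept `signin.ebay.com.clasos.com`, which is the same trick as the link text in this mail, just one level up.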

I used to think that Opera's new fraud warning feature was protection for newbies and less technical users. Looking at the tools and tricks the phishers use, I think anti-phishing might save even a power user like myself one day.


5 thoughts on “clever eBay phishing attack”

  1. My phishy warnings:
     - phishy email format (including generic greeting, request for personal information and the sense of urgency); it mentions "your registered name is included to show this message originated from eBay" :), was it really?
     - the forged link: surely the `Link alert` userjs will notify even the most tired user. EDIT: forgot that JS is not available for the email client
     - the procedure: so you login on eBay, and then you're redirected to login again? You look up at the address bar…

     Checking the padlock when logging in should be second nature. The wand's golden border on the login form elements should also comfort 😉

  2. Dan: power users are likely to know what distinguishes a scam E-mail. The scary thought is that the link might not be in an E-mail! Say I write a blog post complaining about my bike's light running down the battery too often, and somebody comments saying "Hey there, funny I should come across this now because I'm just running an eBay auction for my excellent bike parts. Here's a link: …". Making eBay itself send you to the scam site is still pretty clever.
