E-bay's sign-in server can assist phishers

jjncj.com

Monday, February 19. 2007

Posted by Joshua Kugler in geek at 13:54 | Comment (1) | Trackbacks (2)

E-bay's sign-in server can assist phishers

I came across an interesting phishing attempt the other day. I got an e-mail that wanted me to sign in to E-Bay for a "dispute resolution." The odd thing was, all the links actually went to E-Bay's sign in page. Well, that is odd for two reasons: 1) links in E-Bay e-mails don't usually link straight to the sign-in page (you are redirected there if you need to be signed in), and 2) if you are being "phished," the phishers don't link to the legitimate site. So, I investigated further and discovered that after you signed in on the legitimate sign-in page, it redirected you to the URL that the phisher had provided, which was a page that looked like the e-bay sign in page. It appears it was designed to convince you that you had mistyped your password and were being prompted again. This was especially scary for two reasons: 1) if you had checked the URL and the security certificate before you signed in, you might not check the second time and enter your information again, and 2) it was using E-Bay's own sign-in procedure to redirect you to a phishing page. I contacted E-Bay about this and suggested they lock down their redirector. They e-mailed me back the standard boiler-plate reply and said:

Thank you for writing to eBay regarding the email you received.

Emails such as this, commonly referred to as "spoof" or "phished"
messages, are sent in an attempt to collect sensitive personal or
financial information from the recipients.

The email you reported was not sent by eBay. We have reported this email
to the appropriate authorities.

In the future, be very cautious of any email that asks you to submit
information such as your credit card numbers or passwords. If you are
ever concerned about an email you receive from eBay, simply follow these
steps:

1. Open a new Web browser and type www.ebay.com into your browser
address field to go directly to the eBay site.

2. On eBay, sign into your account and click the "My eBay" button at the
top of the page.

3. Check the My Messages section located at the top of the My eBay page.
If an email affects your eBay account, it's now in My Messages. Any
email sent to your registered eBay email address from eBay or from
another eBay member via eBay's member-to-member communication system
will now appear in My Messages.


All very good advice, but it does not fix the problem that E-Bay's sign-in procedure can be used to catch people off guard and possible obtain their login credentials.

You can see an example of what happens by going to this link. After you sign in, you will be redirected back to this post.

I hope E-Bay fixes this soon.
Defined tags for this entry: , , , ,
Related entries by tags:
Job Hunting
Appreciating the money-saving efforts
Blogs are like e-mail addreses...
Tipping the hat
Linux to have even better uptime
Trackbacks
Trackback specific URI for this entry
E-bay listened!
After my post about E-Bay's sign-in server being used to assist phishers, there was no reponse forthcoming. However, the article was read a few hundred times by various people. Eventually, it seems, the right person read the post (or my original e-mail
Weblog: jjncj.com
Tracked: Mar 04, 06:44
I made the Register!
Izzy just alerted me to a 10-day old story on the tech news site "The Register" that points out the E-Bay hole I blogged about. I also blogged about the hole getting fixed.
Weblog: jjncj.com
Tracked: Mar 12, 07:58
Comments
Display comments as (Linear | Threaded)
Allowing a redirect to be setup prior to login is a very bad practice. Most financial sites have finally stopped doing that despite 'user conveniance' factor.

The best someone can do in the mean time is to only type in URLs to sensitive sites by hand/use book marks and not sign in following a link.

I would say amazon is also a major culprit in this with their refferal system.
#1 Vlad on 2007-02-24 01:40 (Reply)
Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications
 
 



Our Links

Calendar

Back December '18
Mon Tue Wed Thu Fri Sat Sun
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

The Good Blogs

I'm giving this a trial run. Right now, I'm only promoting Tech, Business, Venture Capital, and Auto categories, so hopefully the content will be pretty clean. If you see something that would not be in line with my standards of "family friendly," please contact me at once, and send along the URL of the offending article.

Technorati

Blog Information Profile for Pedahzur
Add to Technorati Favorites

Archives

Syndicate This Blog

Powered by

Serendipity PHP Weblog

Categories



All categories