I came across an interesting phishing attempt the other day. I got an e-mail that wanted me to sign in to E-Bay for a "dispute resolution." The odd thing was, all the links actually went to E-Bay's sign in page. Well, that is odd for two reasons: 1) links in E-Bay e-mails don't usually link straight to the sign-in page (you are redirected there if you need to be signed in), and 2) if you are being "phished," the phishers don't link to the legitimate site. So, I investigated further and discovered that after you signed in on the legitimate sign-in page, it redirected you to the URL that the phisher had provided, which was a page that looked like the e-bay sign in page. It appears it was designed to convince you that you had mistyped your password and were being prompted again. This was especially scary for two reasons: 1) if you had checked the URL and the security certificate before you signed in, you might not check the second time and enter your information again, and 2) it was using E-Bay's own sign-in procedure to redirect you to a phishing page. I contacted E-Bay about this and suggested they lock down their redirector. They e-mailed me back the standard boiler-plate reply and said:
Thank you for writing to eBay regarding the email you received.
Emails such as this, commonly referred to as "spoof" or "phished"
messages, are sent in an attempt to collect sensitive personal or
financial information from the recipients.
The email you reported was not sent by eBay. We have reported this email
to the appropriate authorities.
In the future, be very cautious of any email that asks you to submit
information such as your credit card numbers or passwords. If you are
ever concerned about an email you receive from eBay, simply follow these
steps:
1. Open a new Web browser and type www.ebay.com into your browser
address field to go directly to the eBay site.
2. On eBay, sign into your account and click the "My eBay" button at the
top of the page.
3. Check the My Messages section located at the top of the My eBay page.
If an email affects your eBay account, it's now in My Messages. Any
email sent to your registered eBay email address from eBay or from
another eBay member via eBay's member-to-member communication system
will now appear in My Messages.
All very good advice, but it does not fix the problem that E-Bay's sign-in procedure can be used to catch people off guard and possibly obtain their login credentials.
You can see an example of what happens by going to this link. After you sign in, you will be redirected back to this post.
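The hole described above is an open redirect on the sign-in page: after a successful login the server sends the browser to whatever return URL the link supplied, so a phisher can chain the real login page into a fake one. The snippet below is an added example of my own (not E-Bay's code, and not taken from the original post) showing the unchecked redirect beside a version that only follows the return URL when it resolves to an allow-listed host over https. The host list, the landing page path and the phishing hostnames are constructed for the example; only www.ebay.com appears on this page.

```python
from urllib.parse import urlsplit, urljoin, urlunsplit

# Constructed for this example: hosts the sign-in page may send a user to
# after login, and where to send them if the return URL fails validation.
ALLOWED_HOSTS = {"www.ebay.com", "signin.ebay.com"}   # signin.ebay.com is assumed
SITE_ORIGIN = "https://www.ebay.com"
DEFAULT_LANDING = "https://www.ebay.com/myebay"        # path is assumed


def vulnerable_post_login_redirect(return_url: str) -> str:
    """Behaves like the redirector described in the post: the browser is
    sent wherever the link that brought the user to the sign-in page said."""
    return return_url


def safe_post_login_redirect(return_url: str) -> str:
    """Follow return_url only if it is a path on this site or an https URL
    on an allow-listed host; otherwise fall back to a fixed landing page."""
    if not return_url:
        return DEFAULT_LANDING

    # Browsers treat backslashes as slashes in the authority part, so
    # "/\phish.example" would be read as "//phish.example". Normalise first
    # so the check below sees what the browser would see.
    candidate = return_url.replace("\\", "/")

    # Resolve against this site's origin: an ordinary "/path" stays on this
    # site, a protocol-relative "//phish.example/..." resolves to the
    # attacker's host, and an absolute URL is kept as given.
    resolved = urljoin(SITE_ORIGIN, candidate)
    parts = urlsplit(resolved)

    # Reject anything that is not https (this also drops javascript: and
    # other non-http schemes, which urljoin passes through untouched).
    if parts.scheme != "https":
        return DEFAULT_LANDING

    # "https://www.ebay.com@phish.example/" parses the real site name as
    # userinfo and phish.example as the host; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_LANDING

    # Exact host match: "www.ebay.com.phish.example" is not on the list.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING

    # Rebuild from the parsed pieces so no port, userinfo or fragment
    # oddities from the original string survive into the Location header.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample of a phisher's return URL, as in the post.
    phish = "https://phish.example/ebay-signin"
    print("vulnerable ->", vulnerable_post_login_redirect(phish))
    print("hardened   ->", safe_post_login_redirect(phish))
    print("hardened   ->", safe_post_login_redirect("/myebay"))
```

The safe version deliberately falls back to a fixed page rather than trying to "clean" a bad URL; a redirect parameter that the site cannot account for is not worth honouring. If a site needs to send users off-host after login (partner sites, for instance), the right fix is an allow list like the one above or an opaque token that maps to a server-side URL, never a pattern match on the string.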
I hope E-Bay fixes this soon.
After my post about E-Bay's sign-in server being used to assist phishers, there was no response forthcoming. However, the article was read a few hundred times by various people. Eventually, it seems, the right person read the post (or my original e-mail
Tracked: Mar 04, 06:44
Izzy just alerted me to a 10-day old story on the tech news site "The Register" that points out the E-Bay hole I blogged about. I also blogged about the hole getting fixed.
Tracked: Mar 12, 07:58