Slashdot Mirror


eBay Scrambles to Fix Phishing Bug

Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. "The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.""

131 comments

  1. In other news... by Anonymous Coward · · Score: 1, Insightful

    In other news, ex-hacker warns that social engineering (aka end-user profound dumbness) is the most serious security flaw of computer systems.

    1. Re:In other news... by Anonymous Coward · · Score: 0
      Offtopic? no.

      The article is about ebay scrambling to fix something that could be used in social engineering.

      ex-hacker warns that social engineering ... is the most serious security flaw of computer systems.


      Steps to moderating:
      1) READ
      2) THINK
      3) THINK SOME MORE
      4) Moderate
    2. Re:In other news... by Anonymous Coward · · Score: 0

      slashdot editor gets the sack for making 5 dupes in 2 months

    3. Re:In other news... by Anonymous Coward · · Score: 0
    4. Re:In other news... by ScrewMaster · · Score: 1

      Yes, but remember that some number of moderators are in the parent poster's class of "profoundly dumb" users.

      --
      The higher the technology, the sharper that two-edged sword.
  2. outlook! NOT GOOD by thundercatslair · · Score: 1, Funny

    I lost $100 because I thought it was ebay.

    1. Re:outlook! NOT GOOD by Anonymous Coward · · Score: 0

      A fool and his money...

    2. Re:outlook! NOT GOOD by BrianGa · · Score: 1

      This is Outlook's fault?

    3. Re:outlook! NOT GOOD by CammieCrookston · · Score: 1

      Will soon party!

  3. Not the first time by KingOfTheNerds · · Score: 2, Insightful

    This is not the first time this has happened to a huge company; in the summer of 2002 Amazon had a similarly large security hole. Can consumers trust large companies anymore? I think so, but you are always taking your chances with security. Sometimes companies become so large that things get easily overlooked.

    --
    Want to learn about anything sexual? Check out the sex wiki:
    1. Re:Not the first time by scsscs · · Score: 1

      This is not a large security hole, it's not even a medium sized security hole.

    2. Re:Not the first time by lonb · · Score: 2, Insightful
      "Can consumers trust large companies anymore?"
      This is exactly the type of nonsensical question that frightens would-be ascenders of the technology curve. First of all it begs the question, "large companies" versus who? Small companies? Do you think small companies are any more capable of defending themselves against attacks? Or even doing the type of advanced testing that can be done by a large company with large-company resources?

      If not, are you then suggesting no one should do business at all? Obviously that is out the window. So what's the point here?

      Large companies, online, are leading the way towards advanced web applications that are changing the way we live our lives and conduct business. And as the MS defector implied in his blog, web applications are living software. Changing in (almost) real-time to meet the needs of the market and security/functionality needs.

      --
      "Ain't I a stinka..." - Bugs
  4. Phishing EBay by BrianGa · · Score: 2, Interesting

    Can anyone enlighten me as to the benefit of phishing for EBay accounts? Assuming the ultimate goal is profit, what can the attacker really do with one, as long as the EBay account information isn't the same as the Paypal?

    1. Re:Phishing EBay by X0563511 · · Score: 5, Insightful

      Lots of people use the same password for everything. If i were to net a bunch of Ebay account passwords, i could stand a decent chance of getting into the paypal accounts of at least a few of them.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Phishing EBay by rednip · · Score: 2, Informative

      Conducting fraudulent auctions with your "good name", buying stuff and then not paying for it with your "good name". Many people depend on seller and buyer ratings and reports for clues as to how much to trust someone. It can be so valuable that some people have set up businesses in Ebay which capitalize on their good seller's reputation.

      --
      The force that blew the Big Bang continues to accelerate.
    3. Re:Phishing EBay by Anonymous Coward · · Score: 0

      I'd say that the primary benefit would be to hijack an account that already has a high feedback rating. It's much easier to scam bidders when you've got a feedback rating of 10,000 positive comments!

    4. Re:Phishing EBay by wotevah · · Score: 2, Informative

      As in my previous post, page two of the fake website asks for credit card. Since the sheep never wonder why a certain piece of private information is "required" on a form, I bet a lot of people actually filled that in too.

    5. Re:Phishing EBay by Bozzio · · Score: 1

      This doesn't make sense! If this was the reason, then tracing the thief would only be a matter of determining the mailing information! The buyer would need to physically pick up the goods at one point or another.

      --
      I just pooped your party.
    6. Re:Phishing EBay by KiloByte · · Score: 1

      I guess that if you knocked on the first door in a bad part of your town, a helpful soul would help you for a small cut.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Phishing EBay by John+Miles · · Score: 4, Informative

      Um, no, that's the whole thing... there aren't any goods to mail.

      The idea is, I use your account to post an auction for an expensive piece of equipment with a glowing description stolen from another successful auction, photos courtesy of Google Image Search, and a Buy It Now price around 20% of retail. The victim hits the BIN button and, at my request, sends me a Western Union transfer to pay. That's the last anyone hears from me.

      Typically this scam is operated from Internet cafes in Eastern European countries with twentieth-century technology and twelfth-century ethics.

      --
      Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
    8. Re:Phishing EBay by MerlinTheWizard · · Score: 1

      Don't assume that every hacking attempt has financial profit as a goal. Don't even assume that they always have a goal at all. Most of the time, just hacking "something big" is a nice endeavor in itself for the average hacker joe, or even for a bunch of them. Being able to "shake the big tree" is a power trip.

    9. Re:Phishing EBay by dleifelohcs · · Score: 1

      I could, for example, list an automobile for sale. The ebay fees on an automobile alone would cost the lister a decent amount of money. Maybe there is no money in it for me (Mr. Joe Phisher) but I can screw a bunch of people over pretty easily.

    10. Re:Phishing EBay by dotgain · · Score: 1
      It's you!?! I'm going to get you, you bastard!

      Can you tell me more about the cafes? From your description so far I've narrowed it down to about 100,000 of them, can you give me any more clues?

    11. Re:Phishing EBay by Esion+Modnar · · Score: 1
      ...operated from Internet cafes in Eastern European countries...

      I checked the domain registration of ws-confirm.info; it said that the registrant was one Lenka Mackova, in Tucker, GA.

      Phonebook search turned up a Lenka Mackova in SC. And the IP addresses for ws-confirm.info appeared to belong to yahoo.com.

      Probably no connection... you can't trust whois info anyway. But ws-confirm.info still tries to redirect me to signin.ebay.com.

      --

      They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
    12. Re:Phishing EBay by Anonymous Coward · · Score: 0

      Can you tell me more about the cafes? From your description so far I've narrowed it down to about 100,000 of them, can you give me any more clues?

      My understanding is that Romania in particular is, like, crazy-wired. It's apparently up there with South Korea and other places that have benefited from serious Internet infrastructure investments. Unfortunately, a lot of stereotypes have some basis in reality, and it does appear that the dark side of Gypsy culture has discovered eBay.

  5. That's the problem with e-mail correspondence. by Sheetrock · · Score: 4, Insightful
    Companies are so quick to doll up their e-mails with the latest HTML -- images, links, and tables -- that their customers are getting used to using e-mail as a portal to company sites.

    It should be a text-only medium, period. No attachments, no graphics, no opportunity to get someone to click before they think.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:That's the problem with e-mail correspondence. by ThomasFlip · · Score: 1

      Maybe for an ultra paranoid administrator it should, but email is used by regular everyday people who send photos, videos, files etc... and probably don't give two shits of a damn about bullet proof security. I can see your point, but I think the solution to that would be a completely separate software package designed strictly for primitive communications (Not something the public is interested in).

      --
      If the dollar is an "I owe you nothing", then the Euro is a "Who owes you nothing." - Doug Casey
    2. Re:That's the problem with e-mail correspondence. by Anonymous Coward · · Score: 1, Insightful

      I thought the SCO lawsuit was the dumbest thing to ever be suggested, but then I read your post. Jesus H. Christ, what a stupid thing to say. Do you shake your rake at the neighborhood kids on their skateboards, old man? Hey, I have another idea that you might like, how about we just get rid of links altogether on the Internet, that way no phishing can ever happen! Perhaps in your lonely and cold little crevice under the bridge somebody might even disallow all images on web pages, that way there can be no question about the source of information. I have another idea. Why don't you put on some pants, get off the chair, and go look for another pale, misshapen fucktard to date! Yeah!

    3. Re:That's the problem with e-mail correspondence. by CammieCrookston · · Score: 1

      I wonder if we could convince Microsoft to write an addon to Outlook Express that converts embedded gifs into ascii art before the email gets sent? Now that is something I could get behind.

    4. Re:That's the problem with e-mail correspondence. by Sheetrock · · Score: 1
      Perhaps in your lonely and cold little crevice under the bridge somebody might even disallow all images on web pages, that way there can be no question about the source of information.

      You'll be wanting to set your web browser to allow images from the originating server only if you've seen some of the abuses of <IMG SRC ...> I have. Unless you don't mind a malicious individual building some "interesting" web browsing history for you when you visit a public forum that lets anyone post images as part of their messages.

      --

      Try not. Do or do not, there is no try.
      -- Dr. Spock, stardate 2822-3.

    5. Re:That's the problem with e-mail correspondence. by Anonymous Coward · · Score: 0

      Heh. I'm always a little hesitant to visit otherwise work-safe Photoshop contest threads on Fark for that very reason.

    6. Re:That's the problem with e-mail correspondence. by magiluke · · Score: 1

      That's absolutely right!

      I actually got about 7 of these fake e-mails from ebay. My instinct told me that they were fake, even though they took me to ebay's website.

      The way I managed to figure out that they were fake was to go to ebay.com and try to find the page linked. When there was no mention at all of the linked page anywhere, I knew it was a fake. Just to make sure, I sent it to spoof@ebay.com, and they said it was fake!

      Anyway, I'd suggest this method for following any links in any e-mail. I feel much safer doing it =)

      --
      -Magiluke

      Earl Grey, Hot.

    7. Re:That's the problem with e-mail correspondence. by Anonymous Coward · · Score: 0

      Only on Slashdot would something so Luddite get moderated up.

      There are a lot of problems with 80-column fixed width text for email, the main one being the inability to separate form from content, something even basic HTML can do.

      If people were forced to use a 1983 terminal compatible format for their email, they would quickly use something with a lot more potential for flash and pizazz.

      The real problem is that email has no real authentication. If emails were, by habit, digitally signed, phishes would be a lot harder to pull off.

    8. Re:That's the problem with e-mail correspondence. by kurzweilfreak · · Score: 1

      I can just imagine the viagra and cU/\/\ E471ng l0n3ly h0u23\/\/1f3 ads now... in new ascii art! u = 8==D hA haHA lolomfgwtfmatebbq!!11111ten u wif ci_a11is = 8========================D

      --

      kurzweil_freak

      5th Kyu Genbukan Ninpo/KJJR student

      Be the darkness that allows the light to shine.

    9. Re:That's the problem with e-mail correspondence. by JudgeFurious · · Score: 1

      For everyone it should. They're just "regular everyday people" and don't give two shits about security (never mind bullet proof security) right up until that moment when they call and say "I think I might have clicked something bad".

      Fucktards. They deserve it. They don't deserve to have ultra paranoid administrators coming along behind them trying to clean up the mess they make. I've long complained about the balancing act we have to do trying to keep things secure at my place of employment but our management insists (I mean that, they literally insist) on being able to send anything and everything via email. They listen to nothing they're told by the people they pay to know about their network. Hell they'd keep every single mail message ever sent to them if we let them. The initial buttmonkey who set up Exchange 5.5 here never bothered to place any limits on their mailbox size. The database had to reach 16GB and shut us down before they would even consider letting us limit their mailbox size and even then it was like pulling teeth just getting these lazy fuckers to drag their mail from the inbox to a personal folder.

      I hate users. I want them all dead. They slowly suck your brains out over time and I dread working here long enough to get that stupid.

      They should be given text only email with a 256 character limit. No fuck that, they shouldn't even get that. They'd find some way to screw that up too.

      Stick and a clay tablet. That's the ticket.

      --
      Appended to the end of comments you post. 120 chars.
    10. Re:That's the problem with e-mail correspondence. by kurzweilfreak · · Score: 1
      bah, that's what I get for not previewing first :-\ Shoulda been:

      I can just imagine the viagra and cU/\/\ E471ng l0n3ly h0u23\/\/1f3 ads now... in new ascii art!

      u = 8==D hA haHA lolomfgwtfmatebbq!!11111ten

      u wif ci_a11is = 8========================D

      --

      kurzweil_freak

      5th Kyu Genbukan Ninpo/KJJR student

      Be the darkness that allows the light to shine.

    11. Re:That's the problem with e-mail correspondence. by 28481k · · Score: 1

      Without users, you lose your job as you're the administrator of the computing system in the office!

      I understand the paranoia of administrators and how annoying those viruses, trojans, scams can be, but you know people simply don't care about security and resources on computer unless they are directly because they think that nothing could happen to them! Just accept as it is, always educate people about the potential dangers, and ask for a holiday to see it crashes if they didn't follow your ideas. :)

      (OK, the last sentence is intended to be funny. That would be the best to lose your job!)

      --
      28481k
    12. Re:That's the problem with e-mail correspondence. by maiden_taiwan · · Score: 1

      You think that text-only email would prevent people from being fooled online? Let me introduce you to a fellow named Dave Rhodes....

  6. While my article might not have prevented this by MichaelCrawford · · Score: 2, Informative
    Use Validators and Load Generators to Test Your Web Applications is likely to help you find a lot of problems with your web software, and some of those problems would be security holes.

    It is Free Documentation, under the GNU FDL.

    It's at GoingWare's Bag of Programming Tricks.

    --
    Request your free CD of my piano music.
  7. Scrambling? by Ulric · · Score: 5, Interesting
    Maybe they are scrambling, but it sure seems like it is still working:

    http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/

    That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.

    1. Re:Scrambling? by Anonymous Coward · · Score: 1, Informative

      Hey! What a coincidence! I just *just* got a fishing attack at my yahoo.com email.

      Here's the email, minus where the URL actually goes to:

      eBay NewYears User Agreement Update

      It's that time of year again! With 2005 now upon us, we have updated the eBay user agreement. As a result of the update, your account will be restricted until you have followed the link below and reconfirmed your contractual agreement with eBay. We apologize for any inconvience as a result of the update, but as a large e-commerce entity we are required to receive an updated agreement at the beginning of each year.

      After agreeing to the contract linked below, please feel free to check out some of the new auction styles for 2005. eBay now features pre-set auction details making selling easier than ever! Simply have eBay find your item, and it will present you with a preset information block regarding your product.

      Here at eBay, we are constantly working harder to make your auctions this year better then ever. We will be continuously adding features to improve your eBay experience like never before, and your eBay account is a first row seat to the action! So dont let your account expire, update your settings today, its a simple process, and will only take a few moments. All accounts not verified by March 30, 2005, will be subject to deactivation, and it may be required to register again to continue using eBay services.

      To update your account now, please follow the link below, validate your information, and confirm your acceptance of the updated agreement.

      https://signin.ebay.com/ws/eBayISAPI.dll?UpdateAgreement

      Copyright © 2004 eBay Inc. All Rights Reserved.
      Designated trademarks and brands are the property of their respective owners.
      eBay and the eBay logo are trademarks of eBay Inc.
      eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.

    2. Re:Scrambling? by derek_m · · Score: 2, Informative
      Scrambling isn't even a slightly valid description.

      It's been exploited in phishing attempts since at least Feb 16th: http://lists.surbl.org/pipermail/discuss/2005-February/004192.html

      Quite why they thought running an open redirector was a good idea is anyone's guess.

    3. Re:Scrambling? by Anonymous Coward · · Score: 0

      Er, i don't see a redirect in that URL.

    4. Re:Scrambling? by Ulric · · Score: 3, Informative
    5. Re:Scrambling? by ericspinder · · Score: 3, Informative

      Ok, I'm not your parent poster, but I got it too. He didn't re-add the link, which was lost in the paste https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F62.193.211.236%2FeBayISAPI.php&pageType=1883, and it still works! Just for the really incredibly stupid... this is the Phishing attack. The page is a valid Ebay sign in page, but the action will send you to the phisher's site. I'm not sure what they do there, I'd guess that they just say that your password was invalid and to try again. Anyone got a throw away Ebay account they would like to try on it?

      --
      The grass is only greener, if you don't take care of your own lawn.
    6. Re:Scrambling? by Anonymous Coward · · Score: 0

      My employer (can't say who, but you've probably done business with us) has had open redirectors exposed for years. The problem was reported to our internal security group at least a year ago. Security wanted to fix it, but like ebay, if it were fixed it would break a thousand different things, the existence of half of which have been forgotten.

      These things are all over the internet, too; Yahoo, for example, has had at least three different ones open for ages and has openly declined to fix them.

      It's not that difficult to fix -- just use HMAC authentication on the URL -- but to do it you have to find every legitimate reference and either add it to a list of exceptions or add the HMAC hash. For a big company with a large sprawling technical infrastructure, that can be near impossible until the cost of abuse rises above the cost of breaking things.

    7. Re:Scrambling? by Anonymous Coward · · Score: 0

      I deliberately didn't post the link. I was thinking I would only be compounding the problem if I started spreading the link around.

    8. Re:Scrambling? by Adam9 · · Score: 2, Informative

      The problem is that there is no throwaway Ebay account since they require a checking account and/or credit card to create your Ebay account.

    9. Re:Scrambling? by Anonymous Coward · · Score: 0

      OK, I know this is completely unrelated to the ebay phish problem, but I have been having problems with Pathetic Writer in Fedora Core Three. My problems are:

      * PW doesn't seem to see a proportional font. This causes any non-courier font to look ugly in the PW window.

      * There are problems with PW hanging or crashing.

      I've tried both the Xaw and the Xaw3d toolkits; same problem in both versions.

      Right now, there just isn't a usable Microsoft Wordpad replacement for Linux without at least one incredibly frustrating bug that makes the software nigh-to-unusable for me. AbiWord 2.x has problems with extremely slow scrolling times; AbiWord 1.x (which, while having ugly fonts, didn't have this problem) barely compiles after much fiddling and doesn't run at all on FC3; OpenOffice (both 1.1.x and the 2.0 beta) has problems with changing the font to this ugly default font if I hit the right arrow or down arrow key at the end of the document; PW has problems as described above.

      Maybe Ted won't have all these problems.

    10. Re:Scrambling? by Anonymous Coward · · Score: 0

      I stupidly clicked that link and my browser automatically signed me in because it thought it was an ebay login. I immediately changed my ebay pass but now i also have to go around and change my other passes that were the same =/

    11. Re:Scrambling? by novakyu · · Score: 1
      Anyone got a throw away Ebay account they would like to try on it?

      When I type in a correct password (tried it first with an _incorrect_ password), this is what I get:

      404 Not Found:

      The requested URL /eBayISAPI.php was not found on this server.

      And "this server" is, 62.193.211.236.

      Now, only if there's a way to figure out who their ISP is and alert them about this phishing scheme....

      PS. Of course, I changed my password immediately afterwards. I'm stupid, but not _that_ stupid.

    12. Re:Scrambling? by BrianGa · · Score: 1

      They didn't when I joined in 1997.

    13. Re:Scrambling? by Anonymous Coward · · Score: 0
      PS. Of course, I changed my password immediately afterwards. I'm stupid, but not _that_ stupid.

      Not that stupid?!? What if the first thing the phishing web site does is log in as you and change your password? At the very least, it would be inconvenient trying to get it reset.

    14. Re:Scrambling? by Anonymous Coward · · Score: 0

      Thank you Mr. Jim Nelson of 2204 Roanoak Lane, Bartlesville, CN, Our keylogger is functioning perfectly and thank you for the account information. Have a nice day.

    15. Re:Scrambling? by imroy · · Score: 1

      I've never had a credit card in my life and I signed up with eBay (Australia) probably a year or so ago. PayPal probably wants your CC though.

    16. Re:Scrambling? by Anonymous Coward · · Score: 0

      It seems you have found something there.

      That IP points to jialinda.com and belongs to some guy in france (according to whois). The hosting company is matrix-comm.biz. That company hosts over 13500 domains according to http://www.webhosting.info/webhosts/reports/MATRIX-COMM.BIZ, but has no website itself. The only meaningful entry in google points to Casablanca as headquarters.

      It seems some group in Algeria is after some serious money.

    17. Re:Scrambling? by pruss · · Score: 1

      I got an email with one of these urls at least a week ago or more. I can't believe this is taking them so long to fix. Surely it can't take more than a couple of hours to put together a white list of domains.

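The fix described two ways in this thread, the HMAC-authenticated URL one commenter proposes and the domain whitelist pruss asks for, as one added example that is not eBay's code. The endpoint shape follows the RedirectToDomain/DomainUrl URL quoted in the thread; the signing key, the allowlist and the partner/attacker hostnames are constructed for the demonstration.

```python
"""Closing an open redirector: host allowlist plus HMAC-signed targets.

Added example, not eBay's code.  The endpoint shape is modelled on the
RedirectToDomain/DomainUrl URL quoted in the thread; the signing key,
the partner/attacker hostnames and the allowlist below are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "https://cgi4.ebay.com/ws/eBayISAPI.dll"
SECRET_KEY = b"constructed-demo-key-rotate-me"   # server-side secret (constructed)
ALLOWED_DOMAINS = ("ebay.com", "paypal.com")     # constructed allowlist

# Constructed sample requests: one staying on-site, one pointing off-site.
ON_SITE_LINK = ENDPOINT + "?MfcISAPICommand=RedirectToDomain&DomainUrl=http://signin.ebay.com/"
PHISH_LINK = ENDPOINT + "?MfcISAPICommand=RedirectToDomain&DomainUrl=http://attacker.example/eBayISAPI.php"


def open_redirect(request_url):
    """The flaw: forward to whatever DomainUrl says, no questions asked."""
    return parse_qs(urlsplit(request_url).query)["DomainUrl"][0]


def target_host(url):
    """Hostname of an absolute http(s) URL, or None for anything else.

    urlsplit().hostname lowercases and drops the port and any user:pass@
    prefix, so a credential-bearing or scheme-relative URL cannot pass
    itself off as one of our hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def is_allowed_host(host, allowed=ALLOWED_DOMAINS):
    """Exact domain or a subdomain of it; 'ebay.com.example' does not match."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def sign_target(target, key=SECRET_KEY):
    """HMAC-SHA256 over the exact target string, hex-encoded."""
    return hmac.new(key, target.encode(), hashlib.sha256).hexdigest()


def build_redirect_link(target, key=SECRET_KEY):
    """What the site itself embeds in its own mail: target plus signature."""
    return ENDPOINT + "?" + urlencode({"MfcISAPICommand": "RedirectToDomain",
                                       "DomainUrl": target,
                                       "sig": sign_target(target, key)})


def resolve_redirect(request_url, key=SECRET_KEY, allowed=ALLOWED_DOMAINS):
    """Hardened handler: (True, target) to follow, (False, reason) to refuse.

    Own-domain targets pass on the allowlist; anything else needs a valid
    signature, i.e. it must be a link this site generated itself."""
    qs = parse_qs(urlsplit(request_url).query)
    target = qs.get("DomainUrl", [None])[0]
    sig = qs.get("sig", [None])[0]
    if target is None:
        return False, "no DomainUrl"
    host = target_host(target)
    if host is None:
        return False, "target is not an absolute http(s) URL"
    if is_allowed_host(host, allowed):
        return True, target
    # compare_digest on bytes: constant-time and safe for any client input
    if sig is not None and hmac.compare_digest(sig.encode(), sign_target(target, key).encode()):
        return True, target
    return False, "off-site target without a valid signature"


if __name__ == "__main__":
    print("naive :", open_redirect(PHISH_LINK))       # follows the phisher's URL
    print("strict:", resolve_redirect(PHISH_LINK))    # refused
    signed = build_redirect_link("https://partner.example/promo")
    print("signed:", resolve_redirect(signed))        # followed
    forged = signed.replace("partner.example", "attacker.example")
    print("forged:", resolve_redirect(forged))        # refused: signature no longer matches
```

The trade-off the thread's commenter raises is visible in `build_redirect_link`: every legitimate off-site link has to be regenerated with a signature, which is the migration cost a sprawling site pays for turning the redirector off.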
  8. It's not a bug by Anonymous Coward · · Score: 1, Funny

    It's a pheature.

  9. In other news... by Anonymous Coward · · Score: 5, Funny
  10. Working hard to stop fraud? by Cylix · · Score: 3, Interesting

    Maybe they changed their stance.

    Not too long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.

    Long story short, it didn't take place on eBay, but originated through a compromised users account. In the end, eBay was fairly useless for help because they had the option to not deal with it.

    If they were serious about working hard to stop this activity they could be a bit more pro-active.

    Now, I'm not damning them completely, not so long ago I had someone disappear after a transaction. It took a few weeks to get my money back, but in the end the issue was resolved.

    They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.

    Otherwise, an alright service, but plagued with problems any high profile commerce site would suffer.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  11. i received some spam by Anonymous Coward · · Score: 0

    for a purported ebay site wanting me to logon & etc...

    i never use fleabay (ebay) so it was deleted unopened since i figure since i dont use ebay it had to be a "spam scam"...

    1. Re:i received some spam by Anonymous Coward · · Score: 0

      Well aren't you clever...

  12. Recommended Reading: Quality Web Systems by MichaelCrawford · · Score: 1
    I haven't read it yet, but its review at the Association of C and C++ Users says it's good. It emphasizes the importance of validating any data received over the network, especially not to trust it.

    [ Buy at Powell's City of Books]

    --
    Request your free CD of my piano music.
  13. Outlook Settings by wasted · · Score: 1

    Outlook (like many mail clients) displays HTML by default, which makes it easier to hide redirects.

    I have my email client at home (Kmail) set to Text instead of HTML. It makes it easier to spot redirects and such, so phishing schemes are more obvious.

    I don't use Outlook, so I don't know if it can be set to Text view for incoming messages. It would be very helpful for someone to post the steps needed to set Outlook for text view.

    1. Re:Outlook Settings by Anonymous Coward · · Score: 0

      You can't. There is a "text" setting in 2003, but it just flattens the HTML rather than showing you the text/plain part.

    2. Re:Outlook Settings by Almost-Retired · · Score: 1

      Likewise, kmail to the rescue.

      I have rx'd probably 50 of these ebay phishing messages here. I forwarded the first couple of them to abuse at ebay, but never got a bounce or a reply other than the usual boilerplate, and came to the conclusion that officially, they could care less.

      So why are they now, damned near 6 months later, finally admitting it?

      --
      Cheers, Gene

    3. Re:Outlook Settings by Anonymous Coward · · Score: 0

      Dear Retard, They're not "admitting" to a previously known phishing scheme -- they have made their customers aware of the problem for a long time. The article, if you'd bother to read it or the summary, clearly states that there's a flaw in ebay's own system that is opening the door for phishing.

    4. Re:Outlook Settings by MightyMartian · · Score: 1
      Pah! I use Pine. All you guys with your smancy-fancy GUI email programs in which you have to turn HTML rendering off.

      Who was the first moron to put HTML in mail clients? He deserves to rot in hell with those screwballs at M$ who gave Internet Mail and News the ability to post HTML Usenet messages.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:Outlook Settings by Storlek · · Score: 2, Interesting
      I wouldn't be so sure of Pine's security just because it doesn't handle HTML:
      Warning: The pine software has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as users on the local system, by the action of sending a specially-prepared email. All such known problems have been fixed, but the pine code is written in a very insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. You install pine at your own risk.
      -- http://freebsd.active-venture.com/handbook/mail-agents.html#PINE-COMMAND

      Who was the first moron to put HTML in mail clients?

      I don't know for sure, but to hazard a guess, I think it might have been America Online. I remember seeing AOL e-mail with pretty (read: "annoying") colors on AOL before anyone else was doing it.

      I'm not a net.historian by a long shot, though, so you should probably take that with a spoonful of salt. Google helpfully returns practically every page on the net when searching for "html" so it's fairly difficult to find anything of relevance.
      --
      Bears don't normally eat things that talk and move backwards.
    6. Re:Outlook Settings by CaptainZapp · · Score: 1
      I forwarded the first couple of them to abuse at ebay

      You know I tried the same with the first couple phishing mails that I apparently received from banks with exactly the same result.

      It's not that you would expect to get a personal thank you visit by their CIO, but at least something like an acknowledgement would indicate that they are at least interested.

      What does that tell you? In all likeliness your bank doesn't give a flying fuck if you are ripped off. It's not their money and hassle after all.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

  14. I found it last week by ericspinder · · Score: 3, Informative
    Got in as spam in my old honey pot, and I had a hard time sending to the company, as I didn't want to sign into their system to do it.

    Finally I tried abuse@ebay, that sent back an automated reply and in that reply, I found the email spoof@ebay.com

    I doubt if I'm the only person who found that scam, but I am glad that they seem to be taking action.

    --
    The grass is only greener, if you don't take care of your own lawn.
  15. GPG by SamMichaels · · Score: 4, Interesting

    Not just for ebay...but for everyone. Allow users to download the GPG key from inside their account and sign all the legit email.

    I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.

    1. Re:GPG by Anonymous Coward · · Score: 0

      It's too bad you didn't take any steps to legitimize your own shady rip-off business, eh Sam?

      For the uninformed:

      http://www.dc.bbb.org/report.html?national=Y&compid=70003493

      This guy ripped off who knows how many people, and yet he still has a set on him big enough to show his face in public.

  16. About time... by SCSi · · Score: 2, Interesting

    I believe ebay has known about this for a while but sat on it for some unknown reason: SURBL List gave first warning. Took them almost a month, not bad.

    1. Re:About time... by ryanjensen · · Score: 2, Informative
      I reported this to spoof@ebay.com months ago when I first received it. I included my opinion that running an open redirect is utterly stupid and useless (why the hell would they do this anyway?). I received no response, as expected, but I am dismayed to see that the exploit is still available.

      Ryan

    2. Re:About time... by herbierobinson · · Score: 1

      I reported it a couple of weeks ago, too. It makes for a damn tricky phishing exploit. The URL has ebay.com in it, but had parameters further along that redirected it. They also obfuscated the redirect target by using escape characters. I might have been caught by it if they hadn't sent it to an e-mail address that only spammers use.

      --
      An engineer who ran for Congress. http://herbrobinson.us
    3. Re:About time... by Basje · · Score: 1

      I did send a mail too, on feb 6th, to abuse@ebay.com. In it I said: "This phishing uses a real ebay URL to seem legitimate". All I got was an automated response telling me to take several steps to report it to them.

      When I received that, I dropped it. I wanted to report it, because I recognised the threat, but I don't want to jump through several hoops just to please them. Reporting to abuse@ is doing them a service. Some activity on their side is the least to expect.

      --
      the pun is mightier than the sword
  17. spoof@ebay.com not as useful as it could be by John+Miles · · Score: 3, Informative

    Annoyingly, my ISP (Speakeasy) has stopped allowing its customers to forward phishing emails to spoof@ebay.com.

    They are doing content filtering on outgoing mail, which is something I really wish they wouldn't do. I have no idea what aspect of the message triggers the filter, but any attempt to forward an HTML phishing mail without converting it to plaintext first (and losing the href fields that would allow eBay to shut down the phishing sites) yields "Server Response: '554 message permanently rejected, you may have a virus (#5.3.0)'."

    All attempts to communicate my displeasure to Speakeasy's support department have met with the usual language barrier (I speak English, they speak Moronese). I simply could not find a way to convince them that I wasn't having trouble sending email in the general case. If anybody from Speakeasy is reading this, it would be nice if they got the clue bat after whoever implemented this filter. Customers need to be able to opt out of all content filters, both incoming and outgoing.

    --
    Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
    1. Re:spoof@ebay.com not as useful as it could be by Tony-A · · Score: 1

      You can laugh or you can cry. Somehow laughing's better, or at least I thought so.

      Anybody's attempts to make the "internet safe" are going to be fairly ineffective at best. In this situation, you are willing to go to a little bit of trouble to try to put a stop to it. The phishers and other malware creators are willing to go to a lot more trouble to ensure it keeps on coming.

      There's a reason that Linux comes off as being much more secure than Microsoft Windows. Microsoft tries to reassure its users that everything is safe when there is no way that it can be. As Microsoft tightens things up, it just means that the malware producers will have to work a bit harder.

    2. Re:spoof@ebay.com not as useful as it could be by imroy · · Score: 1

      Sounds like they've set up a virus/spam filter on their outgoing email as well as incoming. The upside and goal is to stop viruses and spam being sent out by their clients. The downside, as you demonstrate, is that the same system stops these types of emails from being forwarded to people who can do something about these fraudulent emails. One wonders how/why you received the email in the first place, but you can't forward it. Bizarre.

      Does eBay have a web form where you can input emails instead of forwarding them? My other suggestion would be to get a webmail account (Yahoo, Gmail, even Hotmail) and use that to forward the emails. Just hope they don't have similarly configured filters :)

    3. Re:spoof@ebay.com not as useful as it could be by John+Miles · · Score: 1

      I don't know if they do any incoming filtering or not; I don't use my @speakeasy.net account for anything. There are definitely no viruses in the mail, just classical phishing content (eBay logos and such). They are just naively assuming that anyone who sends that type of traffic is either a criminal or a spam zombie.

      I didn't try to forward it to my Hotmail or GMail accounts, because I assumed that Speakeasy's SMTP server would still refuse to accept the message. eBay does have web forms, but they're buried in a maze of twisty links that takes all day to navigate, and I'm only willing to go to so much trouble to help them with their security issues.

      --
      Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
  18. Legal liability for eBay? by PornMaster · · Score: 1

    At what point does enabling fraud get to the point of legal liability?

  19. Scam link by wotevah · · Score: 2, Informative

    The link in the scam email eventually redirects to this IP address in France, *after* ebay verifies your login. Incidentally, the one I received came through a server in Korea.

    http://62.193.217.91/eBayISAPI.php

    Page two asks for your credit card, which answers the questions about the benefits of ebay phishing.

    1. Re:Scam link by boa13 · · Score: 1

      The link in the scam email eventually redirects to this IP address in France, *after* ebay verifies your login.

      The server is hosted by amen.fr, a company specializing in cheap hosting that does not have an especially bad name. It is likely that things are very automated there, and that it is possible for someone to sign up for an account, pay some money, host the scam for a couple of weeks, gain much more money this way, and then run away.

      I was a bit surprised to see this scam is done from France, because once someone files a lawsuit, there's a rather good chance the culprit is found. There's certainly plenty of countries where setting up such a fraud is safer. However, come to think of it, as long as nobody files anything, the culprit doesn't have to worry much. Since the emails and pages are in English, there are fewer chances that French people are defrauded and go to justice because of that.

      Anyway, I've just sent a polite email to amen.fr, asking them to at least close the offending web site. Hope this helps.

  20. SELF-SERVING SPAMMER by Anonymous Coward · · Score: 0

    The links are irrelevant. The fact that it is under GNU FDL doesn't make it any more relevant. And to put it in your sig so you can spam for a book store with your referrer id later on... desperate.

  21. SELF-SERVING SPAMMER by Anonymous Coward · · Score: 0

    See here.

  22. I am a shameless link whore, in fact, but... by MichaelCrawford · · Score: 1
    ... that doesn't mean my article is irrelevant. If you actually read it, you would see why it will likely help the web application programmers reading this story who wonder what eBay's problems might mean for their own businesses.

    --
    Request your free CD of my piano music.
    1. Re:I am a shameless link whore, in fact, but... by Anonymous Coward · · Score: 0
      How does a validator or a load generator help find security holes?

      Totally irrelevant to this story, mang.

  23. My advice... by wotevah · · Score: 5, Insightful

    ...has always been to never click on emailed links pertaining to anything important, especially banking and such.

    Bookmark all the financial sites you use, and whenever you receive emails with such "friendly" links, use your bookmark instead, to log in to the site. If it was important, you will see it on the next page there.

    I never click on the links even when I know they are legit (to avoid forming a habit).

    1. Re:My advice... by nilbog · · Score: 1

      Too bad mothers of the world don't read slashdot and find helpful tips like this...

      --
      or else!
    2. Re:My advice... by EnronHaliburton2004 · · Score: 1

      Too bad banks of the world don't read Slashdot to find helpful tips like this.

    3. Re:My advice... by tomstdenis · · Score: 1

      Can't bookmarks be inserted via jscript/activex?

      I'd say go further [this relies on trusting your DNS and installed CA certs] just type the URL manually. They're usually short and it can save you a lot of hassle.

      Tom

      --
      Someday, I'll have a real sig.
  24. How is that wrong? by MichaelCrawford · · Score: 1
    Did you read the review of the book at the ACCU? I learned about it because I might get some contract work writing web applications, and wanted to brush up.

    I posted the book because I felt it would be genuinely useful to the people reading this story.

    If you're such a hero, why don't you log in under your real name, like I do.

    --
    Request your free CD of my piano music.
    1. Re:How is that wrong? by Anonymous Coward · · Score: 0

      The only reason you're logging in under your real name is so that you can whore your link out in your sig, you stupid advertiser piece of shit. Go fuck yourself, and take your ads with you.

  25. page two by Anonymous Coward · · Score: 0
    1. Re:page two by Anonymous Coward · · Score: 0

      Use these test CC numbers, it'll pass the luhn check on the site and make them waste time processing the CC number. Apparently whatever processor they're using (it takes more time when you enter a test number than a random bad number, so some processing is happening) is set to test mode, so it appears that they're taking them.

      4111111111111111
      5555555555554444
      378282246310005
      6011111111111117
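
The Luhn check the reply above refers to, as an added Python example that is not part of the thread: it is a mod-10 checksum that payment forms use to catch mistyped digits, so a number passing it proves nothing about whether a card exists, which is exactly why the public test numbers listed above pass. The list of numbers is copied from the comment and labelled as sample input; the function names are my own.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Spaces are tolerated as grouping; any other non-digit fails the check.
    """
    compact = number.replace(" ", "")
    if not compact.isdigit() or len(compact) < 2:
        return False
    total = 0
    # Walk from the rightmost digit. Every second digit is doubled, and a
    # two-digit product is folded back to one digit (d*2 - 9 == digit sum).
    for position, char in enumerate(reversed(compact)):
        digit = int(char)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


# Sample input: the well-known payment-processor test numbers quoted in the
# comment above. They pass the checksum but are not issued card numbers.
TEST_NUMBERS = [
    "4111111111111111",
    "5555555555554444",
    "378282246310005",
    "6011111111111117",
]


def validate_all(numbers):
    """Map each candidate to its Luhn result, for a quick form-validation self-test."""
    return {n: luhn_valid(n) for n in numbers}


if __name__ == "__main__":
    for number, ok in validate_all(TEST_NUMBERS).items():
        print(f"{number}: {'passes' if ok else 'fails'} Luhn")
```

A single wrong digit or a transposition of adjacent digits changes the checksum, so a form that applies this check rejects typos before anything is sent to a processor; it is a usability check, not an authentication step.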

  26. I get phishing emails everyday - eBay and PayPal by Anonymous Coward · · Score: 0

    I tried to email both companies but they don't make it easy to report these security problems.

    they suck and i won't be using PayPal or ebay anymore

  27. Hooray for eBay and c|net - or not? by Lars+T. · · Score: 1
    Google-Translated Heise Newsticker article from March 1st.

    c|net: The problem [...] could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site, the representative said.
    Heise: The emails, pretending to come from eBay, have been circulating on the net since February 12th. eBay was informed about it, but has not reacted so far.

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    1. Re:Hooray for eBay and c|net - or not? by DiD+Roe · · Score: 1, Insightful
      That just seems really stupid. I mean, all it would take is to temporarily remove the redirect feature from the code, or put a couple of regular expressions in there to only allow their hostnames to be used.

      It would take literally 2 minutes for them to fix this.

  28. Got these by Anonymous Coward · · Score: 0

    I get around 3-5 of these e-mails (from "ebay") a day. They tell me that there is a problem with my billing account or something like that. They want me to go and "change" my credit card number. But the best part about it is that I have never ever shopped at ebay.

    ~Alan

  29. As soon as they were notified, and failed to act by MichaelCrawford · · Score: 1
    I think the thing to do at this point is to find someone who suffered actual damages, and help get a lawsuit started.

    Maybe with an expensive lawsuit, and I expect only with a lawsuit, will eBay and their partner-in-crime, PayPal, start paying attention to security.

    --
    Request your free CD of my piano music.
  30. By exposing bugs, you ninny! by MichaelCrawford · · Score: 1
    Most security holes aren't simple dumbshit design flaws like the ebay redirector, but programming errors like the failure to check boundary conditions.

    --
    Request your free CD of my piano music.
    1. Re:By exposing bugs, you ninny! by Anonymous Coward · · Score: 0
      Oh boy! Yes, validators and load generators sure will help expose those!

      Can you post a list of sites you may have worked on? I'd like to avoid them.

  31. taking things personally by Anonymous Coward · · Score: 0

    You are taking things a bit too personally. What happened, did you just recommend your company to "enrich the user experience" by sending friendly multimedia messages to your customer base and are now afraid it wouldn't bode too well if your boss sees this ?

    1. Re:taking things personally by Anonymous Coward · · Score: 0

      Didn't I tell you to put some pants on, little girl? Crawl back under that bridge! Why don't you tell us your real name so we can make sure you don't ever get another job in the technology business. Dipshit. You can be the new postertroll for Trojans instead.

  32. Fraud by Sycraft-fu · · Score: 1

    One way to try and scam some money out of people is to pretend to sell something on eBay, and never deliver. SOP is for the buyer to pay before the seller ships the item, so it can work.

    Now the thing is, if your reputation sucks, nobody will do that for bigger ticket items. Some scammers pump their rating up by buying lots of small things, but people look for that now. So, if you manage to get a password for an account that has a long, real history on eBay, you can use it to scam people. They look at the feedback, see a reputable person, and get duped.

  33. Saw this a week ago. by Dan+East · · Score: 1

    I received one of these over a week ago. It caught my eye more than the other phishing attempts because, after looking at the html, it did indeed send me to *.ebay.com. However deep in the url was a redirect to an IP address. They are using some mechanism within ebay itself to redirect traffic to other sites.

    So this exploit has been in use for a long time (relatively speaking) for the vulnerability to still be unpatched.

    Dan East

    --
    Better known as 318230.
  34. The biggest problem by sheppos · · Score: 2, Interesting

    Is that ebay don't care. I've forwarded various emails like this to abuse, webmaster and postmaster and received completely unhelpful automated replies. I've been to the customer service pages on the site and emailed them... To receive completely unhelpful automated replies. Long story short - they don't care, I don't trust them.

    1. Re:The biggest problem by /dev/trash · · Score: 1

      Yes, they should hire one guy to write personal emails to everyone who sends mail to postmaster@ebay.com.

    2. Re:The biggest problem by sheppos · · Score: 1

      Yes, sorry I'm wrong, they should just ignore everyone. Thanks fsck I don't do business with you.

    3. Re:The biggest problem by /dev/trash · · Score: 1

      You should do business with me, I'd answer your questions personally and without a form letter.

      Don't shoot the messenger, Ebay is a faceless Corporation.

  35. Phishers don't have international support. by ThreeDayMonk · · Score: 1

    I get them too. I do, however, use eBay, but the Belgian site, so anything that doesn't come from ebay.be is fake. In addition, as all my legitimate eBay emails come in French, it's very easy to spot a phish.

    These phishers really need to get their acts together and start supporting international users. There's a whole untapped market out there!

    --
    If your comment title says 'Re: Foo', I'm not likely to read it.
  36. scrambles? by Hohlraum · · Score: 1

    I got one of those url redirector trojans like 1.5 months ago. How is that scrambling if it's just in the news right now? :)

  37. This was reported a while ago by hairykrishna · · Score: 3, Insightful
    I'm a powerseller on UK eBay. This exploit was reported in the powerseller forum a couple of weeks ago.

    Seems that they're only 'scrambling' now there is media attention.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  38. not hard by tomstdenis · · Score: 1

    I recently [and despite my best thoughts on the matter] signed up for PayPal.

    I get dozens of "paypal" emails a day. Occasionally some ARE legit.

    I *NEVER* click on ANY links in emails for things like paypal/gmail/etc. [And yes, I'm smart enough to actually hover on the link to see the url or just see the source].

    You want to go to eBay? Simply type

    "http://www.ebay.com"

    in your browser location bar... want to log in to PayPal? Type

    "https://www.paypal.com"

    If you get a "notice" from "paypal" just log in and see your account first hand...

    In other words, don't be stupid and just randomly enter your password in sites asking for "updates"...

    That and the quality of phishes is very low. I'd say a good majority don't use SSL [though they put SSL padlocks on the page] and quite a few have HTML errors [like missing images or malformed layouts]. ...

    Tom

    --
    Someday, I'll have a real sig.
    1. Re:not hard by fireheadca · · Score: 4, Insightful

      In otherwords don't be stupid and just randomly enter your password in sites asking for "updates"...

      For some phishes, I take the time to log in with fake IDs and passwords making sure to insult the scumsucking bastards. Then I do a network lookup on them and try to email the corresponding ISP. Very easy to do and protects others.

      Vigilantism at its best! Everyone do the same.

    2. Re:not hard by v1 · · Score: 1

      That method is completely ineffective if you are using a PC that's fallen to a hole in IE that lets in malware (there are many) that tweaks your HOSTS file to point www.paypal.com to some IP address in Austria.

      This technique is currently used more by adware companies, to redirect google.com and so forth to their banner pages, but the phishers are using it too.

      --
      I work for the Department of Redundancy Department.
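
A detection counterpart to the HOSTS-file trick described in the reply above, as an added Python example that is not from the thread or from any product: it parses a hosts file and flags watched financial domains that have been pinned to anything other than a loopback or unspecified (0.0.0.0) address, which is the shape of an ad-blocker sinkhole rather than a pharming override. The sample file, the watched-domain list and the 203.0.113.45 address (a documentation range) are constructed for the example; on a real machine the input would be the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a hosts file. The last entry has the shape of a
# pharming override: a real site's name pinned to an attacker-chosen address.
SAMPLE_HOSTS = """\
# hosts file (constructed sample for this example, not a real machine's file)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example                 # ad-blocker sinkhole, harmless
203.0.113.45    www.paypal.com paypal.com   # watched site pinned to a foreign IP
"""

# Registrable domains whose resolution should never be overridden locally
# (hypothetical watch list; extend it with whatever your users log in to).
WATCHED_DOMAINS = ("paypal.com", "ebay.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per name, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                # one address, many names
            pairs.append((fields[0], name.lower()))
    return pairs


def is_watched(name: str, watched=WATCHED_DOMAINS) -> bool:
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_overrides(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Watched hostnames mapped to anything but a loopback/unspecified address.

    Loopback and 0.0.0.0 entries are the normal shape of blocklists, so only
    entries that send traffic to a real address are reported.
    """
    hits = []
    for addr_text, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            hits.append((addr_text, name))     # unparseable address: let a human look
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((addr_text, name))
    return hits


if __name__ == "__main__":
    for addr, name in suspicious_overrides(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr}")
```

Running this from a scheduled job and alerting on any non-empty result catches the override regardless of which malware wrote it; the same logic applies to a saved copy of the file during an incident review.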
  39. Each day, more and more people reads slashdot ... by GNUALMAFUERTE · · Score: 1

    The slashdot effect is going to disappear.
    It's just that no one actually RTFAs.

    Thanx, i'm here all week.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  40. hit a nerve, eh ? by Anonymous Coward · · Score: 0

    haha

  41. sad for customers but.. by Stanneh · · Score: 0

    I'm very sad for eBay users who might be affected by this, but seriously, I am OVERjoyed with this news to hear that eBay are actually getting up off their fat asses and doing something.

    --
    I Predict A Riot
  42. misspelling by Anonymous Coward · · Score: 0

    Not on Firefox, and at any rate, even on IE I don't think they can do more than just "add a bookmark". If I bookmarked my sites I know where they sit in the list, and are probably in a category like "Financials" or something. JS-added bookmarks probably sit at the end of the list so it would be quite obvious.

    I'd do that rather than risk misspelling/not remembering the URL which might happen if I have to type it less often.

    1. Re:misspelling by tomstdenis · · Score: 1

      I actually use the autocomplete of moz to type in addresses ;-) but I can see how something like typing "paypla.com" or something could be exploited.

      Tom

      --
      Someday, I'll have a real sig.
  43. Ebay Idiocy by fireheadca · · Score: 2, Interesting
    I was sent an e-mail from ebay:

    PASSWORD POLL

    When I create a password for any of my online accounts, I use:
    let me check, it's written beside my computer
    a combination of upper & lower case letters and numbers
    the same password for all my accounts
    the name of my child/pet/spouse/secret crush
    some variation on my name or user ID
    a random word from the dictionary
    123456 or abcdef
    the word "password"

    After contacting Customer Support I was informed that it was legit. !!!!

    I tried numerous times to point this out but Customer service with ebay can sometimes be a struggle. I take it they assume everybody is an idiot.

    Even Ebay Phishes. Go figure.
  44. Last year, when they upgraded their Boards... by saskboy · · Score: 1

    eBay left a forum Admin tool accessible to the Web, and several, if not hundreds, of users' personal information such as their address, phone number, and Board violations were accessible to people with the correct URL to view this information.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  45. Off-topic: Pathetic Writer by Ulric · · Score: 1
    • If you installed from source using all defaults, the fonts will be defined by the file /usr/local/share/Mowitz/fonts.txt. If the file can't be found or lists fonts that don't exist, some ugly default font will be used. I'm guessing that FC3 doesn't have the fonts PW expects. You can use xlsfonts (if that's included with FC3) to find out.
    • PW shouldn't hang or crash. I haven't released anything since 2003, but it Works For Me (tm) on the latest Slackware. I use it mostly to view Word files that colleagues insist on sending, not much for editing.
  46. EBAY FRAUD NON-SECURITY OVER 3 MONTHS LATE by spyware+scams_suck · · Score: 1
    From the article, The problem, described by the company as a "software bug," could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site,

    HELLO??!! This HAS ALWAYS BEEN KNOWN ON THE SOAPBOX FORUM ON EBAY EVER SINCE NOVEMBER OF 2004. THE ONLY DIFFERENCE IS EBAY HASN'T BROADCAST/ACKNOWLEDGED IT PUBLICLY UNTIL NOW.

    THANX FOR NOTHING EBAY!! I'M GLAD I ALREADY WARNED MY OWN PEOPLE!!

    --
    * weedshare.com 50% to artists, webjay.org iuma.com CDBaby.com Epitonic.com ampcast.com
  47. At Least a Month Old by ewhac · · Score: 3, Interesting
    I sent a note to eBay's fraud/abuse feedback channel about this on January 30th. So they can't claim they only just now found out about it.

    Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)

    _________________________________

    email header:
    from aw-confirm@ebay.com sun jan 30 14:42:29 2005

    email body:
    <html>
    <body>

    dear ebay community member,<br><br>
    <!--uee-->
    it has come to our attention that your ebay billing information records
    are out of date.<br>
    that requires you to update the billing information if you could please
    take 5-10 minutes out of your online experience and update your<br>
    billing records, you will not run into any future problems with ebay's
    online service.<br>
    however, failure to update your records will result in soon account
    termination. once you have updated your account records, your ebay<br>
    session will not be interrupted and will continue as normal. failure to
    update will result in cancellation of service, terms of service<br>
    (tos) violations or future billing problems.<br><br>

    to update and login to your ebay account, click on the link
    below:<br><br>
    <!--xr-->
    <a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=3dredirecttodomain&domainurl=3dhttp%3a%2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%32%2fupdatecenter%2flogin%2f%3fmfcisapisession%3daajbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstpaisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrferhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/</a><br>

    <br>

    thank you for using ebay!<br><br>

    **this is no-reply message. please do not reply to this email, as you
    will receive no response**
    <!--i36-->
    </body>
    </html>

    ------=_nextpart_000_0068_01c44e5d.dbc9229e--

    message: if i'm interpreting the url in the message correctly, it looks
    like you have a vulnerable redirector running somewhere. if so, you'll
    probably want to fix that.

    the above appears to be redirecting to the ip address 211.233.38.72,
    which 'whois' says is in korea.

    schwab

    --_----------=_9502205623000--

    ------=_nextparttm-000-25ddf14b-7467-4642-9e0d-8cafc918baf3--
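
The open redirect this thread is about, as an added Python example that is neither from the thread nor eBay's code: it does the triage step the forwarded mail above describes by hand (decoding the percent-encoded domainurl parameter to recover the real destination host, 211.233.38.72), and it shows the allow-list check a hardened redirector would apply, which is the "only allow their hostnames" fix proposed in the reply under the Heise comment. Assumptions: the href is embedded in its quoted-printable form as pasted (so "=3d" must be undone first) with the session token truncated; the parameter name is matched case-insensitively because the pasted mail was lower-cased; and the policy allows only ebay.com and its subdomains.

```python
import quopri
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the href from the phishing mail quoted above, still in
# quoted-printable form ("=3d" is QP for "="); the session token is truncated.
PHISH_HREF_QP = (
    "http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=3dredirecttodomain"
    "&domainurl=3dhttp%3a%2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%32"
    "%2fupdatecenter%2flogin%2f%3fmfcisapisession%3daajbaqqzehaaemwzlhhlwxs2"
)

# Hypothetical policy for a hardened redirector: only these registrable
# domains (and their subdomains) are acceptable redirect targets.
ALLOWED_DOMAINS = ("ebay.com",)


def qp_decode(text: str) -> str:
    """Undo the mail's quoted-printable transfer encoding ('=3d' -> '=')."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def fully_unquote(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    target (e.g. %253a for ':') cannot slip past a single-pass check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_redirect_target(url: str) -> Optional[str]:
    """Return the decoded 'domainurl' parameter of a redirector URL, or None.

    Parameter names are compared case-insensitively (assumption: the pasted
    mail was lower-cased; the live parameter may be capitalised).
    """
    params = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
    values = params.get("domainurl")
    if not values:
        return None
    return fully_unquote(values[0])


def target_host(target: str) -> Optional[str]:
    """Hostname the victim would actually land on after the redirect."""
    return urlsplit(target).hostname


def is_allowed_redirect(target: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Allow-list check a safe redirector applies before issuing the 302."""
    parts = urlsplit(fully_unquote(target))
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data: and scheme-relative //host
    host = parts.hostname
    if not host or "@" in parts.netloc or "\\" in parts.netloc:
        return False  # rejects userinfo tricks like http://www.ebay.com@evil/
    # Suffix match on a dot boundary, so www.ebay.com.evil.example fails.
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(href_qp: str) -> dict:
    """Report what a phishing-mail href really does, for an abuse report."""
    target = extract_redirect_target(qp_decode(href_qp))
    return {
        "target": target,
        "host": target_host(target) if target else None,
        "would_be_allowed": is_allowed_redirect(target) if target else False,
    }


if __name__ == "__main__":
    for key, value in triage(PHISH_HREF_QP).items():
        print(f"{key}: {value}")
```

Matching on the whole URL with a regular expression is where redirector fixes usually go wrong; parsing the decoded target and comparing the hostname on a dot boundary is what makes the check hold against double encoding, userinfo prefixes and look-alike suffixes.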

  48. Re:not hard - MOD UP by Anonymous Coward · · Score: 0

    for those of us who have no karma!!!!!!

  49. eBay could do more by Cacadril · · Score: 1
    I once almost fell victim to a phishing attack by foolishly clicking on a link in a mail. Fortunately I discovered that the url in the browser did not point to ebay.com.

    I forwarded the email to ebay and got an automated response giving some advice. The advice was neither accurate nor as good as it could be.

    They said they would never request a user password in an email. That is probably right, but it does not address emails linking to web sites. eBay's web site does ask for a password, and so do the bogus sites.

    It also gave the advice to always open a new browser, and type http://ebay.com/ in the url field. This is not bad, but by failing to tell why, you can be sure that a large fraction of the users will not understand the importance and meaning of this advice. They will click on email links and believe they have arrived at the same site the advice would take them, and continue from there.

    There is a link at the bottom of the eBay home page titled "Security center". At the bottom of that page there is a link "Deterring identity theft", and that page repeats more or less the advice in the message I got. It says prominently "Never reply to emails that ask for personal information." It says nowhere "Never click a link in an email," which would be far more appropriate. They don't mention fraudulent web sites with a word on that page.

    I think eBay is making a very lousy effort to educate their users. Likely some marketing people have told them that if they place warnings prominently on the first page, more people will get the message that eBay trading is dangerous than from the occasional reports in the press about people who have been victimized. It seems to me that eBay gives zero weight to the suffering of the victims and all importance to their profit.

    Regards.

    --
    There is no substitute for common sense. Especially, no body of rules will do.