Slashdot Mirror
eBay Scrambles to Fix Phishing Bug
Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. "The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.""
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPIComm and=RedirectToDomain&DomainUrl=http://siag.nu/
That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.
Maybe they changed their stance.
Not to long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.
Long story short, it didn't take place on eBay, but originated through a compromised users account. In the end, eBay was fairly useless for help because they had the option to not deal with it.
If they were serious about working hard to stop this activity they could be a bit more pro-active.
Now, I'm not damning them completely, not so long ago I had someone disappear after a transacation. It took a few weeks to get my money back, but in the end the issue was resolved.
They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.
Otherwise, an alright service, but plagued with problems any high profile commerce sight would suffer.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Not just for ebay...but for everyone. Allow users to download the GPG key from inside their account and sign all the legit email.
I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.
Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)
_________________________________
email header:
from aw-confirm@ebay.com sun jan 30 14:42:29 2005
email body:
<html>
<body>
dear ebay community member,<br><br>
<!--uee-->
it has come to our attention that your ebay billing information records
are out of date.<br>
that requires you to update the billing information if you could please
take 5-10 minutes out of your online experience and update your<br>
billing records, you will not run into any future problems with ebay's
online service.<br>
however, failure to update your records will result in soon account
termination. once you have updated your account records, your ebay<br>
session will not be interrupted and will continue as normal. failure to
update will result in cancellation of service, terms of service<br>
(tos) violations or future billing problems.<br><br>
to update and login to your ebay account, click on the linki sapicommand=3dredirecttodomain&domainurl=3dhttp%3a %2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%3a jbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstp aisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrfe rhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/ </a><br>
below:<br><br>
<!--xr-->
<a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfc
2%2fupdatecenter%2flogin%2f%3fmfcisapisession%3da
<br>
thank you for using ebay!<br><br>
**this is no-reply message. please do not reply to this email, as you
will receive no response**
<!--i36-->
</body>
</html>
------=_nextpart_000_0068_01c44e5d.dbc9229e--
message: if i'm interpreting the url in the message correctly, it looks
like you have a vulnerable redirector running somewhere. if so, you'll
probably want to fix that.
the above appears to be redirecting to the ip address 211.233.38.72,
which 'whois' says is in korea.
schwab
--_----------=_9502205623000--
------=_nextparttm-000-25ddf14b-7467-4642-9e0d-8 cafc918baf3--
Editor, A1-AAA AmeriCaptions