eBay Scrambles to Fix Phishing Bug

Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. "The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.""

  1. Not the first time by KingOfTheNerds · · Score: 2, Insightful

    This is not the first time this has happened to a huge company; in the summer of 2002 Amazon had a similarly large security hole. Can consumers trust large companies anymore? I think so, but you are always taking your chances with security. Sometimes companies become so large that things get easily overlooked.

    --
    Want to learn about anything sexual? Check out the sex wiki:
    1. Re:Not the first time by lonb · · Score: 2, Insightful
      "Can consumers trust large companies anymore?"
      This is exactly the type of nonsensical question that frightens would-be ascenders of the technology curve. First of all it begs the question, "large companies" versus who? Small companies? Do you think small companies are any more capable of defending themselves against attacks? Or even doing the type of advanced testing that can be done by a large company with large company resources?

      If not, are you then suggesting no one should do business at all? Obviously that is out the window. So what's the point here?

      Large companies, online, are leading the way towards advanced web applications that are changing the way we live our lives and conduct business. And as the MS defector implied in his blog, web applications are living software. Changing in (almost) real-time to meet the needs of the market and security/functionality needs.

      --
      "Ain't I a stinka..." - Bugs
  2. Phishing EBay by BrianGa · · Score: 2, Interesting

    Can anyone enlighten me as to the benefit of phishing for EBay accounts? Assuming the ultimate goal is profit, what can the attacker really do with one, as long as the EBay account information isn't the same as the Paypal?

    1. Re:Phishing EBay by X0563511 · · Score: 5, Insightful

      Lots of people use the same password for everything. If I were to net a bunch of Ebay account passwords, I could stand a decent chance of getting into the paypal accounts of at least a few of them.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Phishing EBay by rednip · · Score: 2, Informative

      Conducting fraudulent auctions with your "good name", buying stuff and then not paying for it with your "good name". Many people depend on seller and buyer ratings and reports for clues as to how much to trust someone. It can be so valuable that some people have set up businesses in Ebay which capitalize on their good seller's reputation.

      --
      The force that blew the Big Bang continues to accelerate.
    3. Re:Phishing EBay by wotevah · · Score: 2, Informative

      As in my previous post, page two of the fake website asks for credit card. Since the sheep never wonder why a certain piece of private information is "required" on a form, I bet a lot of people actually filled that in too.

    4. Re:Phishing EBay by John+Miles · · Score: 4, Informative

      Um, no, that's the whole thing... there aren't any goods to mail.

      The idea is, I use your account to post an auction for an expensive piece of equipment with a glowing description stolen from another successful auction, photos courtesy of Google Image Search, and a Buy It Now price around 20% of retail. The victim hits the BIN button and, at my request, sends me a Western Union transfer to pay. That's the last anyone hears from me.

      Typically this scam is operated from Internet cafes in Eastern European countries with twentieth-century technology and twelfth-century ethics.

      --
      Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
  3. That's the problem with e-mail correspondence. by Sheetrock · · Score: 4, Insightful
    Companies are so quick to doll up their e-mails with the latest HTML -- images, links, and tables -- that their customers are getting used to using e-mail as a portal to company sites.

    It should be a text-only medium, period. No attachments, no graphics, no opportunity to get someone to click before they think.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.
  4. While my article might not have prevented this by MichaelCrawford · · Score: 2, Informative
    Use Validators and Load Generators to Test Your Web Applications is likely to help you find a lot of problems with your web software, and some of those problems would be security holes.

    It is Free Documentation, under the GNU FDL.

    It's at GoingWare's Bag of Programming Tricks.

    --
    Request your free CD of my piano music.
  5. Scrambling? by Ulric · · Score: 5, Interesting
    Maybe they are scrambling, but it sure seems like it is still working:

    http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/

    That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.

    1. Re:Scrambling? by derek_m · · Score: 2, Informative
      Scrambling isn't even a slightly valid description.

      It's been exploited in phishing attempts since at least Feb 16th: http://lists.surbl.org/pipermail/discuss/2005-February/004192.html

      Quite why they thought running an open redirector was a good idea is anyone's guess.

    2. Re:Scrambling? by Ulric · · Score: 3, Informative
    3. Re:Scrambling? by ericspinder · · Score: 3, Informative

      Ok, I'm not your parent poster, but I got it too. He didn't re-add the link, which was lost in the paste https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F62.193.211.236%2FeBayISAPI.php&pageType=1883, and it still works! Just for the really incredibly stupid... this is the Phishing attack. The page is a valid Ebay sign in page, but the action will send you to the phisher's site. I'm not sure what they do there, I'd guess that they just say that your password was invalid and to try again. Anyone got a throw away Ebay account they would like to try on it?

      --
      The grass is only greener, if you don't take care of your own lawn.
    4. Re:Scrambling? by Adam9 · · Score: 2, Informative

      The problem is that there is no throwaway Ebay account since they require a checking account and/or credit card to create your Ebay account.

  6. In other news... by Anonymous Coward · · Score: 5, Funny
  7. Working hard to stop fraud? by Cylix · · Score: 3, Interesting

    Maybe they changed their stance.

    Not too long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.

    Long story short, it didn't take place on eBay, but originated through a compromised user's account. In the end, eBay was fairly useless for help because they had the option to not deal with it.

    If they were serious about working hard to stop this activity they could be a bit more pro-active.

    Now, I'm not damning them completely, not so long ago I had someone disappear after a transaction. It took a few weeks to get my money back, but in the end the issue was resolved.

    They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.

    Otherwise, an alright service, but plagued with problems any high profile commerce site would suffer.

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  8. I found it last week by ericspinder · · Score: 3, Informative
    Got in as spam in my old honey pot, and I had a hard time sending to the company, as I didn't want to sign into their system to do it.

    Finally I tried abuse@ebay, that sent back an automated reply and in that reply, I found the email spoof@ebay.com

    I doubt if I'm the only person who found that scam, but I am glad that they seem to be taking action.

    --
    The grass is only greener, if you don't take care of your own lawn.
  9. GPG by SamMichaels · · Score: 4, Interesting

    Not just for ebay...but for everyone. Allow users to download the GPG key from inside their account and sign all the legit email.

    I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.

  10. About time... by SCSi · · Score: 2, Interesting

    I believe ebay has known about this for a while but sat on it for some unknown reason: SURBL List gave first warning. Took them almost a month, not bad.

    1. Re:About time... by ryanjensen · · Score: 2, Informative
      I reported this to spoof@ebay.com months ago when I first received it. I included my opinion that running an open redirect is utterly stupid and useless (why the hell would they do this anyway?). I received no response, as expected, but I am dismayed to see that the exploit is still available.

      Ryan

  11. spoof@ebay.com not as useful as it could be by John+Miles · · Score: 3, Informative

    Annoyingly, my ISP (Speakeasy) has stopped allowing its customers to forward phishing emails to spoof@ebay.com.

    They are doing content filtering on outgoing mail, which is something I really wish they wouldn't do. I have no idea what aspect of the message triggers the filter, but any attempt to forward an HTML phishing mail without converting it to plaintext first (and losing the href fields that would allow eBay to shut down the phishing sites) yields "Server Response: '554 message permanently rejected, you may have a virus (#5.3.0)'."

    All attempts to communicate my displeasure to Speakeasy's support department have met with the usual language barrier (I speak English, they speak Moronese). I simply could not find a way to convince them that I wasn't having trouble sending email in the general case. If anybody from Speakeasy is reading this, it would be nice if they got the clue bat after whoever implemented this filter. Customers need to be able to opt out of all content filters, both incoming and outgoing.

    --
    Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
  12. Scam link by wotevah · · Score: 2, Informative

    The link in the scam email eventually redirects to this IP address in France, *after* ebay verifies your login. Incidentally, the one I received came through a server in Korea.

    http://62.193.217.91/eBayISAPI.php

    Page two asks for your credit card, which answers the questions about the benefits of ebay phishing.

  13. My advice... by wotevah · · Score: 5, Insightful

    ...has always been to never click on emailed links pertaining to anything important, especially banking and such.

    Bookmark all the financial sites you use, and whenever you receive emails with such "friendly" links, use your bookmark instead, to log in to the site. If it was important, you will see it on the next page there.

    I never click on the links even when I know they are legit (to avoid forming a habit).

  14. The biggest problem by sheppos · · Score: 2, Interesting

    Is that ebay don't care. I've forwarded various emails like this to abuse, webmaster and postmaster and received completely unhelpful automated replies. I've been to the customer service pages on the site and emailed them... To receive completely unhelpful automated replies. Long story short - they don't care, I don't trust them.

  15. This was reported a while ago by hairykrishna · · Score: 3, Insightful
    I'm a powerseller on UK eBay. This exploit was reported in the powerseller forum a couple of weeks ago.

    Seems that they're only 'scrambling' now there is media attention.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  16. Ebay Idiocy by fireheadca · · Score: 2, Interesting
    I was sent an e-mail from ebay:

    PASSWORD POLL

    When I create a password for any of my online accounts, I use:
    let me check, it's written beside my computer
    a combination of upper & lower case letters and numbers
    the same password for all my accounts
    the name of my child/pet/spouse/secret crush
    some variation on my name or user ID
    a random word from the dictionary
    123456 or abcdef
    the word "password"

    After contacting Customer Support I was informed that it was legit. !!!!

    I tried numerous times to point this out but Customer service with ebay can sometimes be a struggle. I take it they assume everybody is an idiot.

    Even Ebay Phishes. Go figure.
  17. Re:not hard by fireheadca · · Score: 4, Insightful

    In other words, don't be stupid and just randomly enter your password in sites asking for "updates"...

    For some phishes, I take the time to log in with fake IDs and passwords, making sure to insult the scumsucking bastards. Then I do a network lookup on them and try to email the corresponding ISP. Very easy to do and protects others.

    Vigilantism at its best! Everyone do the same.

  18. At Least a Month Old by ewhac · · Score: 3, Interesting
    I sent a note to eBay's fraud/abuse feedback channel about this on January 30th. So they can't claim they only just now found out about it.

    Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)

    _________________________________

    email header:
    from aw-confirm@ebay.com sun jan 30 14:42:29 2005

    email body:
    <html>
    <body>

    dear ebay community member,<br><br>
    <!--uee-->
    it has come to our attention that your ebay billing information records
    are out of date.<br>
    that requires you to update the billing information if you could please
    take 5-10 minutes out of your online experience and update your<br>
    billing records, you will not run into any future problems with ebay's
    online service.<br>
    however, failure to update your records will result in soon account
    termination. once you have updated your account records, your ebay<br>
    session will not be interrupted and will continue as normal. failure to
    update will result in cancellation of service, terms of service<br>
    (tos) violations or future billing problems.<br><br>

    to update and login to your ebay account, click on the link
    below:<br><br>
    <!--xr-->
    <a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=3dredirecttodomain&domainurl=3dhttp%3a%2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%32%2fupdatecenter%2flogin%2f%3fmfcisapisession%3daajbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstpaisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrferhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/ </a><br>

    <br>

    thank you for using ebay!<br><br>

    **this is no-reply message. please do not reply to this email, as you
    will receive no response**
    <!--i36-->
    </body>
    </html>

    ------=_nextpart_000_0068_01c44e5d.dbc9229e--

    message: if i'm interpreting the url in the message correctly, it looks
    like you have a vulnerable redirector running somewhere. if so, you'll
    probably want to fix that.

    the above appears to be redirecting to the ip address 211.233.38.72,
    which 'whois' says is in korea.

    schwab

    --_----------=_9502205623000--

    ------=_nextparttm-000-25ddf14b-7467-4642-9e0d-8 cafc918baf3--
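The redirector that derek_m and ryanjensen call "open", and the percent-encoded link ewhac decoded by hand in the post above, as an added Python example that is not eBay's code and not from any poster: it follows the `DomainUrl` and `ru` parameters (the names come from the links quoted in this thread), recovers the host a victim would actually land on, and shows the allow-list check a closed redirector would apply. The trusted-domain list, the function names and the sample links (copied from the thread with session ids dropped) are assumptions and constructions for the example.

```python
"""Added example (not eBay's code): decode and vet the "RedirectToDomain" links
quoted in this thread. Parameter names DomainUrl and ru are taken from the URLs
posted above; the trusted-domain list and all function names are assumptions."""
from urllib.parse import parse_qs, urlsplit

# Parameters the quoted links use to carry a destination (ru wraps a DomainUrl link).
REDIRECT_PARAMS = ("domainurl", "ru")
# Assumption: a closed redirector would only honour targets under its own domain.
TRUSTED_SUFFIXES = ("ebay.com",)

# Sample inputs constructed from links quoted in the thread (session id omitted).
OPEN_REDIRECT_LINK = ("http://cgi4.ebay.com/ws/eBayISAPI.dll"
                      "?MfcISAPICommand=RedirectToDomain&DomainUrl=http://siag.nu/")
OBFUSCATED_LINK = ("http://cgi4.ebay.com/ws/ebayisapi.dll?mfcisapicommand=redirecttodomain"
                   "&domainurl=http%3a%2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%32"
                   "%2fupdatecenter%2flogin%2f")
NESTED_LINK = ("https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
               "&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll"
               "?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F62.193.211.236"
               "%2FeBayISAPI.php&pageType=1883")


def redirect_target(url):
    """Return the percent-decoded destination carried by `url`, or None if it has none.

    parse_qs decodes each value exactly once, as a web server would, so a link that
    wraps a redirector inside a sign-in URL unwraps one layer per call."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    lowered = {name.lower(): values for name, values in query.items()}
    for name in REDIRECT_PARAMS:
        values = lowered.get(name)
        if values and values[0]:
            return values[0]
    return None


def resolve_chain(url, max_hops=5):
    """Follow nested destinations the way the site would (sign-in -> redirector -> target).

    Returns every URL on the way; max_hops guards against a link that points at itself."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirect_target(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def final_destination(url):
    """Hostname (or IP literal) a victim ends up on once every redirect has been followed."""
    return (urlsplit(resolve_chain(url)[-1]).hostname or "").lower()


def is_trusted_host(host):
    """Exact match or subdomain of a trusted suffix; a trailing dot is normalised away."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_safe_target(target):
    """Accept only absolute http(s) URLs on a trusted host (no scheme-relative or other schemes)."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and is_trusted_host(parts.hostname)


def vet_redirect(url):
    """Decision a closed redirector should make for one request: the destination if it is
    safe, otherwise None (the server would refuse or fall back to its own home page)."""
    target = redirect_target(url)
    return target if target is not None and is_safe_target(target) else None


def chain_is_safe(url):
    """True only if every hop of an embedded redirect chain stays on a trusted host."""
    return all(is_safe_target(hop) for hop in resolve_chain(url)[1:])


if __name__ == "__main__":
    for link in (OPEN_REDIRECT_LINK, OBFUSCATED_LINK, NESTED_LINK):
        print(final_destination(link), "safe" if chain_is_safe(link) else "OFF-SITE")
```

Running it prints `siag.nu OFF-SITE`, `211.233.38.72 OFF-SITE` (the address ewhac worked out from the `%32%31%31...` string) and `62.193.211.236 OFF-SITE` for the sign-in link ericspinder posted. Note that the sign-in page's own `ru` check would pass that last link, because its immediate target is on cgi4.ebay.com; only the redirector refusing off-domain `DomainUrl` values (what `vet_redirect` does) closes the hole, which is why `chain_is_safe` vets every hop rather than just the first.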

  19. Re:Outlook Settings by Storlek · · Score: 2, Interesting
    I wouldn't be so sure of Pine's security just because it doesn't handle HTML:
    Warning: The pine software has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as users on the local system, by the action of sending a specially-prepared email. All such known problems have been fixed, but the pine code is written in a very insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. You install pine at your own risk.
    -- http://freebsd.active-venture.com/handbook/mail-agents.html#PINE-COMMAND

    Who was the first moron to put HTML in mail clients?

    I don't know for sure, but to hazard a guess, I think it might have been America Online. I remember seeing AOL e-mail with pretty (read: "annoying") colors on AOL before anyone else was doing it.

    I'm not a net.historian by a long shot, though, so you should probably take that with a spoonful of salt. Google helpfully returns practically every page on the net when searching for "html" so it's fairly difficult to find anything of relevance.
    --
    Bears don't normally eat things that talk and move backwards.