eBay Scrambles to Fix Phishing Bug
Paul Laudanski writes "c|net is reporting that eBay is scrambling to fix a software glitch which opens doors to phishing attacks via one of its own valid URLs. "The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.""
It should be a text-only medium, period. No attachments, no graphics, no opportunity to get someone to click before they think.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPIComm and=RedirectToDomain&DomainUrl=http://siag.nu/
That's a link to ebay.com which redirects to siag.nu. And it doesn't look like a glitch, it looks like it's on purpose.
Slashdot Scrambles to Fix Dupes
Maybe they changed their stance.
Not too long ago, I had a co-worker defrauded. Yeah, he wasn't a bright one and really should have consulted me when even the slightest bit of doubt surfaced.
Long story short, it didn't take place on eBay, but originated through a compromised user's account. In the end, eBay was fairly useless for help because they had the option to not deal with it.
If they were serious about working hard to stop this activity they could be a bit more pro-active.
Now, I'm not damning them completely, not so long ago I had someone disappear after a transaction. It took a few weeks to get my money back, but in the end the issue was resolved.
They really need to abandon email entirely and just eliminate the elements they can't control. At the very least leave external notifications off by default.
Otherwise, an alright service, but plagued with problems any high profile commerce site would suffer.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Finally I tried abuse@ebay, that sent back an automated reply and in that reply, I found the email spoof@ebay.com
I doubt if I'm the only person who found that scam, but I am glad that they seem to be taking action.
The grass is only greener, if you don't take care of your own lawn.
Not just for ebay...but for everyone. Allow users to download the GPG key from inside their account and sign all the legit email.
I realize that this somewhat complicates things for Grandma and Aunt Agnes, but the general public is going to HAVE to learn to deal with it in an effective way. GPG is an effective way...and PGP Freeware for Windows/Outlook is pretty idiot proof.
Lots of people use the same password for everything. If I were to net a bunch of eBay account passwords, I could stand a decent chance of getting into the PayPal accounts of at least a few of them.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Annoyingly, my ISP (Speakeasy) has stopped allowing its customers to forward phishing emails to spoof@ebay.com.
They are doing content filtering on outgoing mail, which is something I really wish they wouldn't do. I have no idea what aspect of the message triggers the filter, but any attempt to forward an HTML phishing mail without converting it to plaintext first (and losing the href fields that would allow eBay to shut down the phishing sites) yields "Server Response: '554 message permanently rejected, you may have a virus (#5.3.0)'."
All attempts to communicate my displeasure to Speakeasy's support department have met with the usual language barrier (I speak English, they speak Moronese). I simply could not find a way to convince them that I wasn't having trouble sending email in the general case. If anybody from Speakeasy is reading this, it would be nice if they got the clue bat after whoever implemented this filter. Customers need to be able to opt out of all content filters, both incoming and outgoing.
Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
Bookmark all the financial sites you use, and whenever you receive emails with such "friendly" links, use your bookmark instead, to log in to the site. If it was important, you will see it on the next page there.
I never click on the links even when I know they are legit (to avoid forming a habit).
Um, no, that's the whole thing... there aren't any goods to mail.
The idea is, I use your account to post an auction for an expensive piece of equipment with a glowing description stolen from another successful auction, photos courtesy of Google Image Search, and a Buy It Now price around 20% of retail. The victim hits the BIN button and, at my request, sends me a Western Union transfer to pay. That's the last anyone hears from me.
Typically this scam is operated from Internet cafes in Eastern European countries with twentieth-century technology and twelfth-century ethics.
Seems that they're only 'scrambling' now there is media attention.
"Physics is to math as sex is to masturbation." -R. Feynman
In other words, don't be stupid and just randomly enter your password in sites asking for "updates"...
For some phishes, I take the time to log in with fake IDs and passwords, making sure to insult the scumsucking bastards. Then I do a network lookup on them and try to email the corresponding ISP. Very easy to do and protects others.
Vigilantism at its best! Everyone do the same.
Below is a copy of what I sent them. The fraudulent email appears before my comment. (For some reason, it was reformatted to all lower-case.)
_________________________________
email header:
from aw-confirm@ebay.com sun jan 30 14:42:29 2005
email body:
<html>
<body>
dear ebay community member,<br><br>
<!--uee-->
it has come to our attention that your ebay billing information records
are out of date.<br>
that requires you to update the billing information if you could please
take 5-10 minutes out of your online experience and update your<br>
billing records, you will not run into any future problems with ebay's
online service.<br>
however, failure to update your records will result in soon account
termination. once you have updated your account records, your ebay<br>
session will not be interrupted and will continue as normal. failure to
update will result in cancellation of service, terms of service<br>
(tos) violations or future billing problems.<br><br>
to update and login to your ebay account, click on the linki sapicommand=3dredirecttodomain&domainurl=3dhttp%3a %2f%2f%32%31%31%2e%32%33%33%2e%33%38%2e%37%3a jbaqqzehaaemwzlhhlwxs2albxvshqahqrfhgtdrferhcurstp aisnrqahqrfhgtdrferhcurstpaisnrpaisnrqahqrfhgtdrfe rhcuqrfqzehaaemwzlhhlwxh">http://cgi4.ebay.com/ws/ </a><br>
below:<br><br>
<!--xr-->
<a href=3d"http://cgi4.ebay.com/ws/ebayisapi.dll?mfc
2%2fupdatecenter%2flogin%2f%3fmfcisapisession%3da
<br>
thank you for using ebay!<br><br>
**this is no-reply message. please do not reply to this email, as you
will receive no response**
<!--i36-->
</body>
</html>
message: if i'm interpreting the url in the message correctly, it looks
like you have a vulnerable redirector running somewhere. if so, you'll
probably want to fix that.
the above appears to be redirecting to the ip address 211.233.38.72,
which 'whois' says is in korea.
schwab
Editor, A1-AAA AmeriCaptions
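The two posts above show the same pattern from both ends: a valid ebay.com URL whose DomainUrl parameter forwards to siag.nu, and a forwarded phishing mail whose DomainUrl hides the real destination behind quoted-printable and percent encoding. The following checker is an added example written for this thread, not code from eBay or from any poster; it decodes both layers and flags links whose redirect parameter points at a host other than the one in the link itself. The list of redirect parameter names, the subdomain handling and the sample mail body are constructed assumptions.

```python
"""Flag trusted-looking links that redirect to another host (added example)."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names often used to carry a redirect target. Assumed list;
# 'DomainUrl' is the one named in the thread.
REDIRECT_PARAMS = {"domainurl", "url", "redirect", "redir", "next", "return", "goto"}


def qp_decode(text):
    """Undo quoted-printable soft line breaks and '=3D'-style escapes."""
    text = re.sub(r"=\r?\n", "", text)
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def full_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded hosts (%2532...) are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_target(url):
    """Return the external host a URL forwards to via a redirect parameter, else None.

    Any host that differs from the link's own host is reported, so a redirect
    from cgi4.ebay.com to www.ebay.com is flagged too; that errs on the side
    of caution rather than guessing which subdomains belong to the site.
    """
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query):
        if name.lower() in REDIRECT_PARAMS:
            target = urlsplit(full_unquote(value))
            if target.scheme and target.hostname and target.hostname != parts.hostname:
                return target.hostname
    return None


def suspicious_links(mail_body):
    """Return (link host, real destination) for every redirecting href in a mail body."""
    text = html.unescape(qp_decode(mail_body))
    found = []
    for href in re.findall(r'href\s*=\s*"([^"]+)"', text, flags=re.I):
        dest = redirect_target(href)
        if dest:
            found.append((urlsplit(href).hostname, dest))
    return found


# Constructed mail body modelled on the one forwarded in the thread (not the original).
SAMPLE_MAIL = (
    'dear ebay community member,<br>\n'
    'to update your account, click <a href=3D"http://cgi4.ebay.com/ws/eBayISAPI.dll?'
    'MfcISAPICommand=3DRedirectToDomain&amp;DomainUrl=3Dhttp%3a%2f%2f%32%31%31%2e'
    '%32%33%33%2e%33%38%2e%37%32%2fupdatecenter%2flogin%2f">here</a><br>\n'
    'help: <a href=3D"http://pages.ebay.com/help/">eBay Help</a>\n'
)

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_MAIL))
```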