The latest eBay phishing scam: uses a redirect in the URL; appears as a secure eBay-logoed page. Beware!!

Ah… (checks email)… ooh, another email “from eBay”. But of course. From [email protected]? Why naturally! What the hell, I thought, let’s see what they’ve done.

And there it is, even including a Habeas antispam header. Great – something more to report.

Got reading. And they’ve got the breezy style of these things just right.

It’s that time of year again! With 2005 now upon us, we have updated the eBay user agreement.

Uh-huh. Waiting for the other shoe to drop.

As a result of the update, your account will be restricted until you have followed the link below and reconfirmed your contractual agreement with eBay. We apologize for any inconvience as a result of the update, but as a large e-commerce entity we are required to receive an updated agreement at the beginning of each year.

“Beginning” in this case being March 5. Which civilisation would that be? Mayan? Aztec?

So what’s the URL? It looks rather promising, even once you uncover the true one – in my case by clicking Eudora’s “blah blah blah” button (it’s really called that), which shows the actual URL behind each clickable link.

The link text says: https://signin.ebay.com/ws/eBayISAPI.dll?UpdateAgreement

The actual URL: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F62.193.217.91%2FeBayISAPI.php&pageType=1883 .

Be very careful with this link; I’ve not obscured it at all. See what it does? It starts with the real eBay sign-in URL, an https one, and the redirect is buried near the end in the ru= (“return URL”) parameter, disguised with percent-encoding (can you guess what http%3A%2F%2F comes up as? Can ya? %3A is “:” and %2F is “/”, so it is just http://). Decoded, the ru= value reads http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://62.193.217.91/eBayISAPI.php – a second eBay endpoint whose job is to forward you to whatever DomainUrl says, here the phisher’s server. Two chained eBay redirects, and neither one checks where it is sending you.

It gets worse. That URL comes up as a secure page, with the eBay logo in the browser. It appears to load the eBay page. In fact what it does is load the page at http://62.193.217.91/ – yup, go take a look. (Unless it’s been killed now.)
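To make that decoding mechanical rather than squinting at %2F, here is an added example (my code, not anything from the post or from eBay) that takes the link text and the real href quoted above, follows the nested redirect parameters without touching the network, and reports where the chain really ends and whether the last hop is even on eBay or over TLS. The two URLs are the ones from the post; the list of parameter names it treats as redirect targets and the trusted-host suffix list are assumptions (ru and DomainUrl are the two this phish actually uses).

```python
"""Follow the redirect parameters chained inside a phishing URL, offline.

Added example, not code from the post or from eBay. LINK_TEXT and HREF are
the two URLs quoted in the post; REDIRECT_PARAMS and TRUSTED_SUFFIXES are
assumptions for illustration.
"""
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that carry a "send the browser here next" URL. ru and
# DomainUrl are what this phish uses; the others are common names (assumption).
REDIRECT_PARAMS = ("ru", "DomainUrl", "url", "redirect", "next", "return")
TRUSTED_SUFFIXES = ("ebay.com",)  # assumption: hosts we would accept as "really eBay"

# The link text and the actual href, as quoted in the post.
LINK_TEXT = "https://signin.ebay.com/ws/eBayISAPI.dll?UpdateAgreement"
HREF = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
    "&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll"
    "?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F62.193.217.91"
    "%2FeBayISAPI.php&pageType=1883"
)


def peel_encoding(value: str) -> str:
    """Percent-decode repeatedly until a URL scheme appears or nothing changes.

    parse_qs already decodes one layer; phishers sometimes stack more.
    """
    while not urlsplit(value).scheme:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def next_hop(url: str) -> Optional[str]:
    """Return the URL named by the first redirect parameter found in url, if any."""
    params = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        if name in params and params[name][0]:
            return peel_encoding(params[name][0])
    return None


def redirect_chain(url: str, max_hops: int = 5) -> List[str]:
    """List the URLs a browser would be bounced through, as far as the
    parameters alone reveal it. No request is ever made."""
    chain = [url]
    for _ in range(max_hops):
        hop = next_hop(chain[-1])
        if hop is None:
            break
        chain.append(hop)
    return chain


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    # Suffix match on a dot boundary, so "ebay.com.evil.test" does not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyse_link(text: str, href: str) -> dict:
    """Compare what the mail shows with where the href really ends up."""
    chain = redirect_chain(href)
    final = chain[-1]
    return {
        "text_host": host_of(text),
        "href_host": host_of(href),
        "chain": chain,
        "final_host": host_of(final),
        "final_is_trusted": is_trusted_host(host_of(final)),
        "final_uses_tls": urlsplit(final).scheme == "https",
    }


if __name__ == "__main__":
    report = analyse_link(LINK_TEXT, HREF)
    for i, hop in enumerate(report["chain"]):
        print(f"hop {i}: {host_of(hop):20} {hop}")
    print("final host trusted:", report["final_is_trusted"],
          "| final uses TLS:", report["final_uses_tls"])
```

Run as-is it walks three hops (signin.ebay.com, cgi4.ebay.com, 62.193.217.91) and flags the last as untrusted and plain http; the same function works on any mail link, which is the point of doing it in code rather than by eye.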

If you ask me, that’s serious. I’ve fired off an email to [email protected] – we’ll have to hope someone is awake there.

The result is the same, though: a phishing scam. The mail originates from a PC in Korea at 211.59.86.44, since you ask, and points to one in France at 62.193.217.91 (owned by Amen.fr).

A final thought: eBay could, and should, stop this. It’s SO easy. How: (1) change the images on its website, constantly. (2) block any display of those images outside the eBay site. I do think eBay bears a lot of responsibility for not proactively tackling this.

5 Comments

  1. >block any display of those images outside the eBay site.

    Yeah, because you can’t get round that with a screenshot & Photoshop.

  2. Except that I said eBay should change the images on its site constantly. That would be hard to get round.

    The fake site is down right now – hard to say when it was removed though.

    Trouble of course being that these pages can be set up everywhere, and eBay is always playing catchup. Which is why it should stop the outgoing display of images. That would at least delay the phishers.

  3. The phishers are still phishing…that site is still up.

  4. Not to mention that this scammer is using EBAY’S OWN PROGRAM to redirect browsers to his site.

    eBayISAPI.dll (running on eBay) is slavishly redirecting users to systems outside eBay’s domain. That is a world-class security hole if I’ve ever seen one. And no doubt about it, it’s eBay’s fault.

    Eric
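Eric’s point is the one that matters for anyone who runs a redirect endpoint. As an added example (my code, not eBay’s; the post shows only that RedirectToDomain forwarded browsers to whatever DomainUrl said, not how it was written), here is a minimal model of that open redirect beside a hardened version that forwards only to https URLs on an allowlisted host and sends everything else to a fixed landing page. The trusted suffix list, the fallback URL and the handler name are assumptions; the DomainUrl value is the one from the post.

```python
"""An open redirect handler beside a hardened one.

Added example, not eBay's code: the post shows only that RedirectToDomain
forwarded browsers to whatever DomainUrl said. TRUSTED_SUFFIXES, FALLBACK and
handle_redirect_to_domain are assumptions for illustration.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

TRUSTED_SUFFIXES = ("ebay.com",)      # assumption: hosts a redirect may target
FALLBACK = "https://www.ebay.com/"    # assumption: where rejected targets land

# The DomainUrl this phish supplied, as quoted in the post.
PHISH_TARGET = "http://62.193.217.91/eBayISAPI.php"


def redirect_open(domain_url: str) -> str:
    """Vulnerable: the caller's DomainUrl becomes the Location header verbatim."""
    return domain_url


def redirect_allowlisted(domain_url: str) -> str:
    """Hardened: forward only to https URLs whose host is on the allowlist.

    Everything else, including protocol-relative "//host", "javascript:" and
    bare paths, goes to FALLBACK. The Location is rebuilt from the parsed parts
    so the host we checked is the host we send; userinfo (user:pass@) is dropped.
    """
    parts = urlsplit(domain_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return FALLBACK
    # Suffix match on a dot boundary: "ebay.com.evil.test" must not pass.
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return FALLBACK
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def handle_redirect_to_domain(query_string: str, hardened: bool = True) -> str:
    """Model of the endpoint: pull DomainUrl out of the query and choose the Location."""
    params = parse_qs(query_string)
    target = params.get("DomainUrl", [""])[0]
    return redirect_allowlisted(target) if hardened else redirect_open(target)


if __name__ == "__main__":
    query = "MfcISAPICommand=RedirectToDomain&DomainUrl=" + PHISH_TARGET
    print("open redirect      ->", handle_redirect_to_domain(query, hardened=False))
    print("allowlisted version ->", handle_redirect_to_domain(query))
```

Safer still is to accept only a path and prefix it with the site’s own origin, which removes host checking entirely; the allowlist form is what you need when a legitimate return across subdomains (signin to cgi4, say) has to keep working.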

  5. Amen.fr is clearly a criminal enterprise–as of May 2005, the web site is still up. I’ve sent three complaints to them in the last week.
