clever eBay phishing attack
Tuesday, 19. December 2006, 12:11:30
Here is a screenshot of the HTML E-mail opened in Opera, showing the text and actual target of the link:
So it's a plain old HTML link. The text is https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&CaseID#Suspension and the address it points to is http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert&ru=http://www.clasos.com/eBayISAPI.dll/index.php.
At first glance this link seems perfectly fine: it points to the signin.ebay.com server and even uses HTTPS, which is meant to be extra verification that you'll get to the correct place or be warned. At second glance you might notice that the link address itself does not use HTTPS, and that the text of the link is shorter than the address. It still looks OK though, since the server name is correct.
Clicking that link takes me to the expected eBay sign-in page. All safe and fine, still on the eBay server with encrypted communication. Your login details are encrypted and sent to eBay, and then eBay sees the "redirect URL" argument in the original query string. "ru=" is of course meant to take you back to the auction you were trying to bid on after the login, or something like that. However, the initial phishing link set "ru" to http://www.clasos.com/eBayISAPI.dll/index.php, so that's where you're sent after login, and it shows you this very familiar-looking page:
If you aren't alert enough to check the address bar again before trying to log in, you've been phished!
This means that pretty much any website with a "redirect" feature that accepts arbitrary URLs can be abused in the same way: the real site does the redirecting, so the address bar and padlock are genuine right up to the moment you land on the scam page. It's not that hard for eBay to resolve this issue, but it's a slow task since they need to go through all scripts that can output redirect instructions and add checks that the redirect points to a valid page on their own servers (a whitelist of their own hosts, not just "looks like a URL"). Meanwhile I'm afraid this phish is going to catch more than a few users. It's so simple, and clever.
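As an added example (not from the post, and not eBay's actual code), here is the redirect logic in Python: the `ru` parameter is pulled out of the phishing link quoted above, a handler that trusts it as-is reproduces the behaviour the post describes, and a hardened version only follows it when it resolves to an allowed host over HTTPS. It goes a little beyond the specific case by also rejecting scheme-relative, userinfo and backslash tricks. The allowed-host list, the default landing page and the function names are assumptions.

```python
"""Open-redirect demo built around the phishing link from the post.

Added example; the redirect handler is modelled as a plain function, and the
allowed hosts / default target are assumptions, not eBay's real configuration.
"""
from urllib.parse import urlsplit, parse_qs, urljoin

# The link from the phishing e-mail (as quoted in the post).
PHISH_LINK = ("http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert"
              "&ru=http://www.clasos.com/eBayISAPI.dll/index.php")

# Assumed: hosts the site is willing to send a freshly logged-in user to.
ALLOWED_HOSTS = {"signin.ebay.com", "www.ebay.com", "cgi.ebay.com"}
# Assumed: where to land when the redirect target is missing or rejected.
DEFAULT_TARGET = "https://www.ebay.com/"


def extract_ru(link):
    """Return the 'ru' (return URL) query parameter of a sign-in link, or None."""
    params = parse_qs(urlsplit(link).query)
    return params.get("ru", [None])[0]


def vulnerable_redirect(ru):
    """Models the behaviour the post describes: after login, go wherever ru says."""
    return ru if ru else DEFAULT_TARGET


def safe_redirect(ru, base=DEFAULT_TARGET):
    """Follow ru only if it resolves to an allowed host over https.

    Relative paths are resolved against `base`, so '/ws/...' still works, while
    anything that resolves off-site falls back to DEFAULT_TARGET.
    """
    if not ru:
        return DEFAULT_TARGET
    # Some browsers treat '\' as '/', so '/\evil.com' would become '//evil.com'.
    candidate = ru.replace("\\", "/")
    # Control characters and whitespace have no business in a redirect target.
    if any(ord(c) <= 0x20 for c in candidate):
        return DEFAULT_TARGET
    try:
        # Turns '/path' into 'https://www.ebay.com/path'; absolute URLs and
        # scheme-relative '//host/path' keep their own host.
        resolved = urljoin(base, candidate)
        parts = urlsplit(resolved)
    except ValueError:          # e.g. malformed IPv6 literal
        return DEFAULT_TARGET
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # 'https://signin.ebay.com@evil.com/' parses with host evil.com; reject any userinfo.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved


if __name__ == "__main__":
    ru = extract_ru(PHISH_LINK)
    print("ru parameter:     ", ru)
    print("vulnerable lands: ", vulnerable_redirect(ru))
    print("hardened lands:   ", safe_redirect(ru))
```

The exact-match host set is the important part: a suffix or substring check would let `signin.ebay.com.clasos.com` or `clasos.com/signin.ebay.com` through, which is exactly the kind of lookalike the e-mail relies on.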
I used to think that Opera's new fraud warning feature was protection for newbies and less technical users. When I look at the tools and tricks the phishers use I think antiphishing might save even a power user like myself one day.
the forged link: surely the `Link alert` userjs will notify even the most tired user
EDIT: forgot that JS is not available for the email client
Checking the padlock when logging in should be second nature. The wand's golden border on the login form elements should also comfort
By dantesoft, # 19. December 2006, 14:04:17
It was fixed within a week I think.
By Frenzie, # 19. December 2006, 14:21:39
By csant, # 19. December 2006, 19:25:04
There are of course many sneakier ways to phish for beginners, and they don't require URLs.
http://www.castlecops.com/p871231-Embedded_form_Phish_email_requires_no_forged_web_page.html
By dantesoft, # 19. December 2006, 19:39:02
Making eBay itself send you to the scam site is still pretty clever.
By hallvors, # 22. December 2006, 10:39:18