A flaw has been discovered on eBay’s website that would have allowed fraudsters to successfully redirect the sign-on process to a phishing site.
Reported by British antiphishing outfit Netcraft, the clever scam apparently started with fraudsters sending e-mails asking eBay users to update their accounts. So far so normal, as such fake eBay e-mails are currently one of the phishing world’s persistent lines of attack.
Disarmingly, however, the link provided was genuine and led to the correct eBay sign-in page, signin.ebay.com. If users clicked on this, parameters embedded in the otherwise normal stream of characters at the end of the link actually redirected users away from the page after the sign-in page to a fake phishing page, via an open relay hosted at servlet.ebay.com.
The end result would have been that users gave away information allowing phishers to hijack their accounts, either as a way of laundering money or for launching fake auctions.
According to Netcraft’s Paul Mutton, the company first learned of the attack from users of its antiphishing toolbar — which stops the attack — and reported the flaw to eBay last week.
This is not the first time such an attack has been attempted on eBay users. In March, phishers launched an almost identical redirect-style attack, which spoofed the sign-on page itself. Mutton said he considered the latest attack more subtle as it manipulated the real sign-on page, and would therefore be harder for users to detect.
“I believe this new exploit is more serious because it is more convincing,” Mutton said. “It is something they can prevent by enforcing stricter coding conventions.” At the time of going to press, eBay was unavailable for comment.
The moral is not to click on links in e-mails just because they look genuine, a fairly disturbing conclusion as this is one of the main criteria people use.
Netcraft’s toolbar, a web browser plug-in for Microsoft’s Internet Explorer and Mozilla’s Firefox, is designed to protect against phishing websites, not least by analyzing the sort of characters used in this attack.
