eBay Redirect Becomes Phishing Tool
Online auctioneer eBay, a prime target for phishing schemes, has been used as an unwitting accomplice. A flaw in eBay's server configuration paves the way for spoofing attacks when a specially crafted URL (Example), which is a valid eBay link, is used to redirect users to a malicious Web site.
eBay was made aware of the issue several days ago, but has not yet corrected the problem, which can be used to exploit the trust relationship between eBay and its users.
Phishing is the designation given to a class of socially engineered attacks -- generally carried out via e-mail -- that steal consumers' passwords, credit card numbers and other personally identifiable information.
According to examples viewed by BetaNews, the eBay redirect has been used by phishers to make fake Web pages including login forms, defacements, false press releases and other sham Web sites.
"It certainly adds some credibility to phishing e-mails. But scammers have used other types of URL re-direction for a long time," noted Brian McWilliams, author of Spam Kings.
"At the moment, I guess it would be wise to tell the user to look at the URL before and after they click. Just to be extra sure," commented Internet security expert Jeremiah Grossman. "The problem is the redirect landed the user on an 'IP addressed' page. Is the average user really expected to make a good decision here? I believe phishing is a problem that needs a solution well beyond people looking at URLs. It's obviously not working."
In response to inquiries, an eBay spokesperson told BetaNews, "We are aware of it and we have a fix rolling out in the next few days."
"The fact that it is eBay increases the risk of someone taking advantage of the issue," said Grossman.
Recently, the technology industry teamed up with law enforcement to crack down on phishing by establishing the Digital PhishNet program, which opens a direct line of communication so that cyber criminals can be quickly identified and detained.
Software and Internet companies have responded by adding anti-phishing features into e-mail clients and security software. There are also industry organizations that are devoted to routing out phishers, such as the Anti-Phishing Working Group.
Nate Mook contributed to this report.