Computer Crime Research Center


Trading on eBay becomes dangerous

Date: March 07, 2005
By: David Worthington

Online auctioneer eBay, the first aim for phishing con artists, has been used as an unwitting accomplice. A vulnerability in eBay's server configuration allows spoofing attacks when a specially crafted URL, which is a valid eBay link, is used to redirect users to a malicious Web site.

eBay was made aware of the issue several days ago, but has not yet corrected the problem, which can be used to exploit the trust relationship between eBay and its users.

According to examples viewed by BetaNews, the eBay redirect has been used by phishers to make fake Web pages including login forms, defacements, false press releases and other sham Web sites.

"At the moment, I guess it would be wise to tell the user to look at the URL before and after they click. Just to be extra sure," commented Internet security expert Jeremiah Grossman. "The problem is the redirect landed the user on an 'IP addressed' page. Is the average user really expected to make a good decision here? I believe phishing is a problem that needs a solution well beyond people looking at URLs. It's obviously not working."

In response to inquiries, an eBay spokesperson told BetaNews, "We are aware of it and we have a fix rolling out in the next few days."

Recently, the technology industry teamed up with law enforcement to crack down on phishing by establishing the Digital PhishNet program, which opens a direct line of communication so that cyber criminals can be quickly identified and detained.

Software and Internet companies have responded by adding anti-phishing features into e-mail clients and security software. There are also industry organizations that are devoted to routing out phishers, such as the Anti-Phishing Working Group.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo