Jeremy Stein - Journal

« »

Brilliant Ebay Spoof

Last night, I received a brilliant ebay spoof email. I was informed that my account had been compromised and I needed to confirm my account information. The correct link to signin.ebay.com was in the email. It took me a few minutes to realize that the link, while it read “http://signin.ebay.com/aw-cgi/eBayISAPI.dll?etc” actually went to “http://signin.ebay.com-update.us/aw-cgi/eBayISAPI.dll?etc” or something like that. The email included warnings about email spoofs and instructed the user to look for “https://signin.ebay.com” in the address bar and the padlock in the lower right corner of the browser (Internet Explorer).

I clicked on the link. It brought me to this “ebay” page. Take a look at it. The address bar shows “https://signin.ebay.com”. There is the padlock in the lower right corner. I must be on an ebay site. But I wasn’t. I was actually at “https://s.p2.hostingprod.com/@com-userverify.us/ssl/eBayISAPI.php…”. You can see the last part of the URL off to the right part of the address bar. The ebay url is actually a bit of text from the page that has been positioned over top of the address bar. You can see how it’s a few pixels off in my browser (IE 6 on XP).

Wow! These guys are smart. It took me a while to figure out what they were doing. They took the ebay signin page and added some clever Javascript to position text over the address bar in IE. How could a non-technical user be expected to recognize this as fraudulent? The ebay web site directs users to always look for the address bar to begin with “http://signin.ebay.com/”. And it does! The sacred address bar has been violated. And they even made it a secure connection. Brilliant. Wickedly brilliant.

Actually, I left out a few details in the above account. The first thing I did was to report the email to ebay. I believe I sent it to them within an hour of it being sent out. Ebay responded immediately that it was not from them. I assume they had quite a few people working late last night. The link no longer works this morning. Also, I neglected to mention that my spam filter identified the email as an ebay spoof and didn’t want me to see it. And, even when I bypassed that and read the message from my spam folder, Mozilla Firefox didn’t succumb to the trick. However, I’m not going to spend any time praising the virtues of Mozilla on this one. I’m sure that if Mozilla had 95% of the market share, ebay spoofs would exploit defects in Mozilla rather than those in IE. But in any case, the point remains that Mozilla users didn’t get spoofed.

The thing that most puzzles me is how someone who is clearly talented could spend so much creative energy committing a felony. I hope they get to mull over that question in prison.

June 15, 2004 2 Comments.

2 Comments

  1. Mark A. Hershberger replied:

    This is quite clever. Wonder if I can find a use for it.

    (Now that I’m back to using nnrss in emacs, I’ve subscribed to your feed.)

    June 15th, 2004 at 2:26 pm. Permalink.

  2. mike replied:

    Thank for explaining that. I received the same thing today and could not figure out how they managed to get https in the address.

    The only differences are the lack of a favicon and a slightly different font on a MAC.

    Regards

    Mike

    July 7th, 2005 at 2:50 am. Permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *