
Can't Even Trust Ebay's Servers Anymore

eBay Phishing scams, eh?

This is a clever one.

eBay’s own site will redirect requests to arbitrary external domains. An attacker only needs to build a query string that makes a genuine ebay.com URL redirect to a page they control:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.attackers-domain.com/malware/

All they need to do is percent-encode the target URL to hide where it really goes, like so:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=%68%74%74%70%3A%2F%2F%68%6F%6D%65%2E%64%75%72%64%6C%65%2E%63%6F%6D%2F%76%61%72%73%2E%61%73%70

Decoded, that points to http://home.durdle.com. It looks much more like an eBay link though, right?

Of course, people need to be vigilant about what emails are asking them to do. The one that prompted me to investigate this was asking me to “confirm my account details”, so it was obviously fake. Well, obvious to me; I know a good number of people who would have seen a valid eBay URL and diligently followed the instructions.

Perhaps eBay need some validation on their RedirectToDomain command, or at the very least they could check the HTTP Referer header, so that the redirect would only work if you were following a link from within an eBay page.
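As an added example (not code from this post, and not eBay’s own), here is what that validation could look like in Python: the `DomainUrl` value is percent-decoded exactly once, as the server would decode it before acting on it, and the redirect is then allowed only if the target is a same-site relative path or an http(s) URL whose host is on an allowlist. The `ALLOWED_REDIRECT_HOSTS` set, the function names and the sample URLs in the main block are assumptions for illustration. Checking the destination this way is stronger than a Referer check on its own, because the Referer header is optional and is chosen by whoever sends the request.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that a RedirectToDomain-style command may legitimately send a user to.
# Constructed list for this example; the real set of eBay hostnames is not on the page.
ALLOWED_REDIRECT_HOSTS = {"www.ebay.com", "cgi.ebay.com", "cgi4.ebay.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Allow only same-site relative paths or absolute http(s) URLs on an allowlisted host.

    `target` is the already-decoded parameter value, i.e. what the browser would
    actually be sent to, so the percent-encoded obfuscation shown in the post has
    been undone before this check runs.
    """
    # Embedded whitespace or control characters point at header-splitting or
    # parser-confusion attempts; fail closed.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Same-site relative path: "/ws/eBayISAPI.dll" is fine, but "//host" and
    # "/\host" are scheme-relative URLs that browsers send off-site.
    if target.startswith("/"):
        return not target.startswith(("//", "/\\"))
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. a malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False            # rejects javascript:, data:, ftp: and scheme-less values
    if parts.username or parts.password:
        return False            # "http://www.ebay.com@evil.example/" style tricks
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def check_redirect_request(request_url: str) -> bool:
    """Given the full request URL, decide whether the DomainUrl redirect may proceed."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    if query.get("MfcISAPICommand") != ["RedirectToDomain"]:
        return False            # not a redirect request at all
    targets = query.get("DomainUrl", [])
    if len(targets) != 1:
        return False            # missing, or duplicated to confuse the parser
    # parse_qs has percent-decoded the value exactly once, as the server would;
    # a double-encoded value stays encoded here and is rejected above (no scheme).
    return is_safe_redirect(targets[0])


if __name__ == "__main__":
    # Constructed sample requests: the two attacker-built URLs from the post,
    # then a redirect to an allowlisted host that should be permitted.
    samples = [
        "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain"
        "&DomainUrl=http://www.attackers-domain.com/malware/",
        "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain"
        "&DomainUrl=%68%74%74%70%3A%2F%2F%68%6F%6D%65%2E%64%75%72%64%6C%65%2E%63%6F%6D"
        "%2F%76%61%72%73%2E%61%73%70",
        "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain"
        "&DomainUrl=http://www.ebay.com/help/",
    ]
    for url in samples:
        print("allow" if check_redirect_request(url) else "block", url)
```

Both URLs from the post are blocked (the encoded one decodes to a home.durdle.com address, which is not on the allowlist), while a redirect that stays on an allowlisted host is permitted. Anything the parser cannot classify, including double-encoded values, scheme-relative `//host` paths and userinfo tricks, falls through to a refusal rather than a redirect.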

Update: eBay are dumber than a bag of hammers, and completely miss the point. See the comments for updates. Also check the thread I spawned on Dave Farber’s Interesting People mailing list.

  1. Just figured this one out as well and emailed their fraud department. Then googled for ebay redirecttodomain to see who else had figured it out.

    Sadly…. not many!

  2. What if eBay sent all of their emails with a digital ID? I know Verisign offers that product to folks. Is that feasible? It certainly seems like it might be. It will take a firm like eBay doing this to make it acceptable for others to follow. Just an idea.

  3. eBay seem not to care a jot about how much of a problem this is for the wider Internet community. I reported it to their abuse department, and got back a stock reply which completely missed the point of what I was telling them:

    Emails such as this, commonly referred to as “spoof” or “phished”
    messages, are sent in an attempt to collect sensitive personal or
    financial information from the recipients. The email you reported was
    not sent by eBay. We have reported this email to the appropriate
    authorities.

    In the future, we ask that you be very cautious of any email that asks
    you to submit information such as your credit card number or your email
    password. eBay will never ask you for sensitive personal information
    such as passwords, bank account or credit card numbers, Personal
    Identification Numbers (PINs), or Social Security numbers in an email.
    If you ever need to provide sensitive information to us, please open a
    new Web browser, type http://www.ebay.com into your browser address field, and
    click on the “site map” link located at the top of the page to access the
    eBay page you need.

    I got another one just this morning, which again failed to understand the crux of the matter:

    Hello Howard,

    Thank you for writing back.

    Unfortunately, email sent through eBay’s Email Forwarding System (EFS)
    cannot be blocked as eBay encourages open communication between trading
    partners. Communication is a defining key to success on eBay. However,
    we still encourage and ask that you report all unwelcome email you
    receive so that we can take the appropriate action if needed. We do not
    keep records of the emails sent through our system, so we rely on our
    members to keep us informed of any inappropriate use of the EFS.
    You should never respond to offers made by the seller to sell their item
    off eBay. Transactions that take place through eBay provide you access
    to valuable safety-related services including Feedback, free buyer
    protection, integrated payment, escrow, and dispute resolution.

    This completely misses the point! The email wasn’t sent through eBay’s EFS! It was sent via the spammer’s account (or probably a zombied proxy) but it WAS using eBay’s servers to make the URL seem legitimate.

    If eBay can’t even be bothered to read and understand the security issues that are reported to them for FREE by concerned users, what hope have we that their internal people are doing any better?

  4. Actually, the problem with this command is that you can use it to verify a valid eBay user name/password. The link in your evil email directs the output of the eBay login page to your evilsite.com. If not a valid eBay user, you get a login error. If eBay accepts the login, evilsite.com now has the valid eBay user name/password. Then ask for more info (credit card, etc) on your evilsite.com pages, using pages that look just like eBay’s signup pages.

    The result: a valid eBay user name and password, and probably other credit card info. A good haul for the phisherman!

  5. How infuriating. I’ve emailed eBay directly with recommendations for a fix (it’s a simple conditional test for the path argument string RedirectToDomain — it is NOT used on the normal signin page). This is programming 101, for Pete’s sake. I posted a similar whine on our FAQs — I think eBay won’t react until they have their first lawsuit for breach of customer privacy. How stupid.
