
BEWARE - eBay Phishing Attacks picking up!

ry4wn

Oakley Beginner
I have seen a lot of reports about the new eBay XSS vulnerability, and I received a suspicious e-mail the same day the report was released. This is an e-mail spoofed from member@ebay.com, and all the links are real except for the item URL link. Now, as an eBay PowerSeller I was inclined to respond to the request to inform the user that he had the wrong seller pegged for the transaction. I receive e-mails like this occasionally when eBay members contact me directly, so everything looked right. This was a good spear phishing attempt; by spear phishing I mean that they had the right company name and e-mail address that I have on file with eBay! That is what makes this a "spear phishing" attack and very successful. How they received my personal information, I still don't know - possibly someone is out there selling eBay buyer/seller account information, because you can't just get a seller's/buyer's e-mail unless you've completed a transaction with them. What might trick people into clicking on the link or trying to contact the buyer is that he is threatening first: "You got my $500 2 weeks ago and there is no response from you .. I reported you to PayPal and if you don`t answer in 2 days i will contact FBI". So some users might be scared and log in to see what is going on; other users might want to respond and call him an idiot. In either case, if you click the link and log in you will be phished. The phishing e-mail is below:

[Image: ebay_XSS.png]

Like I said, it looks like the true eBay message page, or at least a slightly earlier version of it; eBay uses a different URI scheme now. Let's click the link. We'll use The Onion Router (Tor) and a Linux VM, just to be safe and certain it isn't an exploit kit or drive-by download.

[Image: ebay_phishing.png]

Now, if you're an angry eBay seller looking to set this guy straight, you might overlook the URL that has been inserted into your browser, but if you look closely you see signin.ebay.com buuuuut there is no HTTPS, and there is a "." after the .com, meaning it is a subdomain name of the hostile site. The true link looks like this: hxxp://signin.ebay.com.218-435-434-562.218-435-434-562.nt1focnwdmowp9lcj1z.pwtoerk.com/cgi-bin/saw-cgi/ws/eBayISAPI.dll/?login_email=john@john.com So..........before you click on any link in your e-mail inbox from an eBay member, log in to eBay first and see if it shows up in your "messages", which obviously it won't. Secondly, you can hover over the link in the e-mail and see right away that it is not truly eBay. Just a fair warning to all you sellers out there: I've been hearing non-stop that people are clicking this and putting their credentials in. If that is you - CHANGE YOUR PASSWORD IMMEDIATELY!

Reference:
eBay Dangerous Spam Campaign going on - http://www.computersecurity.org/wp-admin/post.php?post=226&action=edit
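The subdomain trick the post describes (a trusted name such as signin.ebay.com placed as a leading label of a hostile domain, served without HTTPS) can be caught mechanically. The following is an added example, not code from the original post; it assumes a small hand-written allow-list of eBay hosts and uses the last two DNS labels as a stand-in for a real public-suffix lookup.

```python
import urllib.parse

# Assumption: a tiny allow-list stands in for whatever a real mail filter maintains.
ALLOWED_HOSTS = ("ebay.com", "signin.ebay.com")

# The defanged URL quoted in the post, with hxxp:// restored to http:// for parsing.
PHISH_URL = ("http://signin.ebay.com.218-435-434-562.218-435-434-562."
             "nt1focnwdmowp9lcj1z.pwtoerk.com/cgi-bin/saw-cgi/ws/eBayISAPI.dll/"
             "?login_email=john@john.com")


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """True only if host equals an allowed host or is a genuine subdomain of one.
    The suffix match is anchored on a dot, so 'signin.ebay.com.evil.example'
    and 'notebay.com' both fail."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_link(url):
    """Return the findings a mail filter (or a careful reader hovering the link) would flag."""
    parsed = urllib.parse.urlsplit(url)
    host = parsed.hostname or ""          # '@' in the query string does not reach the netloc
    findings = []
    if parsed.scheme != "https":
        findings.append("no HTTPS")
    if not host_is_allowed(host):
        findings.append("host %r is really under %s" % (host, registrable_domain(host)))
        # Lookalike: a trusted name used as the leading labels of the hostname.
        for a in ALLOWED_HOSTS:
            if host.startswith(a + "."):
                findings.append("trusted name %r used as a subdomain prefix" % a)
                break
    return findings


if __name__ == "__main__":
    for finding in check_link(PHISH_URL):
        print("FLAG:", finding)
```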
 