Fraudsters have exploited a flaw in the eBay web site that allows them to orchestrate phishing attacks using eBay's own Sign In page.
Registered users of eBay's popular online auction web site must sign in using a username and password in order to participate in bidding and listing of items. A new style of phishing attack reported through the Netcraft Toolbar community shows fraudsters exploiting flaws on the Sign In page and on another ancilliary page which results in victims being redirected to the fraudster's phishing site after they have logged in.
This particular attack starts off like many others, by sending thousands of emails that instruct victims to update their eBay account details by visiting a URL. However, that is where the similarity ends, because the URL in this case actually takes the victim to the genuine eBay Sign In page, hosted on signin.ebay.com. By including special parameters at the end of the URL, the fraudster has changed the behaviour of the Sign In page so that when a user successfully logs in, they will then be sent to the fraudster's phishing site via an open redirect hosted on servlet.ebay.com.
The eBay Toolbar reports that the maliciously modified Sign In page is a "Verified eBay Site". Conversely, the Netcraft Toolbar denies access to the modified page while still allowing access to genuine eBay Sign In pages.
The victim is more likely to trust the contents of the fraudster's site, because they have arrived there as a result of signing into eBay via a genuine eBay Sign In page. Because there is less reason to suspect anything is awry, the victim is more likely to surrender any sensitive details in the mistaken belief that they are really giving them to eBay.
Theft of eBay and PayPal accounts is of particular interest to fraudsters, as they can be used to launder money and list phony auctions for high value goods, piggy-backing off someone else's positive feedback.
Open Redirect Detection Service
Netcraft's Open Redirect Detection Service can perform an automatic search of a customer’s web sites to scan for problems such as these, on a daily basis, thereby promptly trapping redirects introduced by inadvertent web design and application development, and giving an excellent cost benefit.
Please contact us (firstname.lastname@example.org) indicating the sites and domains you control and wish to have tested.