[Macpartners] Beware of "phishing" e-mails masquerading as legit broadcast from eBay, banks, etc...

Kerem B Limon kerem.limon at MIT.EDU
Sun Feb 1 20:18:19 EST 2004


Folks--

(My apologies to viradmin members, as this is not exactly a virus.)

A family member forwarded the enclosed message when she became suspicious 
as to whether it was actually from eBay. It turns out it wasn't. However, 
most casual users aren't as careful, patient, or smart enough to even care 
and would have fallen prey to this. You might want to keep an eye out for 
the new "phishing" scams going around (and alert your users, friends, and 
family about them).

This "phishing" (a 'PHreak'-ified version, of phone-hacking fame, of 
'fishing' for unsuspecting users) basically refers to the attempt to 
capture passwords and other confidential user info through third-party 
sites masquerading as legit fronts for high-profile Web sites like eBay, 
major banks, etc. It turns out that a bug in all versions of IE (since 3.0, 
I believe) causes certain characters in a URL to not display in the address 
bar. Any characters following this pseudo-illegal character are also not 
displayed, so in effect the URL is truncated, but ONLY in the address bar. 
The browser nonetheless goes to the full URL, fetches whatever is there, 
and renders it. So, the malicious party embeds a link in an HTML-formatted 
e-mail, something like 
"http://legitsite.com<illegal_char>@fraudulentsite.com", and makes only the 
"http://legitsite.com" part visible and clickable as the link text. 
(Everything before the "@" is treated as a username, so the host the 
browser actually connects to is fraudulentsite.com.) When the user 
innocently clicks on the link, they are taken to the full link, but IE 
still displays only the first part. Thus, especially if the fraudulent site 
is well-crafted to copy the original (not difficult, and they _are_), it 
*looks* like the real site, the address *looks* correct...if it looks like 
a duck, if it quacks like a duck...you get the point.

I took the e-mail she forwarded me and looked at the source, which had a 
decent amount of JavaScript encapsulating the apparent link to 
http://signin.ebay.comeBayISAPI.dllSignInssPageName=hh:sinUS which really 
was a link to

http://signin.ebay.comeBayISAPI.dllSignInssPageName=hh:sinUS&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;&#1;@cbhb.net/images/login.html

(sorry about the length). If you look at http://cbhb.net/images/login.html, 
you'll see a fair replica of the eBay login page, indeed linking to other 
legit eBay pages even.
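As an added illustration (not part of the original message), here is the defender's side of the two passages above: a small Python scanner that decodes the character references in an HTML e-mail's anchors, works out the host the browser will really contact (whatever follows the "@"), and flags control characters, embedded user info and a mismatch between the visible link text and the real host. The sample HTML is constructed after the message quoted below, with only a few of the &#1; characters kept; the function names are mine.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the forwarded e-mail: the visible link text is
# the real eBay sign-in URL, while the href carries look-alike text, a few &#1;
# control characters and then "@" followed by the host actually contacted.
SAMPLE_HTML = (
    '<p>To reactivate your account, click on the link below:</p>'
    '<a href="http://signin.ebay.comeBayISAPI.dllSignInssPageName=hh:sinUS'
    '&#1;&#1;&#1;&#1;@cbhb.net/images/login.html">'
    'http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&amp;ssPageName=h:h:sin:US</a>'
)

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def decode_entities(s):
    """Decode numeric character references literally, then named ones.
    html.unescape() alone silently drops C0 controls such as &#1; (HTML5
    rules), which would hide exactly the characters this check looks for."""
    s = re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), s)
    s = re.sub(r"&#[xX]([0-9a-fA-F]+);", lambda m: chr(int(m.group(1), 16)), s)
    return html.unescape(s)

def host_of(url):
    """Host the browser really connects to: whatever follows any user:pass@."""
    return (urlsplit(url).hostname or "").lower()

def analyse_link(href, text):
    """Findings for one anchor; an empty list means nothing looked wrong."""
    href = decode_entities(href)
    text = decode_entities(re.sub(r"<[^>]+>", "", text)).strip()
    findings = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in href):
        findings.append("control character in href")
    if "@" in urlsplit(href).netloc:
        findings.append("userinfo before @ in href, real host is " + host_of(href))
    if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
        findings.append("visible host %s != real host %s" % (host_of(text), host_of(href)))
    return findings

def scan(html_body):
    """Map each suspicious decoded href in an HTML body to its findings."""
    report = {}
    for href, text in ANCHOR_RE.findall(html_body):
        findings = analyse_link(href, text)
        if findings:
            report[decode_entities(href)] = findings
    return report
```

Run scan(SAMPLE_HTML) to see the three findings for the sample anchor; a link whose text and href point at the same host comes back clean.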

There's no telling what an abuser might do with your confidential info. In 
this case, for instance, the person who got the message has a reputable 
business record/credit/feedback score on eBay. The scam artist could've 
used the account to set up fake auctions, collected money (since most eBay 
payments are made in advance) under the innocent party's good name, and 
disappeared, not only making off with the loot but ruining the victim's 
reputation.

I've sent the same information to eBay's abuse line, along with whois info 
on the linked domain, though I anticipate they've already received many 
similar complaints. In fact, most sites are setting up warning areas for 
these issues, including eBay (see 
http://pages.ebay.com/education/spooftutorial/index.html), but the 
likelihood of the typical users being aware or taking the time to check is 
small.

There is more info on the "phishing" scam at 
http://www.theregister.co.uk/content/55/34863.html, and you can search 
Google News for "phishing".

Kerem

>From: "suspension at ebay.com" <suspension at ebay.com>
>To: [...]
>Subject: eBay Account Suspended
>Date: Sun, 1 Feb 2004 13:22:33 -0800
>MIME-Version: 1.0
>X-Priority: 3
>X-MSMail-Priority: Normal
>Reply-To: "suspension at ebay.com" <suspension at ebay.com>
>X-Mailer: Internet Mail Service
>Content-Type: multipart/alternative;  boundary="----_NextPart_339795377369538"
>Content-Length: 4230
>
>
>
>
>Dear eBay User,
>
>We recently noticed one or more attempts to login into your eBay
>account from a foreign IP address and we have reasons to believe that
>your account has been hijacked by a third party without your
>authorization.
>
>
>In order to protect your sensitive information or unauthorized listings we 
>temporarily suspended your account for further investigations. To 
>reactivate your account, click on the link below and  confirm your 
>identity by completing the secure form that will appear.
>
>
>If you recently accessed your account while traveling, the unusual
>login attempts may have been initiated by you.
>
>Take our apologies for any inconvenience that this may cause.
>
>
>Thank you
>
>eBay Account Theft Prevention
>
>http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US
>
>
>
>The log in attempt was made from:
>
>IP address: 205.188.211.167
>
>ISP host: afxs-d32a.blue.aol.com
>
>
>
>
>
>
>Announcements   |   Register   |   SafeHarbor (Rules & 
>Safety)   |   Feedback Forum   |   About eBay
>
>Copyright © 1995-2003 eBay Inc. All Rights Reserved.
>Designated trademarks and brands are the property of their respective owners.
