As online auction sites have continued to proliferate beyond eBay, uBid and Yahoo, use of auction marketing tools has taken off as users of smaller services seek methods to get their items in front of more potential buyers’ eyeballs.
Unsurprisingly, as phishers continue to diversify their own efforts, they’ve caught on to auction marketing tools as yet another platform for luring unsuspecting users into handing over their credentials, as highlighted by experts with Symantec.
In a recent blog post, Symantec research Matthew Maniyara sketched out the process by which phishers are tapping into the power of (phony) auction marketing to expand their own business interests.
“Phishing attacks targeting the brands of online auction and shopping websites are common. [But] for better success rates, phishers are now trying alternate means to obtain the credentials of online auction customers by attacking legitimate brands providing auction-marketing tools,” Maniyara said.
Legitimate tools including auction item image hosting galleries, automatic inventory systems meant to notify sellers of stock shortages and a host of other online marketing services are seeing a lot of activity of late as phishers spoof their likenesses to deliver their threats, according to the expert.
Upon entering credentials onto the fake auction tools phishing sites, users are typically asked to verify back to the main online auction web site to obtain an access token.
Of course, when they follow through to that site, which warns them that if they do not get the token they will lose all access to the content they originally sought, they end up handing over any information they enter, which could include payment card data, to the attackers.
Beyond looking for typical visual cues that sites are phonies, Symantec recommends the people go the extra step and type the domain name of the auction tool brand directly in their browsers rather than following any links.
If not, bargain hunters just might end up getting more than they originally bargained for.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.