Online auctioneer eBay, a prime target for phishing schemes, has been used as an unwitting accomplice. A flaw in eBays server configuration paves the way for spoofing attacks when a specially crafted URL, which is a valid eBay link, is used to redirect users to a malicious Web site.
eBay was made aware of the issue several days ago, but has not yet corrected the problem, which can be used to exploit the trust relationship between eBay and its users.
Phishing is the designation given to a class of socially engineered attacks—generally carried out via e-mail—that steal consumers passwords, credit card numbers and other personally identifiable information.
According to examples viewed by BetaNews, the eBay redirect has been used by phishers to make fake Web pages including login forms, defacements, false press releases and other sham Web sites.
“It certainly adds some credibility to phishing e-mails. But scammers have used other types of URL redirection for a long time,” said Brian McWilliams, author of “Spam Kings.”
“At the moment, I guess it would be wise to tell the user to look at the URL before and after they click. Just to be extra sure,” said Internet security expert Jeremiah Grossman.
“The problem is the redirect landed the user on an IP addressed page. Is the average user really expected to make a good decision here? I believe phishing is a problem that needs a solution well beyond people looking at URLs. Its obviously not working.”