RE: eBay Account Phishing with eBay Redirect
You may want to be careful about following links like this. I have read that
part of the problem is, even if you load bogus information or no information
at all, these sites will drop keyloggers, Trojans, etc. on your machine.
Just their way of saying 'Thanks for dropping by'....    :(
Thomas T. Evans, III CCNA
Senior Network Manager
Hawk Corporation
ttevans@xxxxxxxxxxxx
216-267-7787 Ext. 500
Cell: 440-669-2526
Fax: 917-464-7241
President, MFG/Pro Midwest User Group
"The difference between genius and stupidity is genius has limits" -- Albert
Einstein
-----Original Message-----
From: Jonathan Rockway [mailto:jrockw2@xxxxxxx] 
Sent: Monday, February 14, 2005 7:25 PM
To: bugtraq@xxxxxxxxxxxxxxxxx; Josh Tolley
Subject: Re: eBay Account Phishing with eBay Redirect
I just tried this out and it worked for me.  I got a page asking for a  
login name and made up a login name and password.  After ``logging  
in'', I got a page asking for my address, phone, CCN, bank information,  
etc.  (They ask for everything!  ATM PIN, SSN, DOB, etc... who would  
actually provide this to the real eBay!?)
After I submitted my fake data, it redirected me to the real eBay login.
Regards,
Jonathan Rockway
On 14 Feb 2005, at 1:08 PM, Josh Tolley wrote:
> I just tried this with my own URL, and eBay didn't forward me to some  
> other site. Perhaps they've plugged this already?
>
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> 760 509 9000
>
> Steven wrote:
>> I am not sure if this is better served by incidents or bugtraq, but  
>> in any event here it is.  I frequently get the fake looking e-mails  
>> phishing for my Paypal, eBay, and banking login/password information.  
>>  Generally the links to the spoofed webpages are just links to a fake  
>> page with a modified A HREF tag.  However, it appears someone has  
>> found that eBay's actual page has a command to redirect to a  
>> specified webpage.  While this shouldn't be a big risk, it still  
>> poses a small one and is being actively exploitated.
>> The page actually appears to link to eBay and it does, the link below  
>> is the one I received in my inbox recently.
>> http://cgi4.ebay.com/ws/eBayISAPI.dll? 
>> MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%3 
>> 1%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DA 
>> AJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrfer 
>> HCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh Simply:
>> http://cgi4.ebay.com/ws/eBayISAPI.dll? 
>> MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com Steven
>> steven@xxxxxxxxxxx
>>
-- 
Jonathan Rockway <jrockw2@xxxxxxx>
http://www.uic.edu/~jrockw2/