
Gone phishing with eBay

Why is there a naked woman in that Bentley?


There I was, on Monday night, scanning eBay for car bits. This is not a problem. I have this under complete control. I can give up buying worn out parts and rusty bits of bodywork at any time. Really.

Anyway, I spotted a real bargain, a 2007 Bentley Continental for 0.01 GBP. Since these usually retail for something in the region of £135,000 I felt that this represented a considerable saving.

Unusually for the vendor of such a prestigious vehicle, the lister had decided to post an image of a young lady in place of the car itself. I reasoned that perhaps this was his daughter and the picture was meant to show that his family also loved the car.

Screenshot showing the Bentley advert.

True, my theory didn’t entirely explain why she was naked to the waist but I clicked on the link anyway, hoping to acquire a bargain.

Several screens flashed before my eyes (unnervingly like my life going past) and then good old IE7 told me that I was about to be phished. It was quite correct: I was very phished (or, as we say in the UK, phished off). How come I could be browsing eBay one moment and phished the next?

Screenshot showing the phishing alert.

The URL is:

http://ww.eb4y.cgl-bin.confirm-verify.534413cfg5.valid.i8.com/main.html?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=&SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=
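The URL above is a textbook lookalike: the only part a browser actually resolves is the registered domain at the right-hand end (i8.com), while the left-hand labels are stuffed with eBay-flavoured tokens (eb4y, cgl-bin, confirm-verify) and the query string copies the parameter names of a real sign-in page. The following script is an added example, not part of the original article, showing how a defender's filter can pull those signals apart. The allowlist of genuine eBay hosts, the brand-token list, the tiny stand-in for the Public Suffix List and the comparison sign-in URL are all assumptions; the phishing URL itself is the one quoted above.

```python
"""Added example (not from the original article): flag lookalike URLs by
separating the registered domain from the decorative subdomain labels."""
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts considered genuine for this brand.
GENUINE_SUFFIXES = ("ebay.com", "ebay.co.uk")

# Assumption: tokens a phisher uses to make a hostname look like the brand.
# Order matters only for the order in which findings are reported.
BRAND_TOKENS = ("ebay", "eb4y", "cgi-bin", "cgl-bin", "signin", "confirm", "verify")

# Tiny stand-in for the Public Suffix List; a real filter would use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# The URL quoted in the article.
PHISH_URL = (
    "http://ww.eb4y.cgl-bin.confirm-verify.534413cfg5.valid.i8.com/main.html?"
    "SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru="
    "&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm="
    "&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=&SignIn&co_partnerId=2"
    "&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg="
    "&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType="
    "&existingEmail=&isCheckout=&migrateVisitor="
)

# Constructed comparison value (assumed shape of a genuine sign-in URL).
GENUINE_URL = "https://signin.ebay.co.uk/ws/eBayISAPI.dll?SignIn"


def registered_domain(host: str) -> str:
    """Return the part of the hostname the owner actually controls."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def is_genuine(host: str) -> bool:
    """True only if the host is the brand's domain or a subdomain of it."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in GENUINE_SUFFIXES)


def analyse(url: str) -> dict:
    """Break a URL into the signals a phishing filter cares about."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    # Everything left of the registered domain is free text for the attacker.
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    tokens = [t for t in BRAND_TOKENS if t in subdomain.lower()]
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "host": host,
        "registered_domain": reg,
        "genuine": is_genuine(host),
        "brand_tokens_in_subdomain": tokens,
        "uses_https": parts.scheme == "https",
        # Brand tokens in the subdomain of a non-brand domain is the classic tell.
        "suspicious": (not is_genuine(host)) and bool(tokens),
        "query_keys": keys,
        # The article's URL repeats its whole parameter list; a genuine page would not.
        "duplicate_query_keys": sorted({k for k in keys if keys.count(k) > 1}),
    }


if __name__ == "__main__":
    for u in (PHISH_URL, GENUINE_URL):
        r = analyse(u)
        print(f"{r['host']} -> registered {r['registered_domain']}, "
              f"suspicious={r['suspicious']}, tokens={r['brand_tokens_in_subdomain']}")
```

The decisive check is `registered_domain` against an allowlist; matching on brand tokens alone would also flag legitimate third parties, so the two are combined rather than either used on its own.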

My journalistic instincts were, inevitably, hooked and I decided to investigate but first, I reported the incident to eBay to try to ensure that other poor fish were not landed in the same way. The time was 21:54.

The first step was to try to isolate the problem – was it my machine or eBay? I emailed one of my long-suffering Reg Developer editors (David Norfolk) who, despite the time, obligingly tried the same listing and got the same result. So, it could be malicious code on the PC, but both David and I would have to be infected in the same way; possible, but unlikely.

By repeatedly pressing PrtScr I managed to obtain a screenshot of the listing itself as it flashed past.

Screenshot showing the listing itself.

For those without a microscope, the bottom of the screen reads as:

Screenshot showing detail from Figure 3.

We’ve blanked the identity of the ‘seller’ because it is highly likely that he/she is innocent and the account was hijacked (see the response from eBay below).

Question - How do you hijack an eBay account in order to go phishing?

Answer - By phishing.

(Dictionary definition of recursion - see recursion.)

A little more investigation showed that the listings weren’t just aimed at potential Bentley owners.

Screenshot showing more dud adverts.

At about 00:15 Tuesday morning the listings finally disappeared.

Naturally, we were keen to find out what had happened: we had some evidence, including the source code of the original page, so we contacted eBay. The company’s response was interesting. We first contacted it on Tuesday and, despite repeated requests, found it very difficult to get any hard information.

Eventually, on Friday afternoon, as we were going to press, we received the following:

“In this particular case, a genuine user's eBay account was taken over by fraudsters who attempted to use it to post fraudulent listings. eBay’s systems identified the fraudulent listing and eBay’s customer support team moved quickly to remove it from the site and restore the account to its rightful owner. eBay takes any threat to the security of its users extremely seriously and we also work closely with ISPs and law enforcement to bring down the spoof websites we identify.”

It would appear that this statement corroborates what we observed; nevertheless it is worth examining the statement in detail.

For a start, whilst it is true to say “fraudsters who attempted … to post fraudulent listing”, more information is conveyed by the equally true statement “fraudsters who succeeded … in posting fraudulent listings”.

Secondly, there is no information here about the eBay systems that identified the fraudulent listing. Is it simply the feedback from users or are there also algorithmic systems that prowl the system looking for naughtiness?

Let’s assume for a minute that eBay does have effective internal systems for detecting fraudulent listings. In that case it would be far, far better for the users of eBay if these ran proactively, before the listing was posted. If on the other hand eBay doesn’t have such systems and relies on user feedback to identify fraudulent listings, the implication is that we can expect fraudulent listings to be up for an unknown period of time before removal. As a user of eBay are you happy about this? I’m not.

Thirdly, it took eBay at least two hours to respond to this after it was reported. Do you consider this to be moving “quickly”?

As we were trying to find out exactly what had happened, an apparently related incident was also brewing.

The bottom line is that the evidence we have seen suggests that it may be possible for users to post listings on eBay that redirect off the site.
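The proactive check argued for above is mechanically simple: before a listing goes live, walk its HTML and report anything that would send the visitor off the site. The script below is an added example, not code from the article or from eBay, and the listing HTML it scans is constructed for the example (its off-site hosts use the reserved .invalid domain). The allowlist of on-site hosts is an assumption; which constructs count as redirects (links, form actions, frames, meta refresh and inline-script location assignments) is the example's own choice.

```python
"""Added example (not from the original article): find off-site redirects
in listing HTML before the listing is published."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts a listing may legitimately point at.
ALLOWED_SUFFIXES = ("ebay.com", "ebay.co.uk", "ebayimg.com")

# Constructed sample listing: one allowed image link, one relative link and
# three different ways of pushing the visitor somewhere else.
SAMPLE_LISTING = """
<html><head>
<meta http-equiv="refresh" content="0; url=http://ww.eb4y.example.invalid/main.html?SignIn">
</head><body>
<a href="http://pics.ebayimg.com/photo.jpg">Photo</a>
<a href="http://ww.eb4y.example.invalid/main.html?SignIn"><img src="http://pics.ebayimg.com/car.jpg"></a>
<a href="/itm/12345">Similar items</a>
<script>window.location = "http://login.example.invalid/";</script>
</body></html>
"""

_META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
_JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)")


class _RedirectCollector(HTMLParser):
    """Collect every attribute or script statement that names a destination."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.findings.append(("a.href", a["href"]))
        elif tag == "form" and a.get("action"):
            self.findings.append(("form.action", a["action"]))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.findings.append((tag + ".src", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.findings.append(("meta.refresh", m.group(1)))

    def handle_data(self, data):
        # Script bodies arrive here; catch location assignments to literals.
        for m in _JS_LOCATION.finditer(data):
            self.findings.append(("script.location", m.group(1)))


def off_site(url: str) -> bool:
    """True if the URL's host is outside the allowlist (relative URLs stay on-site)."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    return not any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def scan_listing(html: str) -> list:
    """Return the (kind, url) pairs in the listing that leave the site."""
    p = _RedirectCollector()
    p.feed(html)
    p.close()
    return [(kind, url) for kind, url in p.findings if off_site(url)]


if __name__ == "__main__":
    for kind, url in scan_listing(SAMPLE_LISTING):
        print(f"off-site {kind}: {url}")
```

A real pre-publication filter would also decode entity-encoded and obfuscated script, but even this literal-only pass catches the three mechanisms in the sample while leaving the relative link and the image host alone.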

It ought to go without saying, but we’ll do it anyway. Be careful out there.
