Ebay Phishing Scam Using Ebay's Own Servers

[David Farber <dave () farber net>]

------ Forwarded Message
From: Howard Durdle <howard () durdle com>
Date: Wed, 23 Feb 2005 09:12:01 +0000
To: <dave () farber net>
Subject: Ebay Phishing Scam Using Ebay's Own Servers


Dave,

A warning (for IP if you wish).

The eBay scammers are now using eBay's own servers to facilitate phishing
attacks.

This URL:
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&Domai
nUrl=%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%64%75%72%64%6C%65%2E%63%6F%6D%2F

Is served from the real ebay.com and will look quite valid to any user.

That escaped sequence of characters at the end is just my blog's domain
name: http://blog.durdle.com obfuscated.  The original email I received had
an attackers IP address encoded in the URL.  Anyone visiting that address
will first hit eBay's server before being bounced to my blog (or an
attacker's page).

So, we can't even trust URLs that are served from the real domain anymore.
eBay are aware but have no fix at the moment.

Best regards,

Howard Durdle

-- 
Howard Durdle
howard () durdle com
http://durdle.com


------ End of Forwarded Message


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/