March 09, 2005

DANGEROUS NEW PHISHING ATTACKS: A new phishing email containing the following URL is being sent around. It appears to use eBay's own servers to bounce the user, and whatever the sign-in service hands along, to the attacker's PC. The link as displayed in the email looks innocent enough: https://signin.ebay.com/ws/eBayISAPI.dll?UpdateAgreement

Here's the URL the link actually points to:

https://signin.ebay.com/ws/eBayISAPI.dll?
SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%
2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%
26DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883
(the attacker's PC address has been changed to 127.0.0.1 to protect the stupid)

Note that the link really does send you to eBay's sign-in service! If you click on it, you land on eBay's genuine sign-in page, and clicking on the certificate info confirms that the SSL session is with eBay's normal sign-in service. So what's going on here?
The hacker is using eBay's own scripts against them. The ru parameter is the return URL that the sign-in page sends the browser to once the login succeeds. Here it points at a second eBay script, on cgi4.ebay.com, whose RedirectToDomain command forwards the browser on to whatever DomainUrl names: the attacker's machine at 127.0.0.1 (the real address is in the email), where the script eBayISAPI.php is waiting for the user to arrive. Two eBay hosts are chained into an open redirect, and the victim arrives freshly logged in at a page of the attacker's choosing. Potentially, if eBay's login server is careless enough to append anything about the session to the return URL, that is handed to the attacker as well.

This is a fairly sophisticated phishing attack. The attacker might not even need your password: if the sign-in service carries a session token or other internal authentication code in the return URL, they receive something that lets them act as if they were logged in to your account, by replaying it to other eBay servers in specially formatted HTTP requests.

While I've notified eBay (at spoof@ebay.com), there's a lesson in secure web application design in how this email attack works, and web designers should pay heed to the weaknesses inherent in passing users and credentials from server to server in 'custom' login scripts. At a very minimum, any redirect target supplied in a request should be checked against a pre-approved list of hosts and paths, and that check has to cover the whole chain, because here the first hop is a legitimate eBay host that is itself an open redirector. Credentials or session tokens should never ride along in the redirect URL; if servers genuinely need to hand credentials to each other, they should do it over an authenticated channel (mutually authenticated TLS with client PKI certificates!) rather than through the user's browser.
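To make the redirect chain and the allowlist check concrete, here is an added example (my own code, not eBay's; eBay's ISAPI scripts are not public). It decodes the phishing link above (with 127.0.0.1 standing in for the attacker, as in the post) to list the hosts the browser would be bounced through, then shows a redirect check that rejects it. Assumptions: that ru and DomainUrl are the parameters carrying "send the browser here next" targets (their names come from the link, their meaning from the description above), and a hypothetical allowlist of eBay hosts.

```python
"""Added example: decode a nested redirect chain and validate redirect targets."""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Constructed test input: the link from the post, attacker host replaced
# by 127.0.0.1 exactly as the post did.
PHISH_URL = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?"
    "SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2F"
    "cgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26"
    "DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883"
)

# Assumption: these query parameters name the next redirect target.
# The names are taken from the link itself; the semantics are inferred
# from the post, not from any eBay documentation.
REDIRECT_PARAMS = ("ru", "DomainUrl")

# Hypothetical allowlist of hosts a sign-in service may hand the browser to.
ALLOWED_HOSTS = frozenset({"signin.ebay.com", "cgi4.ebay.com", "www.ebay.com"})

MAX_DEPTH = 5  # bound recursion through nested redirect parameters


def normalize(url: str) -> str:
    """Canonicalize the way browsers do before parsing: trim whitespace and
    treat backslashes as slashes, so "/\\evil" cannot slip past a check."""
    return url.strip().replace("\\", "/")


def next_hops(url: str) -> list[str]:
    """Every redirect target named in url's query string (percent-decoded)."""
    params = parse_qs(urlsplit(normalize(url)).query)
    return [v for name in REDIRECT_PARAMS for v in params.get(name, [])]


def redirect_chain(url: str) -> list[str]:
    """Hosts the browser would visit, in order, following nested redirects."""
    chain: list[str] = []
    queue = [url]
    while queue and len(chain) <= MAX_DEPTH:
        current = queue.pop(0)
        chain.append(urlsplit(normalize(current)).hostname or "(relative)")
        queue.extend(next_hops(current))
    return chain


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS, depth: int = 0) -> bool:
    """Accept only same-site relative paths or http(s) URLs on allowed hosts,
    and reject an allowed host that would itself bounce to a disallowed one."""
    if depth > MAX_DEPTH:
        return False
    target = normalize(target)
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must stay on this site. "//host/" is protocol-relative,
        # not relative, and urlsplit already puts that host in netloc.
        if not target.startswith("/") or target.startswith("//"):
            return False
    else:
        if parts.scheme not in ("http", "https"):   # javascript:, data:, ...
            return False
        if "@" in parts.netloc:                      # https://good.com@evil.com/
            return False
        if (parts.hostname or "").lower() not in allowed_hosts:
            return False
    # The attack above: every hop but the last is on an eBay host, so an
    # allowlist that only checks the first hop would pass it.
    return all(is_safe_redirect(hop, allowed_hosts, depth + 1) for hop in next_hops(target))


if __name__ == "__main__":
    print("chain:", " -> ".join(redirect_chain(PHISH_URL)))
    ru = next_hops(PHISH_URL)[0]
    print("ru parameter:", ru)
    print("safe to follow ru?", is_safe_redirect(ru))
```

Run as a script it prints the three-hop chain signin.ebay.com -> cgi4.ebay.com -> 127.0.0.1 and reports the ru value as unsafe, even though ru itself points at an eBay host. The recursion into nested parameters is the part a plain host allowlist misses; bounding it with MAX_DEPTH keeps a crafted self-referencing URL from looping the check.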


1 comment:

Len said...

Excellent heads up. Precisely the reason why I never click on email links.