Here's the code for the attacking link:
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883
(hacker PC address changed to protect the stupid)
Note that the link really does send you to eBay's sign-in service. If you click it, you land on eBay's genuine sign-in page, and clicking Certificate Info confirms that the SSL session is being held with eBay's normal sign-in server. So what's going on here?
The hacker is using eBay's own scripts against it. The ru parameter is the return URL that eBay's sign-in page sends the browser to afterwards, and here it is itself another eBay script: the RedirectToDomain command on cgi4.ebay.com, whose DomainUrl parameter points at the hacker's PC at 127.0.0.1 (the real hacker address is in the email), where a script named eBayISAPI.php, to look like eBay's own handler, is waiting for the user to arrive. Potentially, if eBay's login server is careless enough, it will pass the user's credentials along to that redirected URL.
This is a fairly sophisticated phishing attack: a redirect on a trusted domain, so the link, the page and the certificate are all genuinely eBay's until the final hop. The hacker might not even need your password. If the sign-in server hands a session token or internal authentication code along with the redirect, they can act as if they were logged in to your account by passing that token on to other eBay servers in specially formatted HTTP requests.
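As an added example that is not part of the original post: a small Python script that unwraps the nested redirect parameters in a link like the one above (a constructed copy, with the hacker's host left as 127.0.0.1 as in the post) and flags the first hop that leaves eBay's domain, followed by the return-URL check a sign-in service should apply so that ru cannot be pointed off-site. The parameter names beyond ru and DomainUrl, the trusted-suffix list and the function names are assumptions, not eBay's code.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the phishing link from the post (hacker host left as 127.0.0.1).
PHISH_URL = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?"
    "SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%"
    "2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%"
    "26DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883"
)

# Query parameters that carry a "send the browser here next" value.
# ru and DomainUrl are the two used in the link; the rest are assumed generic names.
REDIRECT_PARAMS = ("ru", "DomainUrl", "url", "redirect", "return", "next")


def redirect_chain(url, max_hops=10):
    """Unwrap nested redirect parameters and return every hop as (hostname, url).

    Each level of the chain is percent-encoded once more than the level outside
    it (%3A%2F%2F for ://, %26 for &), so one parse_qs per hop decodes exactly
    one layer."""
    chain = []
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        chain.append((parts.hostname, current))
        params = parse_qs(parts.query, keep_blank_values=True)
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                if value.lower().startswith(("http://", "https://")):
                    nxt = value
                    break
            if nxt:
                break
        if nxt is None:
            return chain
        current = nxt
    return chain


def is_trusted_host(host, trusted_suffixes):
    """True if host is one of the trusted domains or a subdomain of one."""
    if not host:
        return False
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def off_site_destination(url, trusted_suffixes=("ebay.com",)):
    """Return the first hop whose host is outside the trusted domains, or None."""
    for host, hop in redirect_chain(url):
        if not is_trusted_host(host, trusted_suffixes):
            return hop
    return None


def safe_return_url(ru, site_host="signin.ebay.com"):
    """Server-side check for a return-URL parameter (assumed policy): accept only
    a relative path on this site, or an absolute https URL on this exact host.
    Rejects protocol-relative (//host) and backslash tricks, and any other host."""
    if "\\" in ru:
        return False
    parts = urlsplit(ru)
    if parts.scheme == "" and parts.netloc == "":
        return ru.startswith("/") and not ru.startswith("//")
    return parts.scheme == "https" and parts.hostname == site_host


if __name__ == "__main__":
    for host, hop in redirect_chain(PHISH_URL):
        print(f"{host}: {hop}")
    print("leaves eBay at:", off_site_destination(PHISH_URL))
```

Running it prints the three hops (signin.ebay.com, then cgi4.ebay.com, then 127.0.0.1) and names the final off-site URL; the same decoded inner ru value fails safe_return_url because it is an http URL on a different host than the sign-in server.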
While I've notified eBay (at
1 comment:
Excellent heads up. Precisely the reason why I never click on email links.