Comments on: eBay scrambles to fix phishing bug
Criminals could use software bug to create a valid eBay link in scam to rip off people's identity info, auction giant says.
- Detecting phishing
- by March 5, 2005 4:31 AM PST
- I take a small exception to the idea that 'it is hard to detect a phishing scam'. It is incredibly simple. If the email asks for information that a person never provided to the company when setting up an account then it is a fraudulent email and not at all hard to detect. Perhaps the real problem is that consumers need to educate themselves instead of just obliviously clicking on every URL that comes their way.
- It's not necessarily that simple
- by March 6, 2005 12:59 PM PST
- Clayton Miner said, "If the email asks for information that a
person never provided to the company when setting up an
account then it is a fraudulent email and not at all hard to
detect." The problem is, this isn't always what happens -- in
many cases, phishing scam e-mails will ask the end user to re-
confirm data that they DID in fact supply to the company when
they initially set their account up. The problem is, there are
many web-related services that do legitimately ask users to
periodically reconfirm their information (although typically, such
sites will pre-populate the web form with the data that they
already have -- this way, the end user can only change the data
that needs to be changed).
I personally have received a phishing scam e-mail which
specifically uses the security exploit documented in this C|Net
article! The e-mail very nearly fooled me, but there were telltale
signs that it was bogus. The people putting these e-mail
messages together are very clever, and they are getting more
clever every day.
The real story here is that eBay had a gaping security hole that
should have been closed years ago. Allowing someone to
specify a redirection URL inside a legitimate eBay URL is a
serious security flaw, and eBay should have either disallowed
redirection to sites in other domains, or at the very least, they
should have instituted some kind of white-list policy prohibiting
redirection to any site not on their white-list.
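
The white-list policy proposed in the comment above, sketched as an added example (not part of the original comment and not eBay's code): a redirect parameter is honoured only when it is a same-site path or an https URL whose host is on an explicit list. The host names, `FALLBACK` and `safe_redirect_target` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed host names for illustration; a real deployment lists its own.
ALLOWED_HOSTS = {"www.example-auction.test", "signin.example-auction.test"}
FALLBACK = "/"  # where the user is sent when the requested target is rejected


def safe_redirect_target(raw: str) -> str:
    """Return raw if it is a same-site path or an allow-listed https URL."""
    # Backslashes, spaces and control characters are normalised differently
    # by browsers and by URL parsers, so refuse them outright.
    if not raw or "\\" in raw or any(ord(c) <= 0x20 for c in raw):
        return FALLBACK
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a single-slash absolute path.
        # A leading "//" is protocol-relative and leaves the site.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return FALLBACK
    if parts.scheme != "https":
        return FALLBACK
    # "https://trusted@other-host/" puts the trusted name in the userinfo
    # part; the real host is what follows the "@".
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    if port not in (None, 443):
        return FALLBACK
    # Exact match only: suffix or substring tests admit look-alike hosts.
    return raw if parts.hostname in ALLOWED_HOSTS else FALLBACK


if __name__ == "__main__":
    for candidate in ("/my/account", "//evil.test/login",
                      "https://signin.example-auction.test/login",
                      "https://www.example-auction.test.evil.test/"):
        print(candidate, "->", safe_redirect_target(candidate))
```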