March 4, 2005 2:53 PM PST

eBay scrambles to fix phishing bug

eBay is fighting to repair a software glitch that opens the door to phishing attacks using one of its own legitimate URLs.

The online auction giant is working on a fix for the problem, and it hopes to distribute that fix among its Web pages in the next several days, a company representative said on Friday. The problem, described by the company as a "software bug," could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site, the representative said.


eBay is one of the most popular targets of phishing schemes, which typically use e-mail messages that look like they come from a trusted service provider to dupe people into visiting a malicious Web site. The fraudulent site appears to be legitimate, but has been set up to steal the victim's personal information, such as a credit card number, which could then be used to commit identity fraud.

The company, based in San Jose, Calif., has repeatedly warned its customers not to respond to such e-mails, and has even adopted a messaging system to eliminate the need for most e-mail correspondence with its registered members.

This latest phishing issue for eBay differs in that it uses a legitimate URL to hook victims and send them to a malicious site. The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.

It is becoming significantly harder to discern phishing attempts from legitimate e-mail and Web pages, eBay spokesman Hani Durzy said in previous interviews with CNET News.com. He said that the company is working hard to put down fraudulent e-mail campaigns and sites before consumers can be tricked into giving over their data.

"We've done a lot in the eBay community to try and educate people how to identify a phishing e-mail or site, but it's becoming increasingly harder to do so just by eyeballing something," Durzy said. "Because education only goes so far, we're also working on technology solutions that could help protect against these kind of attacks."

The number of phishing threats aimed at the company has "exploded" over the last year or so, Durzy noted. He has indicated that he believes the problem is not likely to slow down anytime soon.

"People have become more aware of phishing, but the bad guys have become much better at it, so it's not going to go away overnight," Durzy said. "The key for us is really about educating Internet users to protect themselves in the same ways they do offline."

3 comments

Detecting phishing
I take a small exception to the idea that 'it is hard to detect a phishing scam'. It is incredibly simple. If the email asks for information that a person never provided to the company when setting up an account then it is a fraudulent email and not at all hard to detect. Perhaps the real problem is that consumers need to educate themselves instead of just obliviously clicking on every URL that comes their way.
It's not necessarily that simple
Clayton Miner said, "If the email asks for information that a person never provided to the company when setting up an account then it is a fraudulent email and not at all hard to detect." The problem is, this isn't always what happens -- in many cases, phishing scam e-mails will ask the end user to reconfirm data that they DID in fact supply to the company when they initially set their account up. The problem is, there are many web-related services that do legitimately ask users to periodically reconfirm their information (although typically, such sites will pre-populate the web form with the data that they already have -- this way, the end user can only change the data that needs to be changed).

I personally have received a phishing scam e-mail which specifically uses the security exploit documented in this C|Net article! The e-mail very nearly fooled me, but there were telltale signs that it was bogus. The people putting these e-mail messages together are very clever, and they are getting more clever every day.

The real story here is that eBay had a gaping security hole that should have been closed years ago. Allowing someone to specify a redirection URL inside a legitimate eBay URL is a serious security flaw, and eBay should have either disallowed redirection to sites in other domains, or at the very least, they should have instituted some kind of white-list policy prohibiting redirection to any site not on their white-list.
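The white-list policy the commenter proposes, shown as an added Python example (not code from the article, the commenter, or eBay): the unchecked redirect of the kind the article describes sits beside a version that parses the requested target and refuses anything whose host is not on a fixed list. The hosts (shop.example, signin.shop.example, phisher.invalid) and the sample inputs are constructed for illustration and assume nothing about eBay's actual pages.

```python
"""Open-redirect check: the unchecked form beside an allowlist-based one.

Constructed for this example; the hosts below are placeholders, not eBay's.
"""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical first-party hosts and landing page (constructed, not real).
PRIMARY_HOST = "shop.example"
ALLOWED_HOSTS = {PRIMARY_HOST, "signin.shop.example"}
DEFAULT_LANDING = f"https://{PRIMARY_HOST}/"


def unsafe_redirect_target(next_param: str) -> str:
    """The flawed pattern: the redirect goes wherever the query parameter says,
    so a link on the legitimate host can land the user on any other site."""
    return next_param


def safe_redirect_target(next_param: str) -> str:
    """Return a redirect target that is always on an allowlisted host.

    Anything that cannot be proven first-party falls back to DEFAULT_LANDING:
    non-http(s) schemes, credentials in the authority, unknown hosts
    (including look-alike subdomains of other domains), protocol-relative
    '//host' forms, and backslash variants some browsers read as '//'.
    """
    candidate = (next_param or "").strip().replace("\\", "/")
    if not candidate:
        return DEFAULT_LANDING

    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets
        return DEFAULT_LANDING

    # Reject javascript:, data:, and every other non-web scheme outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_LANDING

    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be on the allowlist,
        # and 'https://shop.example@phisher.invalid' style userinfo is refused.
        if parts.username is not None or parts.password is not None:
            return DEFAULT_LANDING
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return DEFAULT_LANDING
        # Rebuild from validated pieces; this also drops any port and forces https.
        return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))

    # No authority: accept only a site-relative path with a single leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_LANDING
    return urlunsplit(("https", PRIMARY_HOST, parts.path, parts.query, parts.fragment))


# Constructed inputs of the kinds a redirect endpoint sees, good and bad.
SAMPLE_TARGETS = [
    "/account/settings?tab=1",
    "https://signin.shop.example/login",
    "http://shop.example:8080/orders",
    "//phisher.invalid/login",
    "/\\phisher.invalid/login",
    "https://shop.example@phisher.invalid/",
    "https://shop.example.phisher.invalid/",
    "javascript:alert(1)",
    "",
]


def compare_all(targets=SAMPLE_TARGETS) -> dict:
    """Map each input to (unchecked result, allowlisted result) for review."""
    return {t: (unsafe_redirect_target(t), safe_redirect_target(t)) for t in targets}


if __name__ == "__main__":
    for target, (unsafe, safe) in compare_all().items():
        print(f"{target!r:42} unchecked -> {unsafe!r:42} allowlisted -> {safe!r}")
```

Run it directly to see each input beside both results. Rebuilding the URL from the parsed pieces, rather than echoing the original string once a check has passed, is what keeps userinfo, ports and backslash variants from surviving into the Location header; a substring test such as "contains shop.example" would pass several of the rejected inputs above.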