Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

5/12/2006
08:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Phishing Gets Phancy

Phishing scams are growing in sophistication, using Javascript to dupe users into giving up the goods

That vintage sofa might not be the only thing you end up grabbing on eBay.

Crafty (alebit sloppy) phishers were recently discovered this week leveraging an eBay feature in which sellers use Javascript in the item description, a feature eBay allows. What's new here among phishing attacks is the way the page renders, depending on the parameters in the request. Without any specific parameter, the item description simply reads "357473301."

The sophistication of phishing schemes also seem to be on the upswing, says Oliver Friedrichs, director of Symantec Security Response. "The use of Javascript and Ajax technologies enables scammers to create technically more convincing schemes," he says. Javascript's ability to handle some basic form and credit card format verification also spells trouble ahead.

According to analysts at Symantec who examined the phished auction item, passing a single parameter, jsc=sig, presents a realistic sign-in page displayed in eBay Phished Auction Item displayed in the screenshot on the right. Figure 2 is a screenshot of a normal eBay login page.

Figure 1: eBay phished auction item
The page looks similar to the eBay login page. Note the URL is not HTTPS, and the missing "Verisign Secured" logo that should be on the bottom right corner.

Figure 2: eBay normal login page
This is the authentic login page. Note the HTTPS in the nav bar and the "VeriSign Secured" logo on the bottom right corner.

As much as an issue for everyday consumers as it for the enterprise, phishing exposes unsuspecting users to identity theft, worms, Trojan downloads, and other malicious actions. Like it or not, phishing is an enterprise security problem because of the potential for loss of valuable, proprietary data.

This trend in email scams continues to gain momentum. The Anti-Phishing Working Group's Activity Trends Report for March 2006, shows a 336 percent increase in the number of unique phishing sites between March 2005 to March 2006. In that same timeframe, the number of unique phishing key loggers grew by 256 percent and the number of unique websites hosting the key loggers grew a whopping 829 percent.

"The actual attack wasn't terribly sophisticated because the scammer made a number of stupid mistakes. But they could easily have made it better," says Bill Shaw, VP for TOPPSoft Computer Solutions. While he suspected it was a phishing email when opening it, his curiosity led him to click through to a fake login page. How could he tell? "The login page is supposed to be a secure page," Shaw notes.

eBay's response
eBay actively combats phishing by educating its users and using technology. The top FAQ How do I know that an email is really from eBay? states unequivocally "eBay will never ask you to provide account numbers, passwords or other sensitive information through email… If you have any doubt that an email really is from eBay, open a new browser window, type www.ebay.com, and sign in." Experts recommend users not to click on links in email regardless of your doubts. You should always type in the address or use your bookmarks.

Shaw, who posted an email to the Full-Disclosure list on April 12 after notifying eBay of the problem, notes "The real issue is the unanswered question of how they [the scammers] managed to get the Javascript code into the auction listing. Ebay normally filters those things out for exactly this reason and this particular scammer managed to get it past the filters."

EBay spokesperson Catherine England, responds "eBay allows users to include Javascript in listings and we will continue to do so. We know some people will abuse that feature, but the risk is minimal and the benefit [of Javascript to users] is great."

Analysts from Symantec counter that Script-injection vulnerabilities like this one are typically viewed as low risk, which in most cases, is an accurate assessment. "However, this class of attack can allow an attacker to take malicious web-based actions in the context of a company's domain. In the case of this particular attack, the ability to render arbitrary JavaScript code allows the attacker to launch phishing attacks within the context of the actual eBay domain," Symantec officials said.

England claims that eBay has a tool bar that alerts users when they are being redirected to another site and when notified of the scam, the eBay team examines the auction to determine the nature of the problem, and if warranted, writes filters to detect malicious listings. She further asserts that "trying to do this more than once is really hard."

That's a pretty lofty claim, as of yesterday, the auction listing was still available, so we grabbed a snapshot. During our discussions with England for this story, we told her the item number and the auction was subsequently removed from eBay.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story:

  • Anti-Phishing Working Group
  • eBay Inc. (Nasdaq: EBAY)
  • Symantec Corp. (Nasdaq: SYMC)
  • TOPPSoft Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Black Hat Q&A: Hacking a '90s Sports Car
    Black Hat Staff, ,  11/7/2019
    The Cold Truth about Cyber Insurance
    Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
    6 Small-Business Password Managers
    Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprise
    Assessing Cybersecurity Risk in Today's Enterprise
    Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2011-5271
    PUBLISHED: 2019-11-12
    Pacemaker before 1.1.6 configure script creates temporary files insecurely
    CVE-2014-3599
    PUBLISHED: 2019-11-12
    HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
    CVE-2014-7143
    PUBLISHED: 2019-11-12
    Python Twisted 14.0 trustRoot is not respected in HTTP client
    CVE-2018-18819
    PUBLISHED: 2019-11-12
    A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creat...
    CVE-2019-18658
    PUBLISHED: 2019-11-12
    In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlin...