Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

5/12/2006
08:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Phishing Gets Phancy

Phishing scams are growing in sophistication, using Javascript to dupe users into giving up the goods

That vintage sofa might not be the only thing you end up grabbing on eBay.

Crafty (alebit sloppy) phishers were recently discovered this week leveraging an eBay feature in which sellers use Javascript in the item description, a feature eBay allows. What's new here among phishing attacks is the way the page renders, depending on the parameters in the request. Without any specific parameter, the item description simply reads "357473301."

The sophistication of phishing schemes also seem to be on the upswing, says Oliver Friedrichs, director of Symantec Security Response. "The use of Javascript and Ajax technologies enables scammers to create technically more convincing schemes," he says. Javascript's ability to handle some basic form and credit card format verification also spells trouble ahead.

According to analysts at Symantec who examined the phished auction item, passing a single parameter, jsc=sig, presents a realistic sign-in page displayed in eBay Phished Auction Item displayed in the screenshot on the right. Figure 2 is a screenshot of a normal eBay login page.

Figure 1: eBay phished auction item
The page looks similar to the eBay login page. Note the URL is not HTTPS, and the missing "Verisign Secured" logo that should be on the bottom right corner.

Figure 2: eBay normal login page
This is the authentic login page. Note the HTTPS in the nav bar and the "VeriSign Secured" logo on the bottom right corner.

As much as an issue for everyday consumers as it for the enterprise, phishing exposes unsuspecting users to identity theft, worms, Trojan downloads, and other malicious actions. Like it or not, phishing is an enterprise security problem because of the potential for loss of valuable, proprietary data.

This trend in email scams continues to gain momentum. The Anti-Phishing Working Group's Activity Trends Report for March 2006, shows a 336 percent increase in the number of unique phishing sites between March 2005 to March 2006. In that same timeframe, the number of unique phishing key loggers grew by 256 percent and the number of unique websites hosting the key loggers grew a whopping 829 percent.

"The actual attack wasn't terribly sophisticated because the scammer made a number of stupid mistakes. But they could easily have made it better," says Bill Shaw, VP for TOPPSoft Computer Solutions. While he suspected it was a phishing email when opening it, his curiosity led him to click through to a fake login page. How could he tell? "The login page is supposed to be a secure page," Shaw notes.

eBay's response
eBay actively combats phishing by educating its users and using technology. The top FAQ How do I know that an email is really from eBay? states unequivocally "eBay will never ask you to provide account numbers, passwords or other sensitive information through email… If you have any doubt that an email really is from eBay, open a new browser window, type www.ebay.com, and sign in." Experts recommend users not to click on links in email regardless of your doubts. You should always type in the address or use your bookmarks.

Shaw, who posted an email to the Full-Disclosure list on April 12 after notifying eBay of the problem, notes "The real issue is the unanswered question of how they [the scammers] managed to get the Javascript code into the auction listing. Ebay normally filters those things out for exactly this reason and this particular scammer managed to get it past the filters."

EBay spokesperson Catherine England, responds "eBay allows users to include Javascript in listings and we will continue to do so. We know some people will abuse that feature, but the risk is minimal and the benefit [of Javascript to users] is great."

Analysts from Symantec counter that Script-injection vulnerabilities like this one are typically viewed as low risk, which in most cases, is an accurate assessment. "However, this class of attack can allow an attacker to take malicious web-based actions in the context of a company's domain. In the case of this particular attack, the ability to render arbitrary JavaScript code allows the attacker to launch phishing attacks within the context of the actual eBay domain," Symantec officials said.

England claims that eBay has a tool bar that alerts users when they are being redirected to another site and when notified of the scam, the eBay team examines the auction to determine the nature of the problem, and if warranted, writes filters to detect malicious listings. She further asserts that "trying to do this more than once is really hard."

That's a pretty lofty claim, as of yesterday, the auction listing was still available, so we grabbed a snapshot. During our discussions with England for this story, we told her the item number and the auction was subsequently removed from eBay.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story:

  • Anti-Phishing Working Group
  • eBay Inc. (Nasdaq: EBAY)
  • Symantec Corp. (Nasdaq: SYMC)
  • TOPPSoft Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    Commentary
    Ransomware Is Not the Problem
    Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
    Edge-DRsplash-11-edge-ask-the-experts
    How Can I Test the Security of My Home-Office Employees' Routers?
    John Bock, Senior Research Scientist,  6/7/2021
    News
    New Ransomware Group Claiming Connection to REvil Gang Surfaces
    Jai Vijayan, Contributing Writer,  6/10/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: Zero Trust doesn't have to break your budget!
    Current Issue
    The State of Cybersecurity Incident Response
    In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-34812
    PUBLISHED: 2021-06-18
    Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
    CVE-2021-34808
    PUBLISHED: 2021-06-18
    Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
    CVE-2021-34809
    PUBLISHED: 2021-06-18
    Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
    CVE-2021-34810
    PUBLISHED: 2021-06-18
    Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
    CVE-2021-34811
    PUBLISHED: 2021-06-18
    Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.