5/12/2006
08:30 AM

Phishing Gets Phancy

Phishing scams are growing in sophistication, using JavaScript to dupe users into giving up the goods

That vintage sofa might not be the only thing you end up grabbing on eBay.

Crafty (albeit sloppy) phishers were discovered this week leveraging an eBay feature that lets sellers use JavaScript in the item description. What's new here among phishing attacks is the way the page renders, depending on the parameters in the request. Without any specific parameter, the item description simply reads "357473301."

The sophistication of phishing schemes also seems to be on the upswing, says Oliver Friedrichs, director of Symantec Security Response. "The use of JavaScript and Ajax technologies enables scammers to create technically more convincing schemes," he says. JavaScript's ability to handle some basic form and credit card format verification also spells trouble ahead.

According to analysts at Symantec who examined the phished auction item, passing a single parameter, jsc=sig, presents a realistic sign-in page, shown in Figure 1. Figure 2 is a screenshot of a normal eBay login page.

Figure 1: eBay phished auction item
The page looks similar to the eBay login page. Note that the URL is not HTTPS and that the "VeriSign Secured" logo, which should be in the bottom right corner, is missing.

Figure 2: eBay normal login page
This is the authentic login page. Note the HTTPS in the nav bar and the "VeriSign Secured" logo on the bottom right corner.

As much an issue for everyday consumers as it is for the enterprise, phishing exposes unsuspecting users to identity theft, worms, Trojan downloads, and other malicious actions. Like it or not, phishing is an enterprise security problem because of the potential for loss of valuable, proprietary data.

This trend in email scams continues to gain momentum. The Anti-Phishing Working Group's Activity Trends Report for March 2006 shows a 336 percent increase in the number of unique phishing sites between March 2005 and March 2006. In that same timeframe, the number of unique phishing key loggers grew by 256 percent and the number of unique websites hosting the key loggers grew a whopping 829 percent.

"The actual attack wasn't terribly sophisticated because the scammer made a number of stupid mistakes. But they could easily have made it better," says Bill Shaw, VP for TOPPSoft Computer Solutions. While he suspected it was a phishing email when opening it, his curiosity led him to click through to a fake login page. How could he tell? "The login page is supposed to be a secure page," Shaw notes.

eBay's response
eBay actively combats phishing by educating its users and using technology. The top FAQ, "How do I know that an email is really from eBay?", states unequivocally, "eBay will never ask you to provide account numbers, passwords or other sensitive information through email… If you have any doubt that an email really is from eBay, open a new browser window, type www.ebay.com, and sign in." Experts recommend that users not click on links in email, regardless of any doubts. Always type in the address or use your bookmarks.

Shaw, who posted an email to the Full-Disclosure list on April 12 after notifying eBay of the problem, notes, "The real issue is the unanswered question of how they [the scammers] managed to get the JavaScript code into the auction listing. eBay normally filters those things out for exactly this reason and this particular scammer managed to get it past the filters."

eBay spokesperson Catherine England responds, "eBay allows users to include JavaScript in listings and we will continue to do so. We know some people will abuse that feature, but the risk is minimal and the benefit [of JavaScript to users] is great."

Analysts from Symantec counter that script-injection vulnerabilities like this one are typically viewed as low risk, which, in most cases, is an accurate assessment. "However, this class of attack can allow an attacker to take malicious web-based actions in the context of a company's domain. In the case of this particular attack, the ability to render arbitrary JavaScript code allows the attacker to launch phishing attacks within the context of the actual eBay domain," Symantec officials said.

England claims that eBay has a toolbar that alerts users when they are being redirected to another site, and that when notified of a scam, the eBay team examines the auction to determine the nature of the problem and, if warranted, writes filters to detect malicious listings. She further asserts that "trying to do this more than once is really hard."

That's a pretty lofty claim: as of yesterday, the auction listing was still available, so we grabbed a snapshot. During our discussions with England for this story, we told her the item number and the auction was subsequently removed from eBay.
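The kind of listing filter England describes, sketched as an added example (not eBay's or Symantec's code): it flags descriptions whose inline script reads the request URL and that can also produce a password field, the combination Symantec's analysts observed. The function names, finding labels and sample listings are constructed for illustration.

```javascript
// Heuristic review filter for user-supplied listing HTML (added example).
// It flags descriptions whose script branches on the request URL and that can
// also produce a password field, the two traits of the listing described above.

// Script APIs that expose the request URL or its parameters to page script.
const URL_READS = /\b(?:location\.(?:search|href|hash)|document\.(?:URL|location)|URLSearchParams)\b/;
// A password input, whether present in markup or built inside a script string.
const PASSWORD_FIELD = /<input\b[^>]*\btype\s*=\s*\\?["']?password\b/i;
// Script sinks that can replace what the visitor sees.
const DOM_WRITES = /\b(?:document\.write(?:ln)?|innerHTML|outerHTML|insertAdjacentHTML)\b/;

// Return the bodies of all inline <script> elements in the description.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Classify one listing description; returns the findings plus a verdict.
function reviewListing(html) {
  const scripts = inlineScripts(html).join("\n");
  const findings = [];
  if (URL_READS.test(scripts)) findings.push("script-reads-request-url");
  if (DOM_WRITES.test(scripts)) findings.push("script-rewrites-page");
  if (PASSWORD_FIELD.test(html)) findings.push("password-field");
  // Parameter-dependent rendering plus a credential prompt is the high-risk pair.
  const block = findings.includes("script-reads-request-url") &&
                findings.includes("password-field");
  return { findings, verdict: block ? "block" : findings.length ? "review" : "allow" };
}

// Constructed sample descriptions (not taken from the real listing).
const SAMPLES = {
  plain: "<p>Vintage sofa, good condition.</p>",
  widget: "<script>document.write('<b>Ends soon</b>');</script>",
  conditional: "<div id=d>357473301</div><script>if (location.search.indexOf('jsc=sig') > -1) {" +
    " document.getElementById('d').innerHTML = '<form><input type=\"password\" name=\"p\"></form>'; }</script>",
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(reviewListing(html)));
}
```

Pattern matching like this only catches unobfuscated script, so it suits a review queue rather than a sole control; a site that accepts seller script still needs to isolate it from its own sign-in origin.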

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story:

  • Anti-Phishing Working Group
  • eBay Inc. (Nasdaq: EBAY)
  • Symantec Corp. (Nasdaq: SYMC)
  • TOPPSoft

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ...
