How to Avoid Falling Into the Phishing Hole

You never can defend yourself too much while online.

A PC World reader alerted me to a flaw on eBay's Web site that enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw last week, but experts I spoke with are wondering how long the fix will hold.

The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting, or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it's a safe bet they will again. The problem is not going away, and it will continue to cause visitors to eBay and other sites trouble for the foreseeable future.

How It Worked

This is a spoofed eBay listing that encouraged interested parties to contact the seller directly. Look closely at the address bar, and you'll notice that the site is not eBay.com.
This is a spoofed eBay listing that encouraged interested parties to contact the seller directly. Look closely at the address bar, and you'll notice that the site is not eBay.com.
On a tip from a PC World reader, I reviewed the scam before eBay canceled the auction that it keyed to. Once potential victims were taken to the fake, or spoofed, eBay site, anyone interested in the item in the auction--a 1961 Volkswagen Microbus--was encouraged to e-mail the scammer directly at 4naffairs@yahoo.com to proceed with the sale.

According to security experts, such attacks are a very common and effective way of tricking Internet users into visiting fake sites.

"Any site that accepts user-generated content has likely had to patch their site for this flaw," says Bill Pennington, vice president of services at WhiteHat Security. Pennington says his company finds nearly 600 instances of cross-site scripting flaws on the Web every day.

Can the Vulnerability Be Fixed?

For eBay's part, it says that it constantly monitors its site for security problems and corrects them as quickly as they are found. "As soon as we became aware of this scheme, we changed some of the code on our site. So this scheme, and ones like it, can no longer be effective," says Nichola Sharpe, an eBay spokesperson.

And eBay is far from alone when it comes to being a target of this type of attack. Similar attacks on major sites like Amazon.com, MySpace.com, Verisign, and even the United States National Security Agency's Web site have been documented.

Security experts say cross-site scripting is part of doing business on the Internet. "There is no one fix [for Web sites] to solve this problem," says Ken Dunham, security expert with VeriSign iDefense Security Intelligence Service. He says finding and patching cross-scripting flaws is like a game of Whack-A-Mole, with new flaws popping up all the time.

In the example found on eBay, the cross-site scripting exploit first inserted malicious JavaScript code into the auction listing description. Next, when users visited the rigged eBay auction, the JavaScript directed the users' Internet Explorer or Firefox browser to instantaneously forward the users to a spoofed Web page that looked exactly like an eBay auction page.

eBay says it now prevents JavaScript on its site from forwarding visitors to third-party sites automatically. However, experts say, hackers can easily modify JavaScript code to once again trigger the same behavior.

recommended for you

101 Fantastic Freebies

Read more »

Subscribe to the Security Watch Newsletter

Comments