gonzo
08-17-2006, 11:56 PM
A new tactic (which we have dubbed VPTH) has hit eBay hard the last couple of days. Unfortunately it's a really clever way to get lots of eBay uids/passwords AND it's very viral so it appears to be growing at an exponential rate.
Here's how the bad guys do it:
1. They use normal Phishing techniques to get an ebayer's uid/pwd (preferably a seller with some good feedback).
2. They post toins of malicious listing to popular categories. In the listings they:
Use something like porn imagery to draw heavy click-through to the listing
Turn on every eBay bonus feature you can imagine: bold, highlight, gallery plus, featured plus, etc. (hey they aren't paying so why not?!)
Lots of timese these are 1 day auctions so they are indexed quick and TnS doesn't have much time to a) find and b) react.
Now here's the trick - they put in the listing some malicious javascript that redirects anyone that clicks on the listing to a page at badguy.com that is 100% identical to an eBay login page and it says: "To view this item you must login".3. Now the bad guys have tons of BUYER userid's and logins, which they then use to get into paypal accounts, launch more auctions and cause general mayhem.
4. Some of these are so clever you can't find which listing is doing it. They'll post a porn listing and then 10 regular ones all with the javascript in there. A seller saw one yesterday that seemed to infect every listing in the category - it somehow was changing the search results pages around.
In the last two weeks this scheme is happening more and more frequently. Yesterday the entire shoe category was full of these things.
Here's a real world example from yesterday (the black boxes are mine as this is a family oriented blog)->
http://ebaystrategies.blogs.com/ebay_strategies/images/porn_phishing.jpg (http://ebaystrategies.blogs.com/.shared/image.html?/photos/uncategorized/porn_phishing.jpg)
If you saw this and clicked on the first listing, then entered your user ID and password, you can say goodbye to your ebay identity, potentially your paypal plus your account would be harvested for emails and you would be on every spammers list very quickly. Most likely your password would be immediately changed (I'm sure they have spiders for this) and your account added to the hijacked list, then more listings would be introduced from your account (this is where the geometrical progression/viral part of the scheme comes in).
Here's how the bad guys do it:
1. They use normal Phishing techniques to get an ebayer's uid/pwd (preferably a seller with some good feedback).
2. They post toins of malicious listing to popular categories. In the listings they:
Use something like porn imagery to draw heavy click-through to the listing
Turn on every eBay bonus feature you can imagine: bold, highlight, gallery plus, featured plus, etc. (hey they aren't paying so why not?!)
Lots of timese these are 1 day auctions so they are indexed quick and TnS doesn't have much time to a) find and b) react.
Now here's the trick - they put in the listing some malicious javascript that redirects anyone that clicks on the listing to a page at badguy.com that is 100% identical to an eBay login page and it says: "To view this item you must login".3. Now the bad guys have tons of BUYER userid's and logins, which they then use to get into paypal accounts, launch more auctions and cause general mayhem.
4. Some of these are so clever you can't find which listing is doing it. They'll post a porn listing and then 10 regular ones all with the javascript in there. A seller saw one yesterday that seemed to infect every listing in the category - it somehow was changing the search results pages around.
In the last two weeks this scheme is happening more and more frequently. Yesterday the entire shoe category was full of these things.
Here's a real world example from yesterday (the black boxes are mine as this is a family oriented blog)->
http://ebaystrategies.blogs.com/ebay_strategies/images/porn_phishing.jpg (http://ebaystrategies.blogs.com/.shared/image.html?/photos/uncategorized/porn_phishing.jpg)
If you saw this and clicked on the first listing, then entered your user ID and password, you can say goodbye to your ebay identity, potentially your paypal plus your account would be harvested for emails and you would be on every spammers list very quickly. Most likely your password would be immediately changed (I'm sure they have spiders for this) and your account added to the hijacked list, then more listings would be introduced from your account (this is where the geometrical progression/viral part of the scheme comes in).