Saturday 3 December 2005

eBay's anti-phishing desk sucks

I reported a phishing attack last week. Nothing new there, I do it a lot as part of my ongoing research into spam for and others.

A scammer put up a fake eBay site and sent spam encouraging people to go there. Predictably, it prompted for the user's eBay username and password. Both the email and the website were very credible-looking. Nothing new there, either.

Naturally, I reported the attack to, expecting them to work with the host of the fake website to take it down quickly. Three days later, I received a reply, basically telling me I'm an idiot because this email was in fact sent by eBay.

Now, idiot I may be (and frequently am), but there's just no way the message could be legitimate. Consider the facts:

  • The email didn't include my eBay username
  • It wasn't sent to an email address that corresponds to an eBay account
  • The site puts up a signin page that's not encrypted and isn't hosted at
  • The site was hosted on a consumer cable TV connection
  • The site's domain contact information -- the whois data -- was obviously forged
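
As an added example (not code from the original post), here are the first four indicators above plus the consumer-connection clue expressed as a small Python triage check a defender could run over a reported message and its sign-in URL. The eBay domain allowlist, the residential reverse-DNS pattern and the sample messages are assumptions constructed for this example; the forged-whois check is left out because it needs a network lookup.

```python
import re
from urllib.parse import urlparse

# Domains that legitimately host eBay sign-in pages (assumption for this example).
EBAY_DOMAINS = ("ebay.com", "ebay.co.uk")

# Reverse-DNS fragments typical of consumer broadband pools (assumption; "cpe-"
# and ".res." appear in cable-ISP hostnames like the one the post cites).
RESIDENTIAL_RDNS = re.compile(r"(^cpe-|\.res\.|\.dyn\.|dynamic)", re.IGNORECASE)

# Constructed sample messages: a phish that never names the account, and a
# legitimate-looking notice that does.
PHISH_BODY = "Dear eBay member, your account will be suspended unless you sign in."
LEGIT_BODY = "Hello my_ebay_id, you have a new message waiting in My Messages."


def host_in_domain(host, domain):
    """True for the domain itself or a real subdomain (signin.ebay.com), never
    for lookalikes such as ebaychristmas.net or ebay.com.example.org."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def phish_indicators(body, recipient, known_accounts, username, signin_url, rdns_name):
    """Return the red flags from the post that a message and its sign-in site trip."""
    flags = []
    if username not in body:
        flags.append("message does not include the eBay username")
    if recipient.lower() not in {a.lower() for a in known_accounts}:
        flags.append("sent to an address not tied to an eBay account")
    url = urlparse(signin_url)
    if url.scheme != "https":
        flags.append("sign-in page is not encrypted")
    if not any(host_in_domain(url.hostname or "", d) for d in EBAY_DOMAINS):
        flags.append("sign-in page is not hosted on an eBay domain")
    if RESIDENTIAL_RDNS.search(rdns_name):
        flags.append("site is hosted on a consumer broadband connection")
    return flags


if __name__ == "__main__":
    # Reverse-DNS name below is the one quoted in the post; the rest is constructed.
    for flag in phish_indicators(PHISH_BODY, "me@example.org", ["buyer@example.com"],
                                 "my_ebay_id", "http://www.ebaychristmas.net/signin",
                                 "cpe-065-190-247-092.triad.res.rr.com"):
        print("RED FLAG:", flag)
```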

If eBay can't tell the difference between their own messages and phishing, how's a poor consumer supposed to know?

A week after my report, the phishing website is still active.

If I were a victim of this eBay phish, I'd be hopping mad. It's vitally important for brands like eBay to run a fast-response "takedown" service, which can accurately identify phishing and work with hosts, registrars and ISPs to remove fraudsters from the Internet.

Update: for those of you asking for more details, I'm not going to post the phishing site directly, for fear of entrapping the gullible. However, if you're determined to research it, understand that I cannot warrant that the site is malware free. Unless you agree that you take full responsibility for your actions, do not go to www(dot)ebaychristmas(dot)net.

Yesterday, the site was hosted at RoadRunner -- cpe-065-190-247-092.triad.res.rr(dot)com -- but now it's somewhere in China. Looks like it might be hosted on a botnet. The domain was registered through with a bogus email address.

Here's what eBay said:

Thank you for writing to eBay with your concern about this email. My name is [redacted], and I am happy to address your concerns. I can confirm that the message you received was an official email message sent on behalf of eBay. This message was sent because you indicated in your preferences that you wished to receive these types of messages. [followed by a description of how to check "My Messages"]
Followups to eBay and have gone unanswered.

To the folks who wanted to contact me about this, see the Contact Me page (also linked over on the right column).

This blog post is now old news. Future updates will be in newer posts, so you probably should now go to the home page.
