Robert McMillan, IDG News Service
A sophisticated phishing attack has proven so successful, it has
tricked eBay's own fraud investigations team into endorsing it as
legitimate, according to an independent security consultant who
reported the attack to eBay.
In late November, Richi Jennings received a fraudulent e-mail message
containing the subject line "Christmas is Coming on ebay.co.uk."
Offering him "great tips for successful Christmas selling," the
message directed him to the Web site ebaychristmas.net, which then
asked Jennings to enter his eBay user name and password, as well as
the name and password for his e-mail account.
Jennings reported the site to eBay on November 25, and four days later
he got a note back from the company's investigations team claiming
that the e-mail message was, in fact, "an official e-mail message sent
to you on behalf of e-Bay."
Jennings was dumfounded. He immediately wrote back to eBay pointing
out that the Web site being used was clearly fraudulent, but his
e-mail went unanswered.
eBay Changes Tune
On Monday, an eBay spokesperson confirmed that the e-mail message was
indeed part of a fraud, but she could not explain why it had initially
been identified as legitimate.
"I don't know the answer to that," said spokesperson Amanda
Pires. "I'm assuming right now it was just an error."
From their initial response, it appeared that eBay's investigators did not
take his concerns seriously, Jennings said.
"They never actually used the word idiot, but I felt like they were
calling me an idiot," he said. He believes that the e-mail message in
question bore such a close resemblance to a legitimate eBay message
that the company's investigators were simply tricked by the scam.
Pires said that eBay had, in fact, been working to take down the
phishing site since November 8, weeks before Jennings even contacted
the company.
Both Jennings and eBay agreed that the phony Web site has been set up
in such a way that it is extremely difficult to shut it down. The Web
site's server software is being hosted on a variety of different PCs
that appear to have been taken over by malicious "bot"
software. Whenever eBay succeeds in getting one of these servers shut
down, a new one pops up to take its place, Pires said.
"This is one of the cleverest [phishing attacks] I've seen in a
while," Jennings said.
Antifraud Efforts
EBay has also been trying to shut down the Web site by working with
the Internet registrar that was used to acquire the ebaychristmas.net
domain, Pires said. Despite these efforts, however, the site has
remained operational.
That registrar, which does business under the name Joker.com, has the
power to shut down the scam Web site, Jennings said. "If they were
taking their responsibilities seriously, the site would have been shut
down weeks ago," he said.
Joker.com did not respond to e-mail requests to comment for this
report.
EBay's gaffe shows how hard it has become to keep track of fraudsters,
said Rich Miller, an analyst with Internet services vendor Netcraft.
Netcraft, which offers a free antiphishing toolbar of its own,
classified more than 8,000 phishing sites in the month of November,
Miller said. "It's very had to keep straight what is legitimate and
what's not," he said.
As for Richi Jennings, though he doesn't have high regard for eBay's
investigators, he's willing to give them the benefit of the
doubt. It's possible, he said, that the company was simply overwhelmed
with questions about a legitimate e-mail message that closely
resembled the scam, and then made the mistake of assuming he was
writing about the same thing.
"Hopefully this was a false negative in a sea of correct answers,"
Jennings said.
Copyright 2005 PC World Communications, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, PC World Communications, Inc.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Robert McMillan (idg@telecom-digest.org)