« Captcha Gotcha | Main | (More Than) Seven "Dirty" Email Words »

May 22, 2006

If I hadn't seen it myself, I wouldn't have believed it.

I was perusing one of the eBay categories I check daily. At the top of the regular listings (meaning it was freshly added) was an item that was clearly out of the category. According to the time remaining, the listing had been there for almost one hour.

When I clicked the link to open the auction detail page in a new window, the new window opened not to the item detailed listing, but to an eBay login screen. I thought this odd, and then glanced at the browser's Address bar. I had been redirected to a phishing site hosted in Utah—directly from a link in a real eBay category listing page!

I'm really, really glad I use a Macintosh, because visiting that bogus page with a PC might have put my computer at risk for malware installation without my permission. I could have handed my machine over to a botnet. The source code I received didn't have any malware loaders in it, but a sensible crook would limit sending such loaders to browsers identifying themselves as Internet Explorer on Windows.

How did that redirection happen? I couldn't go back to check because within the minute or so that transpired, eBay had managed to pull the listing. Clicking the link led to an "invalid auction" page.

I can only assume that the eBay "seller" had managed to include either a meta-refresh tag (if eBay's system allows that, which I doubt) or perhaps managed to get some JavaScript into the listing details that automatically redirects visitors to the phishing page.

Chances are that the "seller" had used an account that had been previously phished to add the listings to who-knows-how-many eBay category listings. Alas, I imagine that their phishing haul for the hour or so these listings were alive was pretty good because unlike phishing email messages, this trick reached right into active eBay users who probably thought nothing of entering their usernames and passwords into the lookalike screen. Submissions went to a remailing service hosted in the Czech Republic (and eventually to whoever has access to account ID 42277, wherever he may be).

I hope eBay figures out the technique that this crook used to put the redirector into the listing and filters out those attempts in the future. If we can't even trust links at otherwise trusted Web sites, where does that leave us? Up a creek without an auction paddle.