Oh, great — there’s word on the IP mailing list that there’s now an eBay phishing scam that actually uses redirecting links which originate on eBay’s own servers, making it that much harder for lay people to know that they’re being taken for a ride.

To explain a little bit more: various web services have occasionally made use of scripts that redirect users to other locations. That is to say, the user visits a URL on website A, and a script running at that URL on website A does some bit of processing and then sends the user on to website B. They do this for any number of reasons; Yahoo does it to gather statistics on how many people use the entries in their directories, Movable Type does it to try to prevent comment spammers from gaining too much worth in search engine listings, and Google does it for a bit of both reasons. (You can hover over those three “does it” links to see that they all originate on the servers of the respective web services; you can click on them to see that they all take you back to this website.)

Unfortunately, the nefarious elements of the web — spammers, multilevel marketers, and outright thieves — have taken advantage of these redirection services to try to make their scams look more legitimate; they bank on the fact that more people are likely to click on a google.com link than an im-a-scam-artist.info link. Some of the redirection services are designed so that it’s nearly impossible to take advantage of them in this manner (e.g., Movable Type, which looks the destination up on the server rather than reading it from the link); others are completely open by design, so that anyone can change the destination simply by editing the URL. It’s the latter group, the “open redirectors,” that are open to exploitation by thieves and miscreants, and that have been a source of much consternation to IT security people for the past few years.
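To make the distinction concrete, here is an added example (my own illustration, not code from any of the services named above) of the three redirector designs the paragraph describes: the open one that obeys whatever is in the link, an allowlisted one that only honours destinations it recognises, and a closed one that never takes a destination from the client at all. The host trusted.example, the parameter names url and id, the allowlist, and the stored-redirect table are all assumptions made up for the example; im-a-scam-artist.info is the placeholder name used in the post.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of destinations this redirector may send users to.
# (Assumption for the example: the post does not give any service's real list.)
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Hypothetical server-side table keyed by an opaque id, in the style of a
# redirector that never accepts a destination URL from the client at all.
REDIRECT_TABLE = {
    "c1": "https://www.example.com/help",
    "c2": "https://www.example.com/policies",
}


def _param(request_url: str, name: str) -> Optional[str]:
    """Return the first value of query parameter `name`, or None if absent."""
    values = parse_qs(urlparse(request_url).query).get(name)
    return values[0] if values else None


def open_redirect_target(request_url: str) -> Optional[str]:
    """The vulnerable pattern: whatever is in ?url= is where the user goes.

    A phisher can mail out https://trusted.example/redir?url=http://im-a-scam-artist.info/
    and the only host a reader sees is the trusted one.
    """
    return _param(request_url, "url")


def safe_redirect_target(request_url: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Only honour ?url= when it is a same-site path or an allowlisted http(s) host."""
    target = _param(request_url, "url")
    if target is None:
        return None

    # Same-site relative path: exactly one leading slash. '//host' and '/\host'
    # are treated as scheme-relative by browsers, so they are not local paths.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target

    parsed = urlparse(target)
    # Rejects javascript:, data:, and scheme-relative '//host' (empty scheme).
    if parsed.scheme not in ("http", "https"):
        return None
    # .hostname strips userinfo and port, so 'http://www.example.com@evil/'
    # is compared as 'evil', not as 'www.example.com'.
    if parsed.hostname is None or parsed.hostname not in allowed_hosts:
        return None
    return target


def lookup_redirect_target(request_url: str, table=REDIRECT_TABLE) -> Optional[str]:
    """Closed design: ?id= selects a destination stored server-side; unknown ids go nowhere."""
    key = _param(request_url, "id")
    return table.get(key) if key is not None else None


if __name__ == "__main__":
    phish = "https://trusted.example/redir?url=http://im-a-scam-artist.info/login"
    print(open_redirect_target(phish))   # the scam site: the open redirector obeys the link
    print(safe_redirect_target(phish))   # None: im-a-scam-artist.info is not on the allowlist
    print(lookup_redirect_target("https://trusted.example/redir?id=c1"))
```

The allowlisted version is the one worth studying: the usual bypasses for a naive "does the URL contain our domain?" check (userinfo before an @, a look-alike subdomain, a scheme-relative //host, or a javascript: URL) are each handled by comparing the parsed hostname rather than the raw string. The closed design sidesteps the whole problem, at the cost of having to store every destination up front.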

Well, we learned today that it turns out eBay is running its own open redirector, which means that those emails you get saying that you urgently need to go and “correct” your eBay password and billing information might have links whose host really is ebay.com, even though the page you land on is the phisher’s. This is obviously a cause for concern, and a sound reason to remember the advice that until the world figures out a good solution to problems just like this, it’s best to avoid clicking on any email links claiming to be from businesses that need to help you verify your account status, payment options, or any other financial information; go to the site by typing its address yourself instead.

If you were a phisher, would you think it worth the bargain to tell eBay directly about every URL you use to phish their customers?

• Pinged by phil ringnalda dot com on Feb 23, 2005, 11:42 AM