That vintage sofa might not be the only thing you end up grabbing on eBay.

Crafty (alebit sloppy) phishers were recently discovered this week leveraging an eBay feature in which sellers use Javascript in the item description, a feature eBay allows. What's new here among phishing attacks is the way the page renders, depending on the parameters in the request. Without any specific parameter, the item description simply reads "357473301."

The sophistication of phishing schemes also seem to be on the upswing, says Oliver Friedrichs, director of Symantec Security Response. "The use of Javascript and Ajax technologies enables scammers to create technically more convincing schemes," he says. Javascript's ability to handle some basic form and credit card format verification also spells trouble ahead.

According to analysts at Symantec who examined the phished auction item, passing a single parameter, jsc=sig, presents a realistic sign-in page displayed in eBay Phished Auction Item displayed in the screenshot on the right. Figure 2 is a screenshot of a normal eBay login page.

Figure 1: eBay phished auction item The page looks similar to the eBay login page. Note the URL is not HTTPS, and the missing "Verisign Secured" logo that should be on the bottom right corner.

Figure 2: eBay normal login page This is the authentic login page. Note the HTTPS in the nav bar and the "VeriSign Secured" logo on the bottom right corner.

As much as an issue for everyday consumers as it for the enterprise, phishing exposes unsuspecting users to identity theft, worms, Trojan downloads, and other malicious actions. Like it or not, phishing is an enterprise security problem because of the potential for loss of valuable, proprietary data.

This trend in email scams continues to gain momentum. The Anti-Phishing Working Group's Activity Trends Report for March 2006, shows a 336 percent increase in the number of unique phishing sites between March 2005 to March 2006. In that same timeframe, the number of unique phishing key loggers grew by 256 percent and the number of unique websites hosting the key loggers grew a whopping 829 percent.

"The actual attack wasn't terribly sophisticated because the scammer made a number of stupid mistakes. But they could easily have made it better," says Bill Shaw, VP for TOPPSoft Computer Solutions. While he suspected it was a phishing email when opening it, his curiosity led him to click through to a fake login page. How could he tell? "The login page is supposed to be a secure page," Shaw notes.

eBay's response
eBay actively combats phishing by educating its users and using technology. The top FAQ How do I know that an email is really from eBay? states unequivocally "eBay will never ask you to provide account numbers, passwords or other sensitive information through email… If you have any doubt that an email really is from eBay, open a new browser window, type www.ebay.com, and sign in." Experts recommend users not to click on links in email regardless of your doubts. You should always type in the address or use your bookmarks.

Shaw, who posted an email to the Full-Disclosure list on April 12 after notifying eBay of the problem, notes "The real issue is the unanswered question of how they [the scammers] managed to get the Javascript code into the auction listing. Ebay normally filters those things out for exactly this reason and this particular scammer managed to get it past the filters."

EBay spokesperson Catherine England, responds "eBay allows users to include Javascript in listings and we will continue to do so. We know some people will abuse that feature, but the risk is minimal and the benefit [of Javascript to users] is great."

Analysts from Symantec counter that Script-injection vulnerabilities like this one are typically viewed as low risk, which in most cases, is an accurate assessment. "However, this class of attack can allow an attacker to take malicious web-based actions in the context of a company's domain. In the case of this particular attack, the ability to render arbitrary JavaScript code allows the attacker to launch phishing attacks within the context of the actual eBay domain," Symantec officials said.

England claims that eBay has a tool bar that alerts users when they are being redirected to another site and when notified of the scam, the eBay team examines the auction to determine the nature of the problem, and if warranted, writes filters to detect malicious listings. She further asserts that "trying to do this more than once is really hard."

That's a pretty lofty claim, as of yesterday, the auction listing was still available, so we grabbed a snapshot. During our discussions with England for this story, we told her the item number and the auction was subsequently removed from eBay.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story: