Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

5/12/2006
08:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Phishing Gets Phancy

Phishing scams are growing in sophistication, using Javascript to dupe users into giving up the goods

That vintage sofa might not be the only thing you end up grabbing on eBay.

Crafty (alebit sloppy) phishers were recently discovered this week leveraging an eBay feature in which sellers use Javascript in the item description, a feature eBay allows. What's new here among phishing attacks is the way the page renders, depending on the parameters in the request. Without any specific parameter, the item description simply reads "357473301."

The sophistication of phishing schemes also seem to be on the upswing, says Oliver Friedrichs, director of Symantec Security Response. "The use of Javascript and Ajax technologies enables scammers to create technically more convincing schemes," he says. Javascript's ability to handle some basic form and credit card format verification also spells trouble ahead.

According to analysts at Symantec who examined the phished auction item, passing a single parameter, jsc=sig, presents a realistic sign-in page displayed in eBay Phished Auction Item displayed in the screenshot on the right. Figure 2 is a screenshot of a normal eBay login page.

Figure 1: eBay phished auction item
The page looks similar to the eBay login page. Note the URL is not HTTPS, and the missing "Verisign Secured" logo that should be on the bottom right corner.

Figure 2: eBay normal login page
This is the authentic login page. Note the HTTPS in the nav bar and the "VeriSign Secured" logo on the bottom right corner.

As much as an issue for everyday consumers as it for the enterprise, phishing exposes unsuspecting users to identity theft, worms, Trojan downloads, and other malicious actions. Like it or not, phishing is an enterprise security problem because of the potential for loss of valuable, proprietary data.

This trend in email scams continues to gain momentum. The Anti-Phishing Working Group's Activity Trends Report for March 2006, shows a 336 percent increase in the number of unique phishing sites between March 2005 to March 2006. In that same timeframe, the number of unique phishing key loggers grew by 256 percent and the number of unique websites hosting the key loggers grew a whopping 829 percent.

"The actual attack wasn't terribly sophisticated because the scammer made a number of stupid mistakes. But they could easily have made it better," says Bill Shaw, VP for TOPPSoft Computer Solutions. While he suspected it was a phishing email when opening it, his curiosity led him to click through to a fake login page. How could he tell? "The login page is supposed to be a secure page," Shaw notes.

eBay's response
eBay actively combats phishing by educating its users and using technology. The top FAQ How do I know that an email is really from eBay? states unequivocally "eBay will never ask you to provide account numbers, passwords or other sensitive information through email… If you have any doubt that an email really is from eBay, open a new browser window, type www.ebay.com, and sign in." Experts recommend users not to click on links in email regardless of your doubts. You should always type in the address or use your bookmarks.

Shaw, who posted an email to the Full-Disclosure list on April 12 after notifying eBay of the problem, notes "The real issue is the unanswered question of how they [the scammers] managed to get the Javascript code into the auction listing. Ebay normally filters those things out for exactly this reason and this particular scammer managed to get it past the filters."

EBay spokesperson Catherine England, responds "eBay allows users to include Javascript in listings and we will continue to do so. We know some people will abuse that feature, but the risk is minimal and the benefit [of Javascript to users] is great."

Analysts from Symantec counter that Script-injection vulnerabilities like this one are typically viewed as low risk, which in most cases, is an accurate assessment. "However, this class of attack can allow an attacker to take malicious web-based actions in the context of a company's domain. In the case of this particular attack, the ability to render arbitrary JavaScript code allows the attacker to launch phishing attacks within the context of the actual eBay domain," Symantec officials said.

England claims that eBay has a tool bar that alerts users when they are being redirected to another site and when notified of the scam, the eBay team examines the auction to determine the nature of the problem, and if warranted, writes filters to detect malicious listings. She further asserts that "trying to do this more than once is really hard."

That's a pretty lofty claim, as of yesterday, the auction listing was still available, so we grabbed a snapshot. During our discussions with England for this story, we told her the item number and the auction was subsequently removed from eBay.

— Mike Fratto, Editor at Large, Dark Reading

Organizations mentioned in this story:

  • Anti-Phishing Working Group
  • eBay Inc. (Nasdaq: EBAY)
  • Symantec Corp. (Nasdaq: SYMC)
  • TOPPSoft Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: "The security team seem to be taking SiegeWare seriously" 
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16770
    PUBLISHED: 2019-12-05
    A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
    CVE-2019-19609
    PUBLISHED: 2019-12-05
    The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
    CVE-2019-16768
    PUBLISHED: 2019-12-05
    Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
    CVE-2012-1105
    PUBLISHED: 2019-12-05
    An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
    CVE-2019-16769
    PUBLISHED: 2019-12-05
    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...