Phishy URL

The following URL appeared in today's email, obviously as part of some phishing attempt:

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F62.193.211.236%2FeBayISAPI.php&pageType=1883

If you want to try it out yourself, click here.

After casual examination, it looks like an attempt to make use of the eBay RedirectToDomain exploit that was originally posted on Bugtraq on Feb. 13, 2005. This one, however, startled me, because after clicking it I ended up on a genuine-looking secure eBay login page, with a valid certificate. This is not what I expect to get when I visit such a phishy-looking URL.

As far as I am able to tell, the certificate is valid, and it is valid because eBay in this specific case ignores the phisherman's redirect request. However, I think it is just bad practice on eBay's part to actually accept an incoming URL with a lot of trailing bogus material as a legitimate entry point to a secure login page, even if it ignores the bogus bits and serves the user a genuine page. This practice will make it simpler for the phishers to fool users into being uncritical about the URLs they click on, and not all bogus URLs will misfire like this one.

By the way, the original RedirectToDomain problem reported on Bugtraq is not fixed (see the first example below), but redirecting a secure page in a similar fashion does not appear to work any more (see second example). Whether it ever worked is anybody's guess.

Two examples:

  1. Insecure redirect. This uses eBay's internal RedirectToDomain to redirect from eBay to my webpage. The redirect works, but the URL gives the game away. (Postscript, Nov. 2006: It no longer works - eBay has finally fixed this.)
  2. Secure page redirect. A similar exploit, but redirects from a secure eBay page to my home page. This does not appear to work.
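To make the structure of the URL above concrete, here is an added example (my own illustration, not code from the original post and not anything eBay ever ran) that unpacks the nested redirect chain hop by hop and then applies the kind of per-hop allowlist check that would have stopped both examples. The parameter names `ru` and `DomainUrl` are taken from the quoted URL; everything else (the function names, the `ebay.com` site suffix, the decoy `user@host` URL in the docstring) is an assumption made for the demonstration.

```python
# Added example, not code from the original post or from eBay: decode the
# nested redirect chain in a URL of the shape quoted above and decide whether
# the final landing page stays on the site that issued the redirect.
from urllib.parse import urlsplit, parse_qs
import ipaddress

# The phishing URL quoted in the post, with the line-wrapping spaces removed.
PHISHY_URL = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
    "&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll"
    "?MfcISAPICommand%3dRedirectToDomain%26DomainUrl="
    "http%3A%2F%2F62.193.211.236%2FeBayISAPI.php&pageType=1883"
)

# Query parameters that carry a redirect target in the URL above ("ru" on the
# sign-in page, "DomainUrl" on the RedirectToDomain command). Other sites use
# other names; this list is an assumption taken from the post's URL only.
REDIRECT_PARAMS = ("ru", "DomainUrl")


def next_hop(url):
    """Return the redirect target embedded in url's query string, or None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            # parse_qs has already percent-decoded the value once, which is
            # what the redirecting server does before acting on it.
            if value.startswith(("http://", "https://")):
                return value
    return None


def follow_redirect_chain(url, max_hops=5):
    """List every URL the browser would visit, outermost first.

    Stops at the first URL carrying no redirect parameter, or after max_hops,
    so a chain that points back at itself cannot loop forever.
    """
    chain = [url]
    for _ in range(max_hops):
        target = next_hop(chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain


def is_on_site(url, site="ebay.com"):
    """True if url's host is `site` or a subdomain of it and not an IP literal.

    urlsplit().hostname strips any user:password@ prefix, so a decoy such as
    http://signin.ebay.com@203.0.113.5/ is judged by 203.0.113.5, not by the
    text in front of the @.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP address is never a first-party host
    except ValueError:
        pass
    return host == site or host.endswith("." + site)


def final_destination(url, site="ebay.com"):
    """Where the user ends up, and whether that is still on `site`."""
    final = follow_redirect_chain(url)[-1]
    return final, is_on_site(final, site)


def safe_redirect_target(requested, site="ebay.com", fallback="/"):
    """Server-side fix: honour a redirect target only if it stays on `site`.

    Every endpoint that redirects must run this on its own parameter before
    sending a Location header; an off-site target is replaced by `fallback`.
    Illustrative only, not eBay's actual implementation.
    """
    if requested and is_on_site(requested, site):
        return requested
    return fallback


if __name__ == "__main__":
    chain = follow_redirect_chain(PHISHY_URL)
    for hop in chain:
        print("->", hop)
    final, on_site = final_destination(PHISHY_URL)
    print("final host is on eBay:", on_site)
    # What each redirecting hop would do once it validates its own target.
    for hop, target in zip(chain, chain[1:]):
        verdict = "honoured" if safe_redirect_target(target) == target else "refused"
        print(urlsplit(hop).hostname, "would have", verdict, target)
```

Running it prints the three hops (signin.ebay.com, cgi4.ebay.com, then the bare IP) and shows why a check on the outer `ru` parameter alone is not enough: the sign-in page's target is a genuine eBay host, so a domain allowlist there passes it, and it is the RedirectToDomain hop that has to refuse the IP. That is the per-endpoint fix the Nov. 2006 postscript above describes eBay as finally having made.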