
View Full Version : eBay Account Phishing with eBay Redirect



Steven
14/02/05, 19:55
I am not sure if this is better served by incidents or bugtraq, but in any
event here it is. I frequently get the fake-looking e-mails phishing for my
Paypal, eBay, and banking login/password information. Generally the links
to the spoofed webpages are just links to a fake page with a modified A HREF
tag. However, it appears someone has found that eBay's actual page has a
command to redirect to a specified webpage. While this shouldn't be a big
risk, it still poses a small one and is being actively exploited.

The page actually appears to link to eBay and it does, the link below is the
one I received in my inbox recently.

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh

Simply:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com


Steven
steven@lovebug.org
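The DomainUrl value in the link above is percent-encoded twice over: not only the usual ":" and "/" but also the plain digits of the destination host (%32%31%31 is "211"), so a reader skimming the mail sees an ebay.com link and nothing else. The following Python script is an added example, not code from Steven's post or from eBay: it pulls DomainUrl out of a RedirectToDomain link, decodes it to the real destination, and lists why that destination looks like a phishing hop. The OWN_DOMAINS list and the keyword heuristic are assumptions for illustration; the link itself is the one quoted above.

```python
"""Decode an eBay RedirectToDomain link and report why its destination looks like phishing."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption for this example: the redirector lives on ebay.com, so any
# other destination is "off-site". Not part of the original post.
OWN_DOMAINS = ("ebay.com",)

# The link Steven quoted from his inbox (archive line-wrapping removed).
PHISH_LINK = (
    "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain"
    "&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter"
    "%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrfer"
    "HCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh"
)


def raw_query_param(url, name):
    """Return the still-percent-encoded value of `name` from the query string."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def redirect_target(url):
    """Fully decoded DomainUrl of a RedirectToDomain link, or None if it is not one."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("MfcISAPICommand", [""])[0] != "RedirectToDomain":
        return None
    target = qs.get("DomainUrl", [None])[0]
    if target is None:
        return None
    # parse_qs removed one layer of encoding; keep going until the value is
    # stable so a double-encoded destination is unwrapped as well.
    decoded = unquote(target)
    while decoded != target:
        target, decoded = decoded, unquote(decoded)
    return target


def needlessly_encoded(raw_value):
    """Characters that were percent-escaped although they never need to be.
    Escaping unreserved characters (letters, digits, '.', '-') has no protocol
    purpose; its only effect is to hide the host from a human reader."""
    out = []
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", raw_value):
        ch = chr(int(m.group(1), 16))
        if ch.isalnum() or ch in "-._~":
            out.append(ch)
    return "".join(out)


def is_own_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def suspicious_indicators(target):
    """Reasons a decoded redirect target looks like a phishing hop (may be empty)."""
    if "://" not in target:
        # Nick FitzGerald's observation later in the thread: without a scheme
        # the redirector does not forward at all.
        return ["no scheme: the redirector would not follow this"]
    host = urlsplit(target).hostname or ""
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a bare IP address")
    except ValueError:
        pass
    if not is_own_host(host):
        reasons.append("destination host %r is off-site" % host)
        # Heuristic (assumption): off-site paths dressed up as account pages.
        if re.search(r"login|signin|update|verify|account", target, re.I):
            reasons.append("off-site path mimics a login/update page")
    return reasons


def analyse(url):
    """Report dict for a RedirectToDomain link, or None for any other URL."""
    target = redirect_target(url)
    if target is None:
        return None
    return {
        "target": target,
        "obfuscated": needlessly_encoded(raw_query_param(url, "DomainUrl") or ""),
        "reasons": suspicious_indicators(target),
    }


if __name__ == "__main__":
    report = analyse(PHISH_LINK)
    print("real destination :", report["target"])
    print("hidden by escapes:", report["obfuscated"])
    for reason in report["reasons"]:
        print(" -", reason)
```

Run stand-alone, the script prints the decoded destination (an http URL on a bare IP with an "UpdateCenter/Login" path) and the string of host characters that had been hidden behind unnecessary escapes. The same two checks, scheme present plus host outside your own domain, are what a mail gateway rule for links into a known redirector should key on.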

Josh Tolley
15/02/05, 00:05
I just tried this with my own URL, and eBay didn't forward me to some
other site. Perhaps they've plugged this already?

Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000

Steven wrote:
> I am not sure if this is better served by incidents or bugtraq, but in
> any event here it is. I frequently get the fake-looking e-mails
> phishing for my Paypal, eBay, and banking login/password information.
> Generally the links to the spoofed webpages are just links to a fake
> page with a modified A HREF tag. However, it appears someone has found
> that eBay's actual page has a command to redirect to a specified
> webpage. While this shouldn't be a big risk, it still poses a small one
> and is being actively exploited.
>
> The page actually appears to link to eBay and it does, the link below is
> the one I received in my inbox recently.
>
> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh
>
>
> Simply:
>
> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com
>
>
>
> Steven
> steven@lovebug.org
>
>

Nick FitzGerald
15/02/05, 20:35
Josh Tolley to "Steven":

[re-organized to sensible quoting order]
> > The page actually appears to link to eBay and it does, the link below is
> > the one I received in my inbox recently.
> >
> > http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh
> >
> >
> > Simply:
> >
> > http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com
> >
> I just tried this with my own URL, and eBay didn't forward me to some
> other site. Perhaps they've plugged this already?

That's odd, because the original URL in the spam Steven reported (and
as seen here earlier) still works, as does the redirector with a
handful of arbitrary URLs I just plucked from memory.

At least, the redirector works if you put "http://" (or variously
encoded forms of the same) at the head of the URL. URLs of the form
"www.website.com" as suggested by Steven do not work.

In short, it does work so it's not fixed.

Site designers wanting to implement universal redirector URLs such as
this (to simplify logging of their own offsite referrals??) should
limit the redirector to _only_ accept redirects from their own servers.
And no, using http's "Referer:" [sic] header is not, in general, good
enough for this, but would help eBay in the short-term against tricks
such as this phishing scam. Of course, the modern world of content
served by third-parties from arbitrarily many or few machines on
quasi-random IPs all round the globe, depending on load and so on, makes
this _much_ harder to do properly, but that's part of the price you pay
for using cheap ugly hacks such as distributed content serving depends on...


Regards,

Nick FitzGerald
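Nick's prescription, a redirector that only honours destinations the site itself vouches for, is easy to get subtly wrong with string checks (a substring test for "ebay.com" passes ebay.com.evil.example and evilebay.com). The Python below is an added example, not eBay's code or anything from the thread: it puts the open pattern the thread describes beside a locked-down replacement. Own-site destinations pass a host allowlist that handles the usual bypasses (scheme-relative URLs, userinfo tricks, backslashes, look-alike suffixes); genuinely off-site destinations, which the "logging of offsite referrals" use case needs, are allowed only when the link carries an HMAC the server minted, so a phisher cannot build one. The domain list and the secret are assumptions for illustration.

```python
"""An open redirector and a locked-down replacement, side by side."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this example (not from the thread): the site owns ebay.com
# and keeps a server-side secret for minting signed off-site links.
OWN_DOMAINS = ("ebay.com",)
LINK_SECRET = b"example-secret-rotate-me"


def redirect_open(domain_url):
    """The pattern the thread describes: whatever the client supplies becomes
    the Location header, so anyone can mint an 'ebay.com' link to any site."""
    return domain_url


def host_allowed(host):
    """Exact match or a true subdomain of an allowed domain; never a substring test."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def validate_own_site(domain_url):
    """Return the URL if it is an absolute http(s) URL on one of our own hosts,
    otherwise None. Each rejection below defeats a known bypass of naive checks."""
    if "\\" in domain_url:            # browsers turn '\' into '/', URL parsers do not
        return None
    parts = urlsplit(domain_url)
    if parts.scheme not in ("http", "https"):
        return None                   # '', 'javascript', 'data', and '//evil.example'
    if "@" in parts.netloc:           # http://www.ebay.com@evil.example/
        return None
    if not host_allowed(parts.hostname):
        return None                   # evilebay.com, ebay.com.evil.example, 211.172.96.7
    return domain_url


def sign(url):
    return hmac.new(LINK_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def mint_offsite_link(url):
    """Server side: how the site itself builds an outbound link to a partner so
    that the click can still be logged. Only the server knows LINK_SECRET."""
    return "/redirect?" + urlencode({"to": url, "sig": sign(url)})


def handle_redirect(query_string):
    """The hardened redirector. Own-site targets pass the allowlist; any other
    target must carry a valid signature, i.e. must have been minted by us."""
    qs = parse_qs(query_string)
    to = qs.get("to", [""])[0]
    sig = qs.get("sig", [""])[0]
    if validate_own_site(to):
        return to
    if sig and hmac.compare_digest(sig, sign(to)):
        return to
    return None                       # caller answers 400, never a Location header


if __name__ == "__main__":
    phish = "http://211.172.96.7/UpdateCenter/Login/"
    print("open redirector   :", redirect_open(phish))
    print("hardened, phish   :", handle_redirect("to=" + phish))
    print("hardened, own site:", handle_redirect("to=http://www.ebay.com/help/"))
    partner = mint_offsite_link("http://partner.example/offer")
    print("hardened, signed  :", handle_redirect(partner.split("?", 1)[1]))
```

Note what the signed variant buys over a Referer check: the secret never leaves the server, the browser cannot omit or forge it, and a link in a spam mail fails the check no matter which page it claims to come from. The allowlist is still checked first so that ordinary internal links need no signature at all.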

Jonathan Rockway
15/02/05, 21:05
I just tried this out and it worked for me. I got a page asking for a
login name and made up a login name and password. After "logging
in", I got a page asking for my address, phone, CCN, bank information,
etc. (They ask for everything! ATM PIN, SSN, DOB, etc... who would
actually provide this to the real eBay!?)

After I submitted my fake data, it redirected me to the real eBay login.

Regards,
Jonathan Rockway

On 14 Feb 2005, at 1:08 PM, Josh Tolley wrote:

> I just tried this with my own URL, and eBay didn't forward me to some
> other site. Perhaps they've plugged this already?
>
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> 760 509 9000
>
> Steven wrote:
>> I am not sure if this is better served by incidents or bugtraq, but
>> in any event here it is. I frequently get the fake-looking e-mails
>> phishing for my Paypal, eBay, and banking login/password information.
>> Generally the links to the spoofed webpages are just links to a fake
>> page with a modified A HREF tag. However, it appears someone has
>> found that eBay's actual page has a command to redirect to a
>> specified webpage. While this shouldn't be a big risk, it still
>> poses a small one and is being actively exploited.
>> The page actually appears to link to eBay and it does, the link below
>> is the one I received in my inbox recently.
>> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh
>> Simply:
>> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com
>> Steven
>> steven@lovebug.org
>>
--
Jonathan Rockway <jrockw2@uic.edu>
http://www.uic.edu/~jrockw2/

Thomas T. Evans, III
16/02/05, 00:35
You may want to be careful about following links like this. I have read that
part of the problem is, even if you load bogus information or no information
at all, these sites will drop keyloggers, Trojans, etc. on your machine.
Just their way of saying 'Thanks for dropping by'.... :(


Thomas T. Evans, III CCNA
Senior Network Manager
Hawk Corporation
ttevans@hawkcorp.net
216-267-7787 Ext. 500
Cell: 440-669-2526
Fax: 917-464-7241
President, MFG/Pro Midwest User Group

"The difference between genius and stupidity is genius has limits" -- Albert
Einstein


-----Original Message-----
From: Jonathan Rockway [mailto:jrockw2@uic.edu]
Sent: Monday, February 14, 2005 7:25 PM
To: bugtraq@securityfocus.com; Josh Tolley
Subject: Re: eBay Account Phishing with eBay Redirect

I just tried this out and it worked for me. I got a page asking for a
login name and made up a login name and password. After "logging
in", I got a page asking for my address, phone, CCN, bank information,
etc. (They ask for everything! ATM PIN, SSN, DOB, etc... who would
actually provide this to the real eBay!?)

After I submitted my fake data, it redirected me to the real eBay login.

Regards,
Jonathan Rockway

On 14 Feb 2005, at 1:08 PM, Josh Tolley wrote:

> I just tried this with my own URL, and eBay didn't forward me to some
> other site. Perhaps they've plugged this already?
>
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> 760 509 9000
>
> Steven wrote:
>> I am not sure if this is better served by incidents or bugtraq, but
>> in any event here it is. I frequently get the fake-looking e-mails
>> phishing for my Paypal, eBay, and banking login/password information.
>> Generally the links to the spoofed webpages are just links to a fake
>> page with a modified A HREF tag. However, it appears someone has
>> found that eBay's actual page has a command to redirect to a
>> specified webpage. While this shouldn't be a big risk, it still
>> poses a small one and is being actively exploited.
>> The page actually appears to link to eBay and it does, the link below
>> is the one I received in my inbox recently.
>> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh
>> Simply:
>> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com
>> Steven
>> steven@lovebug.org
>>
--
Jonathan Rockway <jrockw2@uic.edu>
http://www.uic.edu/~jrockw2/

Jay Calvert
16/02/05, 00:35
The flaw still exists, there is a demo and description of the redirect URL at http://habaneronetworks.com/viewArticle.php?ID=136

eBay has been notified and is aware of the problem.

--
Jay Calvert
http://habaneronetworks.com

Israel Torres
16/02/05, 03:45
Actually Steven's example is supposed to be:
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.website.com

note the http:// prefix following the RedirectToDomain&DomainUrl=

As of Tuesday Feb 15 7am PST it still works (both examples).

PS Steven, For the "Place or Update Credit Card on File" page,
post-login it states for the user to "Sing Out", you may want to change
it to "Sign Out".

Israel Torres


-----Original Message-----
From: Josh Tolley [mailto:josh@raintreeinc.com]
Sent: Monday, February 14, 2005 11:08 AM
To: Steven
Cc: incidents@securityfocus.com; bugtraq@securityfocus.com
Subject: Re: eBay Account Phishing with eBay Redirect


I just tried this with my own URL, and eBay didn't forward me to some
other site. Perhaps they've plugged this already?

Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000

Steven wrote:
> I am not sure if this is better served by incidents or bugtraq, but in
> any event here it is. I frequently get the fake-looking e-mails
> phishing for my Paypal, eBay, and banking login/password information.
> Generally the links to the spoofed webpages are just links to a fake
> page with a modified A HREF tag. However, it appears someone has found
> that eBay's actual page has a command to redirect to a specified
> webpage. While this shouldn't be a big risk, it still poses a small one
> and is being actively exploited.
>
> The page actually appears to link to eBay and it does, the link below is
> the one I received in my inbox recently.
>
> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh
>
>
> Simply:
>
> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com
>
>
>
> Steven
> steven@lovebug.org
>
>