Someone I know encountered a really sneaky eBay phish this weekend. It arrived through eBay’s official “Ask seller a question” system, and consisted of a simple request: Was his auction the same as the auction at the following About Me page?
The URL was a normal eBay URL of the form http://members.ebay.com/aboutme/_____. Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.
So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. The page is not served over SSL, but use of SSL on login pages is still spotty enough that a user could easily miss its absence. And how many people have noticed that eBay only puts login forms on signin.ebay.com? You have a slightly better chance if you have a browser like Opera, which shows you the target* of a form when you hover over a button. If you think to look at it.
I went looking and found another sighting at Conor’s Web of Esoterica, which has a screenshot of the bogus form.
This reminds me a lot of the password-stealing flaw found in Firefox and IE last November. In that case, the problem was that it was possible for a MySpace user to put a fake login form in his profile, which would get filled out by an overeager password manager. The immediate solution there was for MySpace to prevent their users from posting forms with password fields. Once again, the problem is that a malicious eBay user is able to post a form that imitates eBay’s real login form, only here the intent is to fool the user into filling it out instead of the browser.
Until eBay improves the filter on their About Me page, the best solution is to only sign in from the eBay home page. If another page brings up a login form, don’t trust it.