You never can defend yourself too much while online.
A PC World reader alerted me to a flaw on eBay’s Web site that enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw last week, but experts I spoke with are wondering how long the fix will hold.
The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting , or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it’s a safe bet they will again. The problem is not going away, and it will continue to cause visitors to eBay and other sites trouble for the foreseeable future.
How it worked
On a tip from a PC World reader, I reviewed the scam before eBay canceled the auction that it keyed to. Once potential victims were taken to the fake, or spoofed, eBay site, anyone interested in the item in the auction–a 1961 Volkswagen Microbus–was encouraged to e-mail the scammer directly at 4naffairs@yahoo.com to proceed with the sale. According to security experts, such attacks are a very common and effective way of tricking Internet users into visiting fake sites.
“Any site that accepts user-generated content has likely had to patch their site for this flaw,” says Bill Pennington, vice president of services at WhiteHat Security . Pennington says his company finds nearly 600 instances of cross-site scripting flaws on the Web every day.
Can the vulnerability be fixed?
For eBay’s part, it says that it constantly monitors its site for security problems and corrects them as quickly as they are found. “As soon as we became aware of this scheme, we changed some of the code on our site. So this scheme, and ones like it, can no longer be effective,” says Nichola Sharpe, an eBay spokesperson.
And eBay is far from alone when it comes to being a target of this type of attack. Similar attacks on major sites like Amazon.com, MySpace.com, Verisign, and even the United States National Security Agency’s Web site have been documented.
Security experts say cross-site scripting is part of doing business on the Internet. “There is no one fix [for Web sites] to solve this problem,” says Ken Dunham, security expert with VeriSign iDefense Security Intelligence Service . He says finding and patching cross-scripting flaws is like a game of Whack-A-Mole , with new flaws popping up all the time.
In the example found on eBay, the cross-site scripting exploit first inserted malicious JavaScript code into the auction listing description. Next, when users visited the rigged eBay auction, the JavaScript directed the users’ Internet Explorer or Firefox browser to instantaneously forward the users to a spoofed Web page that looked exactly like an eBay auction page.
eBay says it now prevents JavaScript on its site from forwarding visitors to third-party sites automatically. However, experts say, hackers can easily modify JavaScript code to once again trigger the same behavior.
Making contact with the scammer
When I e-mailed the person behind the scam and expressed interest in the fake auction of the 1961 Volkswagen Microbus, I received an e-mail from “Charles,” who wrote:
“I’m glad that you’re interested in my 1961 Volkswagen Bus/Vanagon Safari. Let me tell you all about this transaction. This was my brother’s car, he died and left me the car in his will, I’m selling so cheap because it brings bad memories…”
“Charles” said that the car was in excellent condition and was located in Augusta, Maine. If I was interested, “Charles” said, I could use an escrow service called Yahoo Finance to send him the money to buy the car and pay for its delivery.
For the record, while Yahoo does run a business and finance site called Yahoo Finance, Yahoo does not run an escrow service by the same name.
Next, “Charles” explained, once Yahoo Finance received the money, the car would shipped by FedEx through a service called Passport Auto Transport .
The next day I received an e-mail purporting to be from Yahoo Finance. It explained how the service would hold payment to “Charles” until both parties were satisfied with the transaction. The e-mail instructed me to send payment by a Western Union money transfer to a Yahoo Finance “agent” located in Miami.
When I requested to speak with “Charles” over the phone, as a prospective buyer, I never heard back from him. The site hosting the fake eBay page is registered to Ivan Iargomski in Saint Petersburg, Russia, according to domain name registration records. Messages to that e-mail address were not returned.
While eBay and other sites may struggle to prevent attackers from planting cross-site scripting traps on their pages, eBay users can decrease their odds of falling prey by installing the free eBay Toolbar . This browser add-on, which works only with Internet Explorer, alerts you if you’re redirected from eBay to a third-party Web site.