Actually Steven's example is supposed to be: http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.website.com note the http:// prefix following the RedirectToDomain&DomainUrl= As of Tuesday Feb 15 7am PST it still works (both examples). PS Steven, For the "Place or Update Credit Card on File" page, post-login it states for the user to "Sing Out", you may want to change it to "Sign Out". Israel Torres -----Original Message----- From: Josh Tolley [mailto:josh@xxxxxxxxxxxxxxx] Sent: Monday, February 14, 2005 11:08 AM To: Steven Cc: incidents@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx Subject: Re: eBay Account Phishing with eBay Redirect I just tried this with my own URL, and eBay didn't forward me to some other site. Perhaps they've plugged this already? Josh Tolley Raintree Systems, Inc. http://www.raintreeinc.com 760 509 9000 Steven wrote: > I am not sure if this is better served by incidents or bugtraq, but in > any event here it is. I frequently get the fake looking e-mails > phishing for my Paypal, eBay, and banking login/password information. > Generally the links to the spoofed webpages are just links to a fake > page with a modified A HREF tag. However, it appears someone has found > that eBay's actual page has a command to redirect to a specified > webpage. While this shouldn't be a big risk, it still poses a small one > and is being actively exploitated. > > The page actually appears to link to eBay and it does, the link below is > the one I received in my inbox recently. > > http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh > > > Simply: > > http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com > > > > Steven > steven@xxxxxxxxxxx > >
