eBay WTF

Jun. 5th, 2008 08:22 pm
rivka: (smite)
[personal profile] rivka
I tried to log in to my account this evening because I'm in the middle of an auction. I went to www.ebay.com, which had the typical "Hello rivkawald!" message on it. I clicked "sign in." My username was prepopulated in the right field. I entered my password. And was directed to what seems to be a phishing page.

"We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.

Please enter as more information as possible to provide your complete identification and to activate all the features of the new system."


The page then proceeded to ask for my full name, date of birth, mother's maiden name, social security number, credit card number & security code, ATM PIN, bank account number, and routing number.

No, really. And there wasn't any way to get past it.

(Screencaps are here and here.)

I went back to www.ebay.com and tried to log in again. Same thing again. I tried their "live help" chat and got routed to "account security live help," where I waited and waited and WAITED to no avail. "Thank you for your patience. Please hold for the next available Live Help Agent." And hold. And hold.

Finally I got through to a live agent. She had me clear my cache and cookies. I cleared everything out and then was able to get a regular login page when I went to ebay.com. I immediately changed my password, obviously.

But what the hell? I typed in the address to the eBay main page myself. I didn't follow a link in an e-mail. How could this happen? I am running AdAware and a full virus scan, but... yikes. This scares the hell out of me. I thought only ~~stupid~~ credulous people were victims of phishing scams.

Date: 2008-06-06 12:31 am (UTC)
brooksmoses: (Default)
From: [personal profile] brooksmoses
That is darned interesting, is what it is.

At first guess, I'm guessing DNS hijack. Which, if true, is one of those "oh bleep; that raises the stakes another notch or dozen" sorts of things.

In any case, yipes.

Edit: Also, having looked at the screencaps: At least fraudsters still can't write decent English, so it's obviously false rather than eBay being dumb when one looks closely enough.
Edited Date: 2008-06-06 12:33 am (UTC)

Date: 2008-06-06 12:39 am (UTC)
From: [identity profile] cattitude.livejournal.com
I'd guess toolbar or ActiveX control hijacking. A DNS spoof to a previously visited https site would show a bad certificate dialog.

Firefox, while not perfect, is a bit safer than IE.

Date: 2008-06-06 01:50 am (UTC)
From: [identity profile] rivka.livejournal.com
I have installed Firefox. I'm also seeking security help from a Hijack This forum.

Argh.

Date: 2008-06-06 03:44 am (UTC)
From: [identity profile] adriang.livejournal.com
A DNS spoof to a previously visited https site would show a bad certificate dialog.
Actually, you may not be able to count on this. At one time (and I haven't kept up to see if this is still a problem), many browsers cached the fact that they had valid certificates by IP address. In other words, once a browser validated a certificate from a particular IP address, it would simply note the IP address, and then it would assume, for a while, that other HTTPS connections to that same IP address are okay without validating any further certificates.

So, if you hit "https://www.evil.com/", that site could poison your DNS cache, while responding to the "www.evil.com" DNS request so that it points to the same IP address if you look up "www.ebay.com" a bit later. Then it could validate a certificate for "www.evil.com" at the IP address, and then later, when you went to eBay, you'd pick up the poisoned entry to eBay, so your browser would hit the same IP address that it did for "www.evil.com". Also, it would note that it had already validated a certificate at that IP address, so it wouldn't bother validating a certificate for "www.ebay.com" at the same IP. You would never see any indication that the certificate was in doubt.

I hope that a few vendors have created fixes for this problem, since the last time I researched it.

Adrian
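
An added illustration of the caching behaviour described in the comment above (not part of the original thread, and not any browser's actual code): a toy client model showing why a validation cache keyed only by IP address suppresses the certificate warning, and how keying it by hostname as well restores it. The class names, hostnames and address are constructed placeholders, and certificate trust is taken as given rather than computed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate was issued for
    trusted: bool  # chains to a trusted CA (taken as given in this model)

def cert_ok(cert, hostname):
    """Full validation: trusted chain and the name matches the requested host."""
    return cert.trusted and cert.subject == hostname

class IpKeyedClient:
    """Flawed cache from the comment: 'this IP validated once' skips later checks."""
    def __init__(self, resolver, servers):
        self.resolver, self.servers = resolver, servers
        self.cache = set()

    def cache_key(self, hostname, ip):
        return ip

    def connect(self, hostname):
        ip = self.resolver[hostname]
        key = self.cache_key(hostname, ip)
        if key in self.cache:
            return "ok (cached, certificate not re-checked)"
        if not cert_ok(self.servers[ip], hostname):
            return "certificate warning"
        self.cache.add(key)
        return "ok (validated)"

class HostKeyedClient(IpKeyedClient):
    """Corrected cache: a result is only reused for the same hostname and IP."""
    def cache_key(self, hostname, ip):
        return (hostname, ip)

# Constructed scenario: placeholder names, documentation-range address.
RESOLVER = {"www.evil.example": "203.0.113.7",
            "www.shop.example": "203.0.113.7"}  # second entry is the poisoned one
SERVERS = {"203.0.113.7": Cert("www.evil.example", trusted=True)}

def visit_both(client_cls):
    """Visit the first site, then the one whose DNS entry was poisoned."""
    client = client_cls(RESOLVER, SERVERS)
    return [client.connect("www.evil.example"), client.connect("www.shop.example")]

if __name__ == "__main__":
    print("IP-keyed cache:  ", visit_both(IpKeyedClient))
    print("host-keyed cache:", visit_both(HostKeyedClient))
```
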

Date: 2008-06-06 01:29 am (UTC)
From: [identity profile] klwalton.livejournal.com
Oh, crap. I'm sorry this happened to you.

I just signed on (it had been a while), and had no problems. I also have the Ebay/PayPal security key fob (can't find a great link at the moment) which generates a security code every 30 seconds. I got it when I started doing some heavy-duty selling.

As bigoted as it might sound

Date: 2008-06-06 01:41 am (UTC)
From: [identity profile] laurent-atl.livejournal.com
Using Windows and IE is a bit of a suicidal behavior.

Also I would not bet clearing your cache and cookies restored your machine to a safe state. I would not use this machine to enter/handle any sensitive information.

Re: As bigoted as it might sound

Date: 2008-06-06 02:08 am (UTC)
From: [identity profile] rivka.livejournal.com
Using Windows and IE is a bit of a suicidal behavior.

Was this supposed to be helpful? Or was it just supposed to bolster your sense of superiority?

Date: 2008-06-06 03:03 am (UTC)
platypus: (Default)
From: [personal profile] platypus
Hm. I'm wondering if the little folder icon near the bottom of the screen with the little exclamation point was related to the situation. Isn't there usually a lock icon somewhere when a https:// site is actually secure? It's pretty alarming to see something like that managing to hijack your browser (or whatever happened) right at eBay's site.

scary stuff

Date: 2008-06-06 04:16 am (UTC)
From: [identity profile] jinian.livejournal.com
Whoa. At least they overreached -- hopefully some fraction of people hit with this thing are going to know asking for their PIN is fishy.

Date: 2008-06-06 05:56 am (UTC)
ext_6381: (Default)
From: [identity profile] aquaeri.livejournal.com
Yeeeeeesh. Thanks for passing on a warning to the rest of us.

Date: 2008-06-06 07:40 am (UTC)
From: [identity profile] sciamanna.livejournal.com
I don't know if this can be helpful to solve the situation or at least find out its cause, but... Is it normal that you still have to sign in when the welcome screen already shows your username? I don't have an eBay account so I don't know about the specific case, but in all other cases I can think of, *either* I'm already signed in and then the screen shows my username somewhere, *or* I have to sign in and then my username doesn't appear on the screen (though in some cases it may be prefilled in a field, but that's my browser and not the site).

Hope this can help -- if not, just ignore.

Date: 2008-06-06 08:37 am (UTC)
From: [identity profile] green-knight.livejournal.com
Some sites - Amazon, for example - do this for added security: you're logged in for forums, to view your wishlist, etc., but if you want to do something potentially costly, you need to prove that you're you. It's good practice.

rivka's experience sounds scary - thanks for sharing.

Date: 2008-06-07 02:00 pm (UTC)
From: [identity profile] selki.livejournal.com
LinkedIn does this, too -- normal login is fine for most stuff, but if you want to private message someone or invite someone to be a connection, it asks for your password again.

Date: 2008-06-06 11:48 am (UTC)
From: [identity profile] rivka.livejournal.com
Is it normal that you still have to sign in when the welcome screen already shows your username?

Yes. eBay remembers who you are, but you have to sign in with your password at least once a day if you want to be able to bid on things.

Date: 2008-06-06 12:27 pm (UTC)
From: [identity profile] papersky.livejournal.com
This happened to one of my cousins a few months ago. She was totally taken in by it and lost a lot of money. And her mother was earlier taken in by the "Lottery" scam on the phone, and lost a lot of money. They're gullible people. At least you have the good sense not to fall for it.

I believe the police said that the way it technically happened is something to do with security holes in how Explorer implements "https". It did persuade my aunt to start using Firefox.

Date: 2008-06-06 04:21 pm (UTC)
From: [identity profile] marici.livejournal.com
Not completely sure this is the same, but I run Firefox and NoScript. NoScript is annoying as all get-out at first since you have to whitelist each site you trust that wants to run scripts, but when I signed into the secure portion of Blizzard.com it stopped me to say "you were on Blizzard.com, now you're getting a page from www.blizzard.com. Is this ok?" As in, it wanted me to check the addition of www, I think.

Also, Adblock for Firefox makes all sorts of web browsing more pleasant.

http://www.mozilla.com/en-US/firefox/
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
Edited Date: 2008-06-06 04:59 pm (UTC)

Date: 2008-06-08 06:59 pm (UTC)
From: (Anonymous)
the whole stupid thing crossed out and then writing credulous was a little studpid dont you think?

Date: 2008-06-08 08:33 pm (UTC)
From: [identity profile] rivka.livejournal.com
Do you think I would have seemed more intelligent if I'd crossed out studpid and then written credulous? Please advise.

Date: 2008-06-09 03:22 pm (UTC)
From: [identity profile] porcinea.livejournal.com
*laugh*

(More like *cackle*, actually. Out loud.)
