I tried to log in to my account this evening because I'm in the middle of an auction. I went to www.ebay.com, which had the typical "Hello rivkawald!" message on it. I clicked "sign in." My username was prepopulated in the right field. I entered my password. And was directed to what seems to be a phishing page.
"We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.
Please enter as more information as possible to provide your complete identification and to activate all the features of the new system."
The page then proceeded to ask for my full name, date of birth, mother's maiden name, social security number, credit card number & security code, ATM PIN, bank account number, and routing number.
No, really. And there wasn't any way to get past it.
(Screencaps are here and here.)
I went back to www.ebay.com and tried to log in again. Same thing again. I tried their "live help" chat and got routed to "account security live help," where I waited and waited and WAITED to no avail. "Thank you for your patience. Please hold for the next available Live Help Agent." And hold. And hold.
Finally I got through to a live agent. She had me clear my cache and cookies. I cleared everything out and then was able to get a regular login page when I went to ebay.com. I immediately changed my password, obviously.
But what the hell? I typed in the address to the eBay main page myself. I didn't follow a link in an e-mail. How could this happen? I am running AdAware and a full virus scan, but... yikes. This scares the hell out of me. I thought only stupid credulous people were victims of phishing scams.
no subject
Date: 2008-06-06 12:31 am (UTC)
At first guess, I'm guessing DNS hijack. Which, if true, is one of those "oh bleep; that raises the stakes another notch or dozen" sorts of things.
In any case, yipes.
Edit: Also, having looked at the screencaps: At least fraudsters still can't write decent English, so it's obviously false rather than eBay being dumb when one looks closely enough.
no subject
Date: 2008-06-06 12:39 am (UTC)
Firefox, while not perfect, is a bit safer than IE.
no subject
Date: 2008-06-06 01:50 am (UTC)
Argh.
no subject
Date: 2008-06-06 03:44 am (UTC)
A DNS spoof to a previously visited https site would show a bad certificate dialog.
Actually, you may not be able to count on this. At one time (and I haven't kept up to see if this is still a problem), many browsers cached the fact that they had valid certificates by IP address. In other words, once a browser validated a certificate from a particular IP address, it would simply note the IP address, and then it would assume, for a while, that other HTTPS connections to that same IP address are okay without validating any further certificates.
So, if you hit "https://www.evil.com/", that site could poison your DNS cache, while responding to the "www.evil.com" DNS request so that it points to the same IP address if you look up "www.ebay.com" a bit later. Then it could validate a certificate for "www.evil.com" at the IP address, and then later, when you went to eBay, you'd pick up the poisoned entry to eBay, so your browser would hit the same IP address that it did for "www.evil.com". Also, it would note that it had already validated a certificate at that IP address, so it wouldn't bother validating a certificate for "www.ebay.com" at the same IP. You would never see any indication that the certificate was in doubt.
I hope that a few vendors have created fixes for this problem, since the last time I researched it.
Adrian
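The caching behaviour described in the comment above, as a toy model (an added example, not part of the original thread and not any browser's actual code): a validation cache keyed by IP address beside one keyed by hostname and certificate. The `Cert` type, the class names and the address 203.0.113.7 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate was issued for
    trusted: bool  # True if it chains to a CA the client trusts

def cert_ok(host, cert):
    # Full validation in this model: trusted chain AND name matches the request.
    return cert.trusted and cert.subject == host

class IpKeyedCache:
    """Flawed: remembers only that an IP once presented a valid certificate."""
    def __init__(self):
        self.validated_ips = set()

    def connect(self, host, ip, cert):
        if ip in self.validated_ips:
            return "accepted-from-cache"   # certificate never compared to host
        if cert_ok(host, cert):
            self.validated_ips.add(ip)
            return "accepted"
        return "warning"

class HostKeyedCache:
    """Hardened: a result is reused only for the same hostname and certificate."""
    def __init__(self):
        self.validated = set()

    def connect(self, host, ip, cert):
        if (host, cert) in self.validated:
            return "accepted-from-cache"
        if cert_ok(host, cert):
            self.validated.add((host, cert))
            return "accepted"
        return "warning"

def replay(client):
    # Constructed scenario: after the DNS cache is poisoned, both names
    # resolve to the same server, which can only present its own certificate.
    ip = "203.0.113.7"
    server_cert = Cert("www.evil.com", trusted=True)
    first = client.connect("www.evil.com", ip, server_cert)
    second = client.connect("www.ebay.com", ip, server_cert)
    return first, second

if __name__ == "__main__":
    print("IP-keyed cache:  ", replay(IpKeyedCache()))
    print("host-keyed cache:", replay(HostKeyedCache()))
```

With the IP-keyed cache the second connection is accepted without the name ever being compared; with the host-keyed cache the mismatch surfaces as a warning.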
no subject
Date: 2008-06-06 01:29 am (UTC)
I just signed on (it had been a while), and had no problems. I also have the Ebay/PayPal security key fob (can't find a great link at the moment) which generates a security code every 30 seconds. I got it when I started doing some heavy-duty selling.
As bigoted as it might sound
Date: 2008-06-06 01:41 am (UTC)
Also I would not bet clearing your cache and cookies restored your machine to a safe state. I would not use this machine to enter/handle any sensitive information.
Re: As bigoted as it might sound
Date: 2008-06-06 02:08 am (UTC)
Was this supposed to be helpful? Or was it just supposed to bolster your sense of superiority?
no subject
Date: 2008-06-06 03:03 am (UTC)
scary stuff
Date: 2008-06-06 04:16 am (UTC)
no subject
Date: 2008-06-06 05:56 am (UTC)
no subject
Date: 2008-06-06 07:40 am (UTC)
Hope this can help -- if not, just ignore.
no subject
Date: 2008-06-06 08:37 am (UTC)
no subject
Date: 2008-06-07 02:00 pm (UTC)
no subject
Date: 2008-06-06 11:48 am (UTC)
Yes. eBay remembers who you are, but you have to sign in with your password at least once a day if you want to be able to bid on things.
no subject
Date: 2008-06-06 12:27 pm (UTC)
I believe the police said that the way it technically happened is something to do with security holes in how Explorer implements "https". It did persuade my aunt to start using Firefox.
no subject
Date: 2008-06-06 04:21 pm (UTC)
Also, Adblock for Firefox makes all sorts of web browsing more pleasant.
http://www.mozilla.com/en-US/firefox/
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
no subject
Date: 2008-06-08 06:59 pm (UTC)
no subject
Date: 2008-06-08 08:33 pm (UTC)
no subject
Date: 2008-06-09 03:22 pm (UTC)
(More like *cackle*, actually. Out loud.)