decoding an ebay phishing email

Permabanned | Joined 18 May 2006 | Posts 9,036
Just had a look at an eBay phishing email that came in this morning;
basically it is made to look like an email from an email member requesting info.


this was one of the links used

https: //signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fsignin.ebay.com%3A80%2Fws%2FeBayISAPI.dll%3FSignInMCAlert%26ru%3Dhttp%253A%252F%252F3736827751%253A82%252Fhttps.signin.ebay.com%252Freg.php%26SignInMCAlert%3D%26guest%3D1&pageType=2602



they are using double decoding to confuse their web URL:
(I'd only noticed single decoding before now)

http%253A%252F%252F3736827751%253A82%252F

IE decodes "..%252f" into "..%2f", as "%25" is a URL-encoded '%'
(25 hex is the ASCII code for a percentage sign),
and %2f is a backslash "/".


= http %253A %252F %252F 3736827751 %253A 82 %252F


from this we get, http://3736827751:82

and decoding that using
http://www.toastedspam.com/decodeip

= http://222.187.119.103:82

which I think is somewhere in China


This is the interesting bit:
The "ru=" bit in the 1st URL is what eBay normally uses to redirect you back
to where you originally were on the eBay site,
but the phisher uses it to redirect you to their eBay clone HTML after a logon failure
(note they are still trying to make it look like a https URL)

ru=http://3736827751:82/https.signin.ebay.com/reg.php

the link is dead,
but it's at this point they will try to log your Ebay password.



this technique is at least a year old now,
I think Ebay needs to sort itself out,
you shouldn't need to know all this guff just to log on safely :p



I'm not an expert in this, so feel free to point out errors
 
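The decoding the post walks through by hand can be done mechanically. The following is an added example (not code from the original post): it takes the quoted link, peels the nested ru= parameters one level at a time exactly as the browser would, and renders the integer-form host 3736827751 as a dotted quad. Assumptions are labelled in the comments: the link is copied from the post with the anti-link space in "https: //" removed so it parses, and the "offsite" check compares bare hostnames rather than registrable domains.

```python
"""Unwrap the nested ru= redirect in an eBay-style phishing link and recover
the real destination.  Added example; not part of the original forum post."""
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# The link quoted in the post above.  Only change: the space the poster put in
# "https: //" has been removed so the string parses as a URL.
PHISH_URL = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId="
    "&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fsignin.ebay.com%3A80%2Fws"
    "%2FeBayISAPI.dll%3FSignInMCAlert%26ru%3Dhttp%253A%252F%252F3736827751"
    "%253A82%252Fhttps.signin.ebay.com%252Freg.php%26SignInMCAlert%3D%26guest"
    "%3D1&pageType=2602"
)


def decode_layers(value, max_depth=5):
    """Percent-decode repeatedly until the text stops changing.

    Returns every intermediate form, so a double-encoded fragment such as
    'http%253A%252F%252F...' yields three entries: raw, single-decoded
    ('http%3A%2F%2F...') and fully decoded ('http://...').
    """
    layers = [value]
    for _ in range(max_depth):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def follow_ru_chain(url):
    """Follow nested ru= (return URL) parameters the way the redirector does.

    Each hop decodes the query string once, which is why a value encoded twice
    survives the first redirect intact and only becomes a URL on the second.
    """
    chain = [url]
    while True:
        params = parse_qs(urlsplit(chain[-1]).query, keep_blank_values=True)
        ru = params.get("ru", [""])[0]
        if not ru or ru in chain:  # no further hop, or a loop
            break
        chain.append(ru)
    return chain


def canonical_host(host):
    """Render an integer-form host (e.g. '3736827751') as dotted quad.

    Browsers accept a bare 32-bit integer as an IPv4 address; writing it that
    way just hides the address from a human reader.
    """
    if host is not None and host.isdigit():
        return str(ipaddress.IPv4Address(int(host)))
    return host


def real_destination(url):
    """Return (host, port, path) of the page the victim finally lands on."""
    final = urlsplit(follow_ru_chain(url)[-1])
    default_port = 443 if final.scheme == "https" else 80
    return canonical_host(final.hostname), final.port or default_port, final.path


def is_offsite_redirect(url):
    """True when the final hop leaves the host the link visibly starts on.

    Assumption: a plain hostname comparison; a production check would compare
    registrable domains instead.
    """
    first_host = urlsplit(url).hostname
    final_host, _, _ = real_destination(url)
    return final_host != first_host


if __name__ == "__main__":
    for hop in follow_ru_chain(PHISH_URL):
        print("hop:", hop)
    for layer in decode_layers("http%253A%252F%252F3736827751%253A82%252F"):
        print("layer:", layer)
    host, port, path = real_destination(PHISH_URL)
    print(f"victim lands on {host}:{port}{path}")
    print("leaves the eBay host:", is_offsite_redirect(PHISH_URL))
```

The path component "/https.signin.ebay.com/reg.php" is what makes the final hop look like an eBay HTTPS address when glanced at in a status bar; the host that actually serves it is the dotted quad returned by real_destination.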
Wow, from someone that knows nothing about this type of thing, I am very surprised at how sophisticated it is.

I thought they just used the text and title elements of anchor to hide where it was sending the user, something like this:

Code:
<a href="http://evildomain.com/" title="eBay.com">Http://www.ebay.com</a>
 
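The anchor trick in the post above (visible text and title say eBay, href goes elsewhere) is easy to catch automatically when scanning an HTML mail. The following is an added example, not code from the original post: it pulls every anchor out of a constructed sample message and flags those whose displayed text or title names a different host than the href actually points at. The sample HTML and the very simple "same site" rule (one host must equal or be a subdomain of the other) are assumptions made for the demonstration.

```python
"""Flag anchors whose visible text/title names a host other than the href's.
Added example; not part of the original forum post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one deceptive anchor (evildomain.com dressed up
# as eBay) and one honest anchor, to show both outcomes.
SAMPLE_HTML = (
    '<p>Dear member, please confirm your details at '
    '<a href="http://evildomain.com/login" title="eBay.com">Http://www.ebay.com</a> '
    'or visit the <a href="https://www.ebay.com/">eBay</a> home page.</p>'
)


class AnchorCollector(HTMLParser):
    """Collect href, title and the text between <a> and </a> for each anchor."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            self._current = {
                "href": attrs.get("href") or "",
                "title": attrs.get("title") or "",
                "text": "",
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def host_of(s):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def looks_like_host(text):
    """Heuristic: a displayed string claiming to be an address.

    Accepts 'Http://www.ebay.com' or 'eBay.com'; rejects plain words like
    'eBay' or 'click here', which make no verifiable claim.
    """
    text = text.strip()
    return bool(text) and " " not in text and ("://" in text or "." in text)


def same_site(a, b):
    """Assumed rule: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_deceptive_anchors(html):
    """Return anchors whose shown text/title names a host unlike the href host."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for a in parser.anchors:
        real_host = host_of(a["href"])
        claimed = {host_of(s) for s in (a["text"], a["title"]) if looks_like_host(s)}
        mismatched = sorted(h for h in claimed if not same_site(h, real_host))
        if mismatched:
            flagged.append({"href": a["href"], "real_host": real_host, "claimed": mismatched})
    return flagged


if __name__ == "__main__":
    for hit in find_deceptive_anchors(SAMPLE_HTML):
        print(f"{hit['href']} really goes to {hit['real_host']}, "
              f"but is shown as {', '.join(hit['claimed'])}")
```

The check only fires when the displayed string makes a concrete claim about an address; an anchor whose text is just "eBay" is left alone, since there is nothing machine-checkable to compare against.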
yep, they are getting more interesting these days.

when internet explorer was getting hacked into the dust a few years ago,
there were all sorts of stuff to look out for.
I liked the method of getting the address bar to display a faked site,
I even managed to reproduce that exploit myself. Never saw it used in the wild though.

I guess 'Pharming' is the new kid on the block now.
http://en.wikipedia.org/wiki/Pharming

Potentially some malicious code could rewrite a user's router config to point to a fake DNS server. Not many people change their router password, so this could be easy to script as a payload.

 