eBay security issue II—Access to your account from a foreign IP address

There is a new one from eBay. I won't say "Poor eBay": they make tons of money, and this is probably more advertising than anything else for them. But here we have a funny one!

Your account has been accessed from a foreign IP address


Received:			from snap.turnwatcher.com by substitute with [XMail 1.22 ESMTP Server]
				id <SAE97> for <@mail.m2osw.com:alexis@halk.m2osw.com>
				from <root@hs58.order-vault.net>; Fri, 8 Sep 2006 18:00:52 -0700
Received:			from hs58.order-vault.net (unknown [69.94.80.35])
				by snap.turnwatcher.com (Postfix) with ESMTP id 4FD8E26AD32
				for <alexis@m2osw.com>; Fri,  8 Sep 2006 18:03:17 -0700 (PDT)
Received:			from hs58.order-vault.net (localhost.localdomain [127.0.0.1])
				by hs58.order-vault.net (8.12.11/8.12.11) with ESMTP id k8913GLI004002
				for <alexis@m2osw.com>; Fri, 8 Sep 2006 21:03:16 -0400
Received:			(from root@localhost) by hs58.order-vault.net (8.12.11/8.12.11/Submit)
				id k8913FGa028804 for alexis@m2osw.com; Fri, 8 Sep 2006 21:03:15 -0400
Date:				Fri, 8 Sep 2006 21:03:15 -0400
Message-Id:			<200609090103.k8913FGa028804@hs58.order-vault.net>
From:				"eBay" <aw-confirm@ebay.com>
MIME-Version: 1.0 Content-Type: text/html
Content-Type:			text/html
Content-Transfer-Encoding:	8bit
Subject:			FPA NOTICE: Suspicious Activity -Section 9
To:				undisclosed-recipients:;

Dear eBay member,

We recently noticed one or more attempts to log in to your eBay account from a foreign IP address and we have reasons to believe that your account was accesed by a third party without your authorization.
If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you.

The login attempt was made from:

IP address: 154.106.12.15

IS Host: cache-154.proxyes.aol.com.

Due the security measures we temporarily suspended your account.
If you are the rightful holder of the account, click on the link below, fill the form and then submit as we try to verify your identity:

The following is how the link appeared. Hey! Looks like a very silly eBay link alright.

http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert&fsopz3qqsa.catz49979qqs.ocmdzlisting

Wow! This one was a really good one, and I wonder how long it will take eBay to close the weakness. The problem is that if it really works that way, they will need to design a new set of scripts to make a new way work. It looks really stupid of eBay to offer such an easy way to go from place A to place B. So?! How could people fall for it? Look at that URL. It starts with http://signin.ebay.com and that is the legal, 100% legitimate URL!!!

http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert&ru=http://0x53.0x62.0x8003/https://signin.ebay.com/ws/eBayISAPI.dll/index.php

What am I talking about?! Look at it this way: the dll that the hackers have found there will take a parameter from the URL (i.e. ru=) and go there instead. The blue part, everything up to and including ru=, is "good" (normal silly eBay stuff), and what's red, everything after ru=, is hacker stuff.

http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert&ru=http://0x53.0x62.0x8003/https://signin.ebay.com/ws/eBayISAPI.dll/index.php

And as I'm writing this, I tried it and it looks 100% like the normal eBay login screen. eBay's programmers are really really bad! And of course, this proves that eBay is using a wonderful MS-Windows Server. The most holy servers ever. Note that Microsoft will tell you they own the market. The fact is there are more Apache servers out there. Yet, Microsoft isn't lying on that one. They own the market money-wise. They do not own it in number of servers. In the long run, it costs you a lot less to run Apache, even if you do not have all these wonderful tools which you have no idea what the hell they do to your websites...
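The check that the `ru=` handling described above is missing can be sketched as follows. This is an added example, not eBay's code: the allowlist and the function names are assumptions, and the only real input is the link from the mail. It decodes hex and short-form IPv4 hosts such as `0x53.0x62.0x8003` and refuses any return URL whose host is not explicitly allowed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of hosts a sign-in page may send the user back to.
ALLOWED_RETURN_HOSTS = {"signin.ebay.com", "www.ebay.com"}
# The link from the phishing mail above.
PHISH_LINK = ("http://signin.ebay.com/ws/eBayISAPI.dll?SignInMCAlert&ru="
              "http://0x53.0x62.0x8003/https://signin.ebay.com/ws/eBayISAPI.dll/index.php")

def decode_legacy_ipv4(host):
    """Decode an inet_aton-style host (hex/octal/decimal, 1-4 parts) to a dotted quad, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", p):
            return None
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:  # e.g. "09" is not valid octal
            return None
    *lead, last = nums
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(n > 0xFF for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def check_return_url(link):
    """Return (verdict, host) for the ru= redirect target carried by a sign-in link."""
    targets = parse_qs(urlsplit(link).query).get("ru", [])
    if not targets:
        return ("no-redirect", None)
    if len(targets) > 1:
        return ("reject: repeated ru", None)
    target = urlsplit(targets[0])
    host = target.hostname or ""
    ip = decode_legacy_ipv4(host)
    if ip is not None:
        return ("reject: numeric host", ip)
    if target.scheme != "https" or host not in ALLOWED_RETURN_HOSTS:
        return ("reject: host not allowlisted", host)
    return ("allow", host)

if __name__ == "__main__":
    print(check_return_url(PHISH_LINK))
```

The same decoder is useful on the mail-filtering side: a link whose redirect parameter resolves to a bare numeric host is a strong signal on its own.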

Note: the other links below are standard eBay links. Note that eBay will let you use your account from anywhere in the world.

Once you will confirm your personal information so we can verify your identity, your account will be re-estabilished. We strongly recommand to change your personal information such as password or security question if the login attempt was not made by you.

Please note that this suspension does not relieve you of your obligation to pay any fees you may currently owe to eBay.

Respectfully,
Trust and Safety Department
eBay Inc.
https://www.ebay.com/


 

This eBay notice was sent to you based on your eBay account preferences. If you would like to review your notification preferences for other types of communications, click here. If you would like to receive this email in text only, click here.

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

Copyright © 2006 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.

eBay and the eBay logo are trademarks of eBay Inc.