Ebay fraud!

For beginners, flames not allowed...(just by the staff :P)
Swan
Knight of the Sword
Posts: 827
Joined: 18 Oct 2006, 16:00

Ebay fraud!

Post by Swan »

This is intended as a warning to Ebay users, especially those who like me are not comfortable with computers.

Step 1. To build the fraudulent web site, the attacker simply sends requests to
eBay for the HTML markup and images needed to render critical pages of the eBay
site. Because the Web works by having clients (such as Mozilla or Internet Explorer)
download HTML from the server and then display the results to the user, there is no
way for eBay to stop users from downloading its source. In fact, easy replicability
of content from one Web site to another is a critical feature of the Web.
Instructing the eBay site to send a copy of the source is as simple as having the
attacker point his browser to http://www.ebay.com/.

Step 2. The eBay site responds to the request from the client, sending down the
HTML source for the requested page. Capturing this information, instead of using
it strictly for display on the attacker's monitor, is as simple as using the "Save As"
menu option in the browser.
The attacker now has the source code needed to replicate the "look and feel" of
the eBay site on any server of his choosing. With some minor modifications to the
code, the results of forms can be sent to new programs that reside on the attacker's
computer, instead of the legitimate form processing software on the real eBay web
site.
Step 3. Additional data might be needed to fetch things like images from the
eBay web site, or to see what email from eBay actually looks like.
Step 4. eBay will naturally respond to the attacker's requests, which all by themselves
are quite legitimate. It's important to understand that from eBay's perspective,
no fraudulent activity has (yet) taken place.
Unbeknownst to eBay, however, the attacker has not been simply displaying the
data he has downloaded. He has created a new site of his own, using the HTML
and images from eBay, with modifications to ensure that the data submitted by the
user will be collected by the attacker's site instead of submitted to the legitimate
eBay web site.
Once the site is finished, it is put online, where it will await users who submit
their information to it.
2.2 Directing Users to the Fraudulent Site
Step 5. eBay users now need to be convinced to connect to the fraudulent web
site. The means for doing that is by sending an email message, crafted using eBay's
look and feel, even including an image of the eBay logo. The text of the message
is reproduced precisely in Figure 2.
With the exception of the truncated copyright notice, there seems to be very
little indication of anything being amiss. Indeed, to non-experts, the reason given
for having deleted the credit card information might even sound plausible.
Step 6. Mail client requests real eBay images. As the user's email client renders
the fraudulent message, it will obey the HTML directive to fetch the eBay logo
image from the legitimate eBay web site. A careful user might even be inclined to
note the source of the eBay logo, which would tend to support the conclusion that
the message itself is legitimate.
Step 7. eBay returns real images to client for display in the fraudulent email.
Thus, the HTML is stolen from eBay and modified, sent by an attacker, the images
come directly from eBay, and the link will connect the user not to the real eBay,
but to the fraudulent Web site.
INTERHACK PROPRIETARY: PUBLIC/3/3
Recently we attempted to authorize payment from your credit card we
have on file for you, but it was declined.
For security purposes, our system automatically removes credit card
information from an account when there is a problem or the card expires.
Please resubmit the credit card, and provide us with new and complete
information. To resubmit credit card information via our secure server,
click the following link:
http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn
This is the quickest and easiest method of getting credit card information
to us. Using the secure server will ensure that the credit card will
be placed on account within 24 hours.
Copyright 1995-2003 Ebay Inc.
All Rights Reserved. Designated trademarks and brands are the
property of their respective
Figure 2: Text of Message Bringing Users to Fraudulent Site
2.3 Fraudulent Site Operation
Step 8. Victim clicks on the link, requesting source from attacker's Web server.
Interestingly, the link that is displayed to the user [1] is not the actual URI of the link.
Careful examination of the email's HTML source will show the actual link. Figure
3 shows the HTML source of the paragraph and the link itself.
<p>Please resubmit the credit card, and provide us with new
and complete information. To resubmit credit card information
via our secure server, click the following link:</p>
<p> <a href="http://cgi3.ebay.com:aw-cgieBayISAPI.dll
SignInRegisterEnterInfo&siteid=0co_partnerid=2@
www.john33.netfirms.com/">
http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn</a>
</p>
Figure 3: HTML Source of Fraudulent Email Message
The URI is very carefully constructed to appear to be legitimate but to redirect
to the fraudulent Web site. Here we break the URI into its parts.

http:// This is the protocol identifier, and the separator characters showing an
external link. The protocol in this case is HTTP, unencrypted. (A typical
unsecured web link.)

cgi3.ebay.com: This is an optional section of a URI, reserved for the name of the
user logging in, and the separator token (:) used to differentiate it from the
next section.

aw-cgieBayISAPI.dllSignInRegisterEnterInfo&siteid=0co_partnerid=2@
This tricky section is obviously constructed to appear to be linking deep down
into the eBay web site, but in reality is being put into the optional password
field of the URI. The giveaway is the @ character at the end, which means
that what preceded it is user and/or password data.

www.john33.netfirms.com/ The real site name to which the client will connect.

[1] http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn
Step 9. Attacker's Web server answers the client's request, sending back the
fraudulent HTML for the user's browser to display.
At this point, the user believes that he is following a legitimate link to the eBay
web site. What the user sees instead is the illegitimate copy of the eBay web site
created in steps one through four.
Step 10. Thinking he is seeing the real eBay web site, the user enters his username
and password, sending them to the thieves running the fraudulent site.
Step 11. Fraudulent web site saves the username and password (thus allowing
the attacker to login to the user's account on the real eBay site), and displays a
page that asks the user to enter his credit card information again.
Note that no matter what the user enters, the fraudulent site will behave as if
the username and password were entered correctly. This reinforces the idea to the
user that the site is the correct one: when the user enters the right authentication
credentials, the site accepts them, and only the user and eBay's server should know
what those credentials are.
Step 12. User enters his credit card information and hits submit, sending the
credit card information not to eBay, but the fraudulent site.
Note that because the site is not using cryptographic methods for authentication
or session confidentiality, the credit card is also exposed to eavesdroppers.
Step 13. Fraudulent site sends back a "thank you" page, promising to update the
eBay account within twenty-four hours.
At the end of the session, the user believes that he has updated his eBay account,
and the attacker has collected the username, password, and credit card information
of eBay users who fell for the scam.

This is not my own work btw, I downloaded it as part of a file, can't remember the site. PS: I have omitted the methods of detection in case any gavones should think of trying this!
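As an added example (not from Swan's post or the Interhack paper it quotes), the following Python splits the Figure 3 link into the parts listed under Step 8 using the standard library's urlsplit, and produces the checks a mail client or gateway could apply before the user ever clicks: userinfo in front of an "@", a userinfo that looks like a host name, a displayed host that differs from the real host, and plain http. The benign comparison link is a constructed placeholder.

```python
from urllib.parse import urlsplit

# The href and its displayed text, as reproduced in Figure 3 of the quoted paper.
FRAUD_HREF = ("http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfo"
              "&siteid=0co_partnerid=2@www.john33.netfirms.com/")
FRAUD_TEXT = "http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn"

# Constructed benign link (hypothetical host) whose text and href agree.
GOOD_HREF = "https://signin.example-shop.test/login?next=/account"
GOOD_TEXT = "https://signin.example-shop.test/login"


def break_down(uri):
    """Split a URI into the parts the paper walks through in Step 8.

    Everything between '//' and the last '@' is userinfo (user[:password]);
    only what follows the '@' is the host the client actually connects to.
    """
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        "path": parts.path,
    }


def looks_like_host(value):
    """A userinfo containing a dot and no spaces is shaped like a domain name."""
    return value is not None and "." in value and " " not in value


def link_warnings(href, display_text):
    """Return the reasons a defender would flag this link (empty list if none)."""
    actual = break_down(href)
    warnings = []
    if actual["userinfo"] is not None:
        warnings.append("userinfo present: text before '@' is credentials, not a host")
    if looks_like_host(actual["userinfo"]):
        warnings.append("userinfo %r looks like a host name" % actual["userinfo"])
    if display_text and "://" in display_text:
        shown = break_down(display_text)
        if shown["host"] != actual["host"]:
            warnings.append("displayed host %r differs from actual host %r"
                            % (shown["host"], actual["host"]))
    if actual["scheme"] == "http":
        warnings.append("unencrypted http link")
    return warnings


if __name__ == "__main__":
    for reason in link_warnings(FRAUD_HREF, FRAUD_TEXT):
        print("WARN:", reason)
```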
