Short bio: Computer Scientist, FOSS supporter (read more)
Tux Machines (TM)-specific
A flaw has been discovered on eBay’s website that would have allowed fraudsters to successfully redirect the sign-on process to a phishing site.
Reported by British anti-phishing outfit Netcraft, the clever scam apparently started with fraudsters sending e-mails asking eBay users to update their accounts. So far so normal, as such fake eBay e-mails are currently one of the phishing world’s persistent lines of attack.
Disarmingly, however, the link provided was genuine and led to the correct eBay sign-in page, signin.ebay.com. If users clicked on this, parameters embedded in the otherwise normal stream of characters at the end of the link actually redirected users away from the page after the sign-in page to a fake phishing page, via an open relay hosted at servlet.ebay.com.
The end result would have been that users gave away information allowing phishers to hijack their accounts, either as a way of laundering money or for launching fake auctions.