December 06, 2005, 10:57 AM — A sophisticated phishing attack has proven to be so successful, it has tricked eBay Inc.'s own fraud investigations team into endorsing it as legitimate, according to an independent security consultant who reported the attack to eBay.
In late November, Richi Jennings received a fraudulent e-mail message containing the subject line "Christmas is Coming on ebay.co.uk." Offering him "great tips for successful Christmas selling," the message directed him to the Web site ebaychristmas.net, which then asked Jennings to enter his eBay user name and password, as well as the name and password for his e-mail account.
Jennings reported the site to eBay on Nov. 25, and four days later he got a note back from the company's investigations team claiming that the e-mail message was, in fact, "an official e-mail message sent to you on behalf of e-Bay."
Jennings was dumbfounded. He immediately wrote back to eBay pointing out that the Web site being used was clearly fraudulent, but his e-mail went unanswered.
On Monday, an eBay spokeswoman confirmed that the e-mail message was indeed part of a fraud, but she could not explain why it had initially been identified as legitimate. "I don't know the answer to that," said spokeswoman Amanda Pires. "I'm assuming right now it was just an error."
From their initial response, it appeared that eBay's investigators did not take his concerns seriously, Jennings said. "They never actually used the word idiot, but I felt like they were calling me an idiot," he said. He believes that the e-mail message in question bore such a close resemblance to a legitimate eBay message that the company's investigators were simply tricked by the scam.
Pires said that eBay had, in fact, been working to take down the phishing site since Nov. 8, weeks before Jennings even contacted the company.
Both Jennings and eBay agreed that the phony Web site has been set up in such a way that it is extremely difficult to shut it down. The Web site's server software is being hosted on a variety of different PCs that appear to have been taken over by malicious "bot" software. Whenever eBay succeeds in getting one of these servers shut down, a new one pops up to take its place, Pires said.
"This is one of the cleverest [phishing attacks] I've seen in a while," Jennings said.
EBay has also been trying to shut down the Web site by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts, however, the site has remained operational.
That registrar, which does business under the name Joker.com, has the power to shut down the scam Web site, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.
Joker.com did not respond to e-mail requests to comment for this story.
EBay's gaffe shows how hard it has become to keep track of fraudsters, said Rich Miller, an analyst with Internet services vendor Netcraft Ltd.
Netcraft, which offers a free antiphishing toolbar of its own, classified more than 8,000 phishing sites in the month of November, Miller said. "It's very had to keep straight what is legitimate and what's not," he said.
As for Richi Jennings, though he doesn't have high regard (http://richi.co.uk/blog/2005/12/ebays-anti-phishing-desk-sucks.html) for eBay's investigators, he's willing to give them the benefit of the doubt. It's possible, he said, that the company was simply overwhelmed with questions about a legitimate e-mail message that closely resembled the scam, and then made the mistake of assuming he was writing about the same thing. "Hopefully this was a false negative in a sea of correct answers," Jennings said.
