
eBay Members Phished Again

Perhaps we're not completely over hacking for bragging rights and it's not just about the money. Earlier this week, information on 1,200 eBay members was posted on a company forum. The posting included bogus credit card information which appeared real enough to trigger an investigation by eBay.

eBay posted its summary analysis on the company blog The Chatter:

While the issue was very unfortunate, it was clearly falsified to cause public concern. Early on eBay's teams verified that the credit card "data" did not match anything on file for these members on eBay or PayPal. After more investigation, including phone conversations with many of the members, it appears that these numbers were not valid at all.

Each of these accounts was the victim of an Account Take Over, most likely through a successful phishing campaign. eBay has been in contact by phone with many of these members, and there is a My Messages email going out to impacted accounts to further our reach.

eBay's take on this is that the account theft is the result of phishing, not hacking. eBay also says members should check their message queue from eBay.


eBay members should always check their "My Messages" queue to verify any e-mail from eBay concerning their account. "If an e-mail affects your eBay account, it's in My Messages. If you get an e-mail that looks like it's from eBay about a problem with your account or requests personal information and it's not in My Messages, it's a fake e-mail," she said.

Suspicious e-mails should be reported to these mailboxes: spoof@ebay.com or spoof@paypal.com.

In theory, a good idea; in practice, most of us can't keep up with our inbox as it is. People likely to fall victim to a phishing scam that uses eBay as the lure probably don't know they have an eBay message queue, let alone take the extra step to check it.

We don't need to prevent all phishing, but we do need to drive the phishers' return on investment down. I can think of a bunch of possible ways to improve the chances of victims correctly identifying a phishing lure, e.g. user-selected images included in all emails from the vendors, digitally signed messages, etc. The only problem is I can think of even more reasons why these won't work in practice.
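To make the two ideas above concrete, here is an added example (mine, not code from the post or from eBay) of what a "digitally signed message" that also carries a user-selected image identifier looks like in working code. It assumes an Ed25519 vendor key and a constructed notification format; the member's mail client would hold the vendor's public key and refuse to render a message whose signature does not check out. The point the example makes is that a phisher who alters the body, swaps in their own link, or never saw the account's chosen image cannot produce a message that verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Notification models the message a vendor sends to a member.
// UserImageID stands in for the "user-selected image" idea: the member picked
// it at registration, so a forger who has never seen the account cannot
// reproduce it. Constructed format for this example, not eBay's.
type Notification struct {
	Recipient   string
	UserImageID string
	Body        string
}

// canonical serialises the fields in a fixed order so that signer and
// verifier sign and check exactly the same bytes.
func canonical(n Notification) []byte {
	return []byte(n.Recipient + "\n" + n.UserImageID + "\n" + n.Body)
}

// Sign returns a base64 Ed25519 signature over the canonical form, made with
// the vendor's private key (which never leaves the vendor).
func Sign(priv ed25519.PrivateKey, n Notification) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(n)))
}

// Verify reports whether sig was produced by the vendor's key over exactly
// these fields. Any change to the recipient, image id or body fails, as does
// a malformed signature string.
func Verify(pub ed25519.PublicKey, n Notification, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canonical(n), raw)
}

func main() {
	// Vendor key pair; in practice generated once and the public half
	// distributed to members' mail clients.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := Notification{
		Recipient:   "member@example.com", // constructed sample address
		UserImageID: "img-7f3a",            // constructed sample image id
		Body:        "Your listing #12345 has ended. See My Messages for details.",
	}
	sig := Sign(priv, genuine)
	fmt.Println("genuine verifies:", Verify(pub, genuine, sig))

	// A phisher reuses the real signature but rewrites the body with a lure.
	forged := genuine
	forged.Body = "Confirm your password at http://example.invalid/login"
	fmt.Println("forged verifies:", Verify(pub, forged, sig))
}
```

The verifier is deliberately strict: it accepts nothing it cannot bind to the vendor key, so a lure that merely looks like the vendor's template, or that quotes a real signature from another message, is rejected before the member ever has to judge it by eye.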

What do you think are the most promising anti-phishing techniques?


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net