Monica ([personal profile] cellio) wrote2015-12-11 10:45 am

what's the deal with this phish?

I see a lot of phishing attempts and more than a few spear-phishing attempts, but a recent one is leaving me wondering what the phishers were trying to do.

A couple days ago I got email, purportedly from eBay, acknowledging my new account. The email came to my Gmail address, which I don't publicly use but is easily guessable. The account had a goofy name starting with the first few letters of my email address.

Whenever I think there could be an unauthorized account in my name on a real service I try to reset its password, just in case. So I fired up an incognito window and went to eBay (really eBay, not using the link in the email), went to the login page, gave that account name, and clicked "forgot password". This generated email to me -- which means, I think, that an account of that name really was created (not by me). I reset the password.

While I was there I checked the transaction history and looked for private information. That was all clean. I initiated an account-deletion request, choosing "concerns about identity theft" from their menu of reasons. (Aside: eBay's short list of deletion reasons includes "concerns about identity theft"!) eBay holds such requests for a week to ensure that transactions close, even if there are no transactions (I consider the latter a flaw). I set a reminder to check back in a week.

A day later (just about 24 hours, in fact), I got password-reset email, identical to the email my own reset request had generated (other than the specific link).

Now if the phishers tried to log in and clicked "forgot password", they should already know that that would only work if they could intercept that email. I am as confident as I can be without server access that my Gmail account has not been compromised (I'm very careful about that), but I nonetheless changed my password and reviewed recent access logs. No new devices had accessed my account in this timeframe.

It is always possible, of course, that I am dealing with somebody who is just inept. But if this is a viable attack vector, what's the deal? How is it supposed to work? How does creating an account on eBay attached to an email address you can't access help you?

[identity profile] nancylebov.livejournal.com 2015-12-11 04:08 pm (UTC)
I believe spammers don't necessarily write their own spam, sometimes they buy it. It wouldn't surprise me if some of the spam they buy is of poor quality.

[identity profile] dagonell.livejournal.com 2015-12-11 04:29 pm (UTC)
I haven't been on Ebay in quite some time. Is it possible to say 'send the item to this physical address and the bill to this email address'?

[identity profile] anastasiav.livejournal.com 2015-12-11 06:40 pm (UTC)
Another option might be that someone doesn't know how to spell their own email address. There is a person out there whose name is similar to mine except for the difference of one letter. I used to pretty frequently get stuff of theirs (kohl's rewards, once a sign up for "Christian Singles over 50" website) because they would miskey their own email address as mine.

In this case I'd say maybe less phishing and more inept internet user.

[identity profile] metahacker.livejournal.com 2015-12-11 10:21 pm (UTC)
+1. There is someone in Florida who is convinced my email address is hers and keeps giving it to her friends and signing up for stuff with it.

Passthrough!

[personal profile] siderea 2015-12-12 06:52 am (UTC)
I see how this can work.

0) Create an account on Ebay for a known email address.

1) Rip the skin off Ebay and slap it on your own website, named something like www.ebay.com.ebaysomethingdomain.com.

2) Edit the javascript to capture any user-submitted auth tokens before passing them along to real Ebay, so that when the user submits username/password on the fake site, it really does log you in to (and pass you along to) Ebay, but keeps a copy. (This can be either logging in as a kind of virtual client of Ebay, or simply snagging your credentials and sending you to use real Ebay.)

3) Email the email account with the link to the bogus passthrough website.

4) Wait for user to log into the account through the URL in the email, to the passthrough website. If the user doesn't notice the URL is bogus in the email, everything(?) subsequently will look legit because they will be using real Ebay's skin.

5) Profit.

If they can get you to follow their URL, they don't need to read your email.

ETA: which is a hell of a lot of effort for spearphishing. Another vote for clueless user.
Edited 2015-12-12 06:54 (UTC)

Re: Passthrough!

[personal profile] goljerp 2015-12-13 12:46 pm (UTC)
Ah, but sometimes it's www.ebæy.cøm (or something that looks even closer).
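Both siderea's step 4 (a link whose hostname merely starts with the real brand, like the hypothetical www.ebay.com.ebaysomethingdomain.com) and goljerp's homograph variant come down to the same defensive check: before following a "password reset" link, look at where its hostname actually ends, and whether it is really ASCII. The script below is an added example for this thread, not code from any commenter or from eBay. It assumes a simplified "last two labels" notion of the registrable domain (a stand-in for a public suffix list lookup, so it is wrong for suffixes such as co.uk), and the sample links are constructed to mirror the cases the comments describe.

```python
from urllib.parse import urlsplit

# Constructed sample links modelled on the thread (not real mail): a genuine
# login URL, the "brand as a subdomain of someone else's domain" trick, a
# homograph look-alike, and a real-domain link that is merely not HTTPS.
SAMPLE_LINKS = [
    "https://www.ebay.com/signin",
    "https://www.ebay.com.ebaysomethingdomain.com/signin",  # hypothetical domain
    "https://www.ebæy.cøm/signin",                           # non-ASCII look-alike
    "http://signin.ebay.com/reset?token=example",            # constructed token
]


def registrable_domain(host):
    """Last two labels of a hostname.

    Assumption: a simplified stand-in for a public-suffix-list lookup; it is
    wrong for multi-label suffixes such as co.uk.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_warnings(url, expected_domain="ebay.com"):
    """Return the reasons a link claiming to be from expected_domain should
    not be trusted. An empty list means these checks raised no warning."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    # Homograph check: any non-ASCII character, or a punycode (xn--) label
    # left over from IDNA encoding, means the name only *looks* familiar.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalised hostname (possible look-alike)")
    domain = registrable_domain(host)
    if domain != expected_domain:
        warnings.append(f"registrable domain is {domain}, not {expected_domain}")
        # The brand appearing as an inner run of labels is the
        # www.ebay.com.<other-domain> pattern described in the comment.
        if f".{expected_domain}." in f".{host}.":
            warnings.append(f"{expected_domain} appears only as a subdomain label")
    return warnings


def triage(links=SAMPLE_LINKS, expected_domain="ebay.com"):
    """Map each link to its warnings so a reader can eyeball the whole batch."""
    return {url: link_warnings(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, reasons in triage().items():
        print(url, "->", reasons or ["no warnings"])
```

Only the first sample passes clean; the subdomain trick and the homograph each trip the registrable-domain check, and the homograph additionally trips the non-ASCII check, which is the point of goljerp's reply: the eye forgives a character the parser does not.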