[personal profile] cellio
I see a lot of phishing attempts and more than a few spear-phishing attempts, but a recent one is leaving me wondering what the phishers were trying to do.

A couple days ago I got email, purportedly from eBay, acknowledging my new account. The email came to my Gmail address, which I don't publicly use but is easily guessable. The account had a goofy name starting with the first few letters of my email address.

Whenever I think there could be an unauthorized account in my name on a real service I try to reset its password, just in case. So I fired up an incognito window and went to eBay (really eBay, not using the link in the email), went to the login page, gave that account name, and clicked "forgot password". This generated email to me -- which means, I think, that an account of that name really was created (not by me). I reset the password.

While I was there I checked the transaction history and looked for private information. That was all clean. I initiated an account-deletion request, choosing "concerns about identity theft" from their menu of reasons. (Aside: eBay's short list of deletion reasons includes "concerns about identity theft"!) eBay holds such requests for a week to ensure that transactions close, even if there are no transactions (I consider the latter a flaw). I set a reminder to check back in a week.

A day later (just about 24 hours, in fact), I got password-reset email, identical to the email my own reset request had generated (other than the specific link).

Now if the phishers tried to log in and clicked "forgot password", they should already know that that would only work if they could intercept that email. I am as confident as I can be without server access that my Gmail account has not been compromised (I'm very careful about that), but I nonetheless changed my password and reviewed recent access logs. No new devices had accessed my account in this timeframe.

It is always possible, of course, that I am dealing with somebody who is just inept. But if this is a viable attack vector, what's the deal? How is it supposed to work? How does creating an account on eBay attached to an email address you can't access help you?
