Just how cunning is eBay?

As Jason points out this morning (and Wayne pointed out in his web-free link feed a couple of days ago), eBay has an open redirect, at

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=

Yes, that means that phishers can have their “log in and change your password” link start with cgi4.ebay.com, and capture those people who wouldn’t click a link that starts with a numeric IP address, or with something not-quite-right like ebaysecuritylogin.com, but would happily click a link that starts with eBay’s own domain even though it ends with the phishing site, and lands them there. But… wouldn’t you guess that eBayISAPI.dll also does a tiny bit of logging, and pays particular attention to requests without a referer, and with suspicious URLs? “Oh, no, B’rer Phisher, please don’t use my redirect URL!”
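As an added example (not eBay’s code, and not from the original post), here is the defender’s side of the story: a redirect-target check that refuses anything off an allowlist, plus the kind of log sweep the post imagines, flagging off-site redirect requests that arrive with no referer. The allowlist, the log line format and the sample lines are all constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumed allowlist of hosts the redirector may send users to (not eBay's real policy).
ALLOWED_HOSTS = {"ebay.com", "www.ebay.com", "cgi4.ebay.com"}


def redirect_target(request_url):
    """Return the DomainUrl value of a RedirectToDomain request, or None
    when the request is not a redirect or carries no target."""
    q = parse_qs(urlparse(request_url).query)
    if q.get("MfcISAPICommand", [""])[0] != "RedirectToDomain":
        return None
    return q.get("DomainUrl", [None])[0]


def is_safe_redirect(target):
    """Allow only absolute http(s) URLs whose host is on the allowlist.
    Relative and protocol-relative targets, embedded credentials and
    look-alike hosts are all rejected, so the endpoint cannot be used as
    an open redirect."""
    if not target:
        return False
    p = urlparse(target)
    if p.scheme not in ("http", "https") or p.username or p.password:
        return False
    return (p.hostname or "").lower() in ALLOWED_HOSTS


# Constructed access-log sample: "<host> <path+query> <referer or ->" per line.
SAMPLE_LOG = """\
cgi4.ebay.com /ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.ebay.com/ http://www.ebay.com/
cgi4.ebay.com /ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://ebaysecuritylogin.com/login -
cgi4.ebay.com /ws/eBayISAPI.dll?MfcISAPICommand=Search&q=camera -
"""


def flag_suspicious(log_text):
    """Return the off-site redirect targets requested with no referer:
    the pattern a phishing mail click produces, and what a logging
    redirector would want to watch for."""
    hits = []
    for line in log_text.splitlines():
        host, path, referer = line.split(" ", 2)
        target = redirect_target("http://" + host + path)
        if target is not None and not is_safe_redirect(target) and referer == "-":
            hits.append(target)
    return hits
```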

3 Comments

Comment by Frankie Roberto
Comment by Phil Ringnalda
2005-02-27 12:22:19

There are tons of them: Google and Yahoo are huge redirection fans. The problem is having one of the biggest phishing targets around having one. Yahoo’s is arguably a problem, in that you could use it to phish for Yahoo passwords, but I personally can’t imagine wanting anyone’s Yahoo mail, not even my own. But eBay, or Paypal, or WaMu, who make up probably 95% of my phishing email, really ought not to have public redirects.

Unless, of course, they are actually honeypots.
