Does there come a point in the phishing-dominated world where folk like eBay should just stop sending out emails, and tell customers that’s what they’re doing?
I got an email from eBay this morning. I don’t remember getting one before, but I may have, or else my spam filter discarded it. It sure looked like spam: using my customer sign-on name, it was called ‘eBay’s Top 10 Best Buys’. The email itself had lots of graphics and looked so genuine (including a note on learning more to protect yourself from spoof emails) it could have been a phish.
Actually, it was genuine, but how are we to know? Maybe phishers are just getting smarter, and sending us emails that appear not to be asking for our details anymore. But what would happen if I visited the site and was then asked to sign in to see ‘my customized search options’ (just as a link on the real website asks me to)? Wouldn’t the phisher have achieved the same objective?
Another oddity I noticed: a lot of the images that load on the real website come from a domain called ebaystatic.com, which it’s not possible to access independently. So how are we to verify that the data being loaded comes from a genuine source? Wouldn’t this be perfect for a Multiple Browsers Frame Injection Vulnerability, a fancy term for slipping a fake site into a real one via browser frames?
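One concrete way to answer the “how are we to verify where the data comes from” question is to enumerate every origin a page pulls content from (images, scripts, frames, form targets) and compare it against the hosts the site is known to use. The script below is an added illustration, not anything from the original post or from eBay: the trusted origins (www.ebay.com, signin.ebay.com, ebaystatic.com) and the sample page, including the look-alike frame target on a reserved `.test` domain, are constructed for the example. It uses only the Python standard library.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Origins the site is expected to load from. These are assumptions for the
# example; the post only names ebaystatic.com as the static-content host.
TRUSTED_ORIGINS = {
    "https://www.ebay.com",
    "https://signin.ebay.com",
    "https://ebaystatic.com",
}

# Element/attribute pairs through which a document loads or submits remote content.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "link": "href", "form": "action", "object": "data", "embed": "src",
}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for each element that references a remote resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Relative references resolve against the page's own URL.
                self.resources.append((tag, urljoin(self.base_url, value)))


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_resources(html, base_url, trusted=TRUSTED_ORIGINS):
    """Return (tag, url, origin) for every referenced resource whose origin is not trusted.

    A frame or form pointing at an unknown origin is exactly the pattern the
    post worries about: foreign content dressed up inside a genuine page.
    """
    collector = ResourceCollector(base_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        origin = origin_of(url)
        if origin not in trusted:
            findings.append((tag, url, origin))
    return findings


# Constructed sample page: one image from the static host, one relative image,
# a sign-in form on the real site, and a frame pulled from a look-alike domain.
SAMPLE_HTML = """
<html><body>
<img src="https://ebaystatic.com/images/logo.gif">
<img src="/images/banner.gif">
<form action="https://signin.ebay.com/login"></form>
<frame src="http://www.ebay.com.example-lookalike.test/login">
</body></html>
"""

if __name__ == "__main__":
    for tag, url, origin in audit_resources(SAMPLE_HTML, "https://www.ebay.com/"):
        print(f"untrusted {tag}: {url} (origin {origin})")
```

Only the frame from the look-alike domain is reported; the relative image resolves to www.ebay.com and passes. Matching on exact origin rather than on “contains ebay.com” is deliberate, since the look-alike host begins with `www.ebay.com.` and would fool a substring check.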
I don’t know whether eBay and its ilk should just stop sending out emails altogether, so it can tell customers never to trust something that says it’s from eBay. Maybe that’s impossible. But I’m willing to put money on the notion that phishers will get more sophisticated, and it won’t take them long to figure out that more subtle methods are required to lure victims into giving up their details, and the best way to do that would be to offer them special deals from a source they trust. Like, say, eBay.