Should eBay Stop Sending Emails Altogether?

Does there come a point in the phishing-dominated world where folk like eBay should just stop sending out emails, and tell customers that’s what they’re doing?

I got an email from eBay this morning. I don’t remember getting one before, but I may have, or else my spam filter discarded it. It sure looked like spam: using my customer sign-on name, it was called ‘eBay’s Top 10 Best Buys’. The email itself had lots of graphics and looked so genuine (including a note on learning more to protect yourself from spoof emails) it could have been a phish.

Actually, it was genuine, but how are we to know? Maybe phishers are just getting smarter, and sending us emails that appear not to be asking for our details anymore. But what would happen if I visited the site and was then asked to sign in to see ‘my customized search options’ (just as a link on the real website asks me to)? Wouldn’t the phisher have achieved the same objective?

Another oddity I noticed: A lot of the images that load on the real website come from a domain called, which it’s not possible to access independently. So how are we to verify that the data being loaded comes from a genuine source? Wouldn’t this be perfect for a Multiple Browsers Frame Injection Vulnerability, a fancy term for slipping a fake site into a real one via browser frames?

I don’t know whether eBay and its ilk should just stop sending out emails altogether, so it can tell customers never to trust something that says it’s from eBay. Maybe that’s impossible. But I’m willing to put money on the notion that phishers will get more sophisticated, and it won’t take them long to figure out that more subtle methods are required to lure victims into giving up their details, and the best way to do that would be to offer them special deals from a source they trust. Like, say, eBay.

The Gaping Browser Hole

Sometimes security holes can be subtle rather than complex. Sydney Low of Aliencamel points out the vulnerability discovered by Secunia, called the Multiple Browsers Frame Injection Vulnerability.

It’s a fancy term for a simple enough trick, where the bad guy hijacks a frame in a legitimate webpage (a frame is one portion of a webpage which has been divided into sections). The result is that the overall page is kosher — including, crucially, the URL — but that one of the frames contained inside is not. In that frame, of course, the bad guy could do anything he likes, and the user is none the wiser.

The only way a user can tell, I think, is by right clicking on the frame content and seeing what URL it is coming from, but who does that?
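The manual check described above, looking at the URL each frame is really loaded from, can be automated once the frame URLs are known. The following is an added example, not code from the original post or from Secunia; the hostnames and the allowlist are constructed for illustration.

```javascript
// Added example: compare the origin of every frame on a page with the
// origin of the page itself plus an explicit allowlist.
// All hostnames here are constructed (.example / .test are reserved).

// Origin a frame URL resolves to, or null when it has no network origin
// of its own (about:blank, data:, javascript:, unparsable input).
function frameOrigin(src, pageUrl) {
  let url;
  try {
    url = new URL(src, pageUrl); // also resolves relative frame sources
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin;
}

// One verdict per frame: ok is true only when the frame's origin is the
// page's own origin or is listed in allowedOrigins.
function auditFrames(pageUrl, frameSrcs, allowedOrigins = []) {
  const trusted = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  return frameSrcs.map((src) => {
    const origin = frameOrigin(src, pageUrl);
    return { src, origin, ok: origin !== null && trusted.has(origin) };
  });
}

// Constructed sample: the address bar shows PAGE, but one frame has been
// pointed at a lookalike host that merely starts with the real name.
const PAGE = "https://www.shop.example/account";
const FRAMES = [
  "/nav.html",                                   // relative, same origin
  "https://pics.shop-static.example/banner.html", // allowlisted image host
  "https://www.shop.example.login.test/signin",   // lookalike origin
  "about:blank",                                  // no origin to verify
];
const ALLOWED = ["https://pics.shop-static.example"];

for (const r of auditFrames(PAGE, FRAMES, ALLOWED)) {
  console.log(r.ok ? "ok     " : "SUSPECT", r.origin ?? "(none)", r.src);
}
```

Comparing whole origins rather than checking whether the hostname starts with the trusted name is what catches the lookalike frame.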

This vulnerability, actually, is a variation on a vulnerability Secunia reported had been fixed in earlier versions of IE, but then created again in a recent version. The bad news is that the vulnerability is not only in IE but also present in Opera, Safari, Netscape and Mozilla. I couldn’t get it to work in Firefox, interestingly. There’s a test you can perform here.

As Sydney says: “This one is quite worrying because it doesn’t need to do any URL masking. It simply exploits the fact that framesets will do the URL masking for the phisher.”