eBay scrambles to fix phishing bug

Criminals could use software bug to create a valid eBay link in scam to rip off people's identity info, auction giant says.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
2 min read
eBay is fighting to repair a software glitch that opens the door to phishing attacks using one of its own legitimate URLs.

The online auction giant is working on a fix for the problem, and it hopes to distribute that fix among its Web pages in the next several days, a company representative said on Friday. The problem, described by the company as a "software bug," could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site, the representative said.

eBay is one of the most popular targets of phishing schemes, which typically use e-mail messages that look like they come from a trusted service provider to dupe people into visiting a malicious Web site. The fraudulent site appears to be legitimate, but has been set up to steal the victim's personal information, such as a credit card number, which could then be used to commit identity fraud.

The company, based in San Jose, Calif., has repeatedly warned its customers not to respond to such e-mails, and has even adopted a messaging system to eliminate the need for most e-mail correspondence with its registered members.

This latest phishing issue for eBay differs in that it uses a legitimate URL to hook victims and send them to a malicious site. The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.

It is becoming significantly harder to discern phishing attempts from legitimate e-mail and Web pages, eBay spokesman Hani Durzy said in previous interviews with CNET News.com. He said that the company is working hard to put down fraudulent e-mail campaigns and sites before consumers can be tricked into giving over their data.

"We've done a lot in the eBay community to try and educate people how to identify a phishing e-mail or site, but it's becoming increasingly harder to do so just by eyeballing something," Durzy said. "Because education only goes so far, we're also working on technology solutions that could help protect against these kind of attacks."

The number of phishing threats aimed at the company have "exploded" over the last year or so, Durzy noted. He has indicated his belief that the problem is not likely to slow down anytime soon.

"People have become more aware of phishing, but the bad guys have become much better at it, so it's not going to go away overnight," Durzy said. "The key for us is really about educating Internet users to protect themselves in the same ways they do offline."