Posted on February 2, 2004
I originally wasn’t going to post about this, but I think it’s worth it. A bug was discovered in Internet Explorer (and, to a lesser extent, Mozilla) where a link to a URL of the form “http://www.ebay.com%@fakesite.com” (I’m using % to stand in for a special character) shows only “www.ebay.com” in the address bar. The URL syntax allows a user name before the host, as in “http://user@host/”, so everything before the “@” is treated as a user name and the browser actually connects to fakesite.com. The special character is a control byte that stops IE from drawing the rest of the address bar, so the real host never appears. You really get www.ebay.com%@fakesite.com, but you only see www.ebay.com.
Mozilla has fixed the smaller bug that affected it, but Microsoft said about a month ago that it didn’t need to be fixed, because it wasn’t being exploited. Well, now it’s being exploited.
My mother buys things on eBay. She got an e-mail from “update@ebay.com”. It’s too easy to fake an e-mail address: I can send you an e-mail and have it say “from: webmaster@pokemon.com”. This e-mail’s subject was “Update your eBay account” and the body was:

Dear valued eBay member,

It has come to our attention that your eBay billing updates are out of order. If you could please take 5-10 minutes out of your online experience and update your billing records you will not run into any future problems with the online service.

Once you have updated your account records your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.

To update your eBay records click here:

http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdateeBay

Update team
http://www.eBay.com
The update URL would take an IE user to http://update.ebay.com … or would it? It really takes the user to http://update.ebay.com^A%00@malkiobiavi.com/test/indexa.htm, but it looks like http://update.ebay.com in IE’s address bar! The “update.ebay.com” part is only a user name: the ^A (a 0x01 control byte) cuts off the display, and the host after the “@” is where the browser really goes. The link in the e-mail really goes to http://malkiobiavi.com/test/index.htm, which redirects you to the “fake” or “spoof” page, which looks like this. Don’t fill out that information! It asks for your name, credit card number, address, mother’s maiden name, social security number, and more, then sends it to some people in France! Luckily, my mother uses Mozilla Firebird on Linux, so when she clicked on the link in her e-mail, instead of being tricked into giving away all of her information and money, she was sent to http://www.malkiobiavi.com/. It’s a black page with letters coloured to look like an alien or something. This caused my mother to get me to see what was up, and that’s what I found.
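To make the mechanism concrete, here is an added example (my own code, not anything from the original post or from the phishing kit) that models the two things the post describes: what the unpatched address bar showed, and where the browser actually connected. The helper names are mine, the ^A in the post’s URL is written as a literal 0x01 byte, and the three sample URLs are constructed from the ones quoted above.

```javascript
// Added example (not from the original post): a model of the IE address-bar
// spoof described above. The URL syntax allows user info before the host
// ("http://user@host/"), so in
//   http://update.ebay.com<0x01>@malkiobiavi.com/test/indexa.htm
// the text before "@" is just a user name and the browser connects to
// malkiobiavi.com. Unpatched IE stopped drawing the address bar at the 0x01
// control byte, so the user saw only "http://update.ebay.com".

// Split an absolute URL into scheme, authority (the part between "//" and the
// next "/", "?" or "#") and everything after it.
function splitUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/i.exec(url);
  if (!m) {
    throw new Error("not an absolute URL with an authority: " + JSON.stringify(url));
  }
  return { scheme: m[1].toLowerCase(), authority: m[2], rest: m[3] };
}

// The user-info part of the authority, or null when there is none. The host is
// whatever follows the LAST "@": an "@" inside the user info is legal, so a
// spoofer can stack several bait names in front of the real host.
function userinfo(url) {
  const { authority } = splitUrl(url);
  const at = authority.lastIndexOf("@");
  return at === -1 ? null : authority.slice(0, at);
}

// The host the browser will actually connect to.
function realHost(url) {
  const { authority } = splitUrl(url);
  const at = authority.lastIndexOf("@");
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return hostport.split(":")[0].toLowerCase();
}

// What the buggy address bar rendered: the URL text up to the first C0 control
// character (0x01 in the e-mail above). This models the bug, not correct
// behaviour.
function buggyAddressBarText(url) {
  const cut = url.search(/[\x00-\x1f\x7f]/);
  return cut === -1 ? url : url.slice(0, cut);
}

// The check a link scanner or mail filter would apply. Returns a list of
// reasons not to trust the link; an empty list means nothing was found.
function spoofIndicators(url) {
  const info = userinfo(url);
  if (info === null) return [];
  let decoded = info;
  try {
    decoded = decodeURIComponent(info); // "%01", "%00" -> control bytes
  } catch (e) {
    // malformed percent-escape: keep the raw text, it is still checked below
  }
  const reasons = ["URL carries user info before the real host"];
  if (/[\x00-\x1f\x7f]/.test(decoded)) {
    reasons.push("user info contains a control character that can truncate the display");
  }
  // A "user name" that looks like a domain ("update.ebay.com") is bait, not a login.
  const user = decoded.split(":")[0];
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(user)) {
    reasons.push("user info looks like a host name: " + JSON.stringify(user));
  }
  return reasons;
}

// Constructed samples: the phishing link from the post (literal 0x01 where the
// post writes ^A), the genuine eBay URL, and a plain user:password URL that is
// allowed but still worth a second look.
const PHISH_URL = "http://update.ebay.com\x01%00@malkiobiavi.com/test/indexa.htm";
const LEGIT_URL = "http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdateeBay";
const BASIC_AUTH_URL = "http://user:secret@intranet.example/";

for (const u of [PHISH_URL, LEGIT_URL, BASIC_AUTH_URL]) {
  console.log("address bar showed :", JSON.stringify(buggyAddressBarText(u)));
  console.log("really connects to :", realHost(u));
  console.log("indicators         :", spoofIndicators(u));
  console.log();
}
```

For the phishing link the model shows “http://update.ebay.com” in the bar while connecting to malkiobiavi.com, and all three indicators fire; the genuine eBay URL raises none. The practical rule that falls out of it is the one a filter should apply to links in e-mail: any “@” in the authority is suspect, and a user name that looks like a domain is almost certainly a phish, whether or not the browser in use has the display bug.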
If you use Internet Explorer and eBay, or if your parents do, or your friends, aunts, uncles, grandparents and other relatives do, then warn them! If they get an e-mail like this, don’t click the link! Instead, they should type “http://cgi1.ebay…” etc. into the address bar themselves; the text of a link in an e-mail says nothing about where it really goes. That’s Microsoft’s solution, and if someone is going to use Internet Explorer, that’s the only solution, apart from ignoring the link.
Remember: warn anyone you know who uses Internet Explorer and eBay, or any other online service that deals with credit cards and money transactions! Maybe they’ll get an e-mail like this from “PayPal” or “Amazon.com”, but it’ll really be some guy in France or Russia or Hawaii trying to steal information. They can get a person’s user name and password, mother’s maiden name, address, driver’s licence number and credit card number, and a lot of people will fall for it. This is a very urgent situation, and I hope that Microsoft will see this and release a patch soon. Then it’ll be up to you to make sure that everyone you know who uses Internet Explorer installs the patch.

Or, they can try out a new browser. Seriously. Mozilla had a lesser version of this “bug”, and they fixed it right away. Microsoft did not. I’ve used the basic installation of Firebird (no extensions or installed theme or anything special to enhance it) for a whole month, and it’s ready for people to use. It works enough like Internet Explorer to be quick and easy to learn, and it’ll stop Grandma from calling you about why pop-ups are coming up all the time, requiring you to go run AdAware to clean out the adware/spyware that IE let install itself onto Windows XP. And Grandpa won’t have his identity stolen to buy expensive disco shoes on eBay with the money he was saving to buy you Pokémon Fire Red for your birthday.
I’ve already contacted eBay about the e-mail and followed all of their instructions to send them the e-mail and its headers, and I included information about the spoof being used, which browsers it affects, and how.
This post may have had links that were lost to time. It is unknown whether there were any comments.