Sunday, January 23. 2005
Over the past few months I have entertained myself by reading and checking out e-mails sent out by hackers phishing for my eBay password, PayPal password, credit cards, etc. In most cases, such as this one, they come to me as an e-mail along these lines:
Dear customer,
We regret to inform you that your eBay account will be suspended due to the violation of our site policy below:
* Misrepresentation of Identity (User) - Representing yourself as another eBay user or registering using the identity of another.
Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account.
Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.
According to our site policy you will have to confirm that you are the real owner of the eBay account by completing the following form or else your account will be deleted.
http://free.hostdepartment.com/e/ebaybilling/signin.html
Our apologies for this inconvenience.
Thank you for using eBay! http://www.ebay.com
Some are more clever than others, but all end up linking to a fake login / validation page for eBay and execute a classic man-in-the-middle attack to capture the user's login credentials. Some of them are unsecured Linux boxes running a default Apache install that hackers have broken into and used to host bogus eBay login pages. There is also a new flavor I have recently found, such as this one, which takes advantage of insecure form mailer scripts running on respectable web sites to send e-mails to drop-box e-mail accounts with the login credentials, credit card information, etc. of anyone who is ignorant enough to buy into the scam.
Unfortunately, all of these phishing attacks have one thing in common: they are taking advantage of stupid people running PHP. Although different approaches are being used, neither could have happened if PHP wasn't involved. Of course one shouldn't leave an unsecured fresh Linux box in the wild in the first place, but there is no reason why a company should have a form mailer script out there which allows me to bounce e-mail anywhere I want in the world as I see fit. Unfortunately, my attempts to contact the company running this nonsense have resulted in nothing but bounced e-mails (imagine that...).
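The form mailer problem comes down to one design mistake: letting the browser decide where the mail goes. The following is an added example, not the script from the site mentioned above or anything the author posted. It shows the relaying pattern in a comment and then a hardened replacement in which the recipient is chosen from a server-side allowlist, the visitor's address is validated, and CR/LF are stripped from anything that lands in a mail header. The department keys, the example.com addresses and the field names are constructed for illustration.

```php
<?php
// Added example: hardened PHP form mailer (not the original site's code).
//
// The relaying pattern the post complains about looks like this (do NOT deploy):
//     mail($_POST['recipient'], $_POST['subject'], $_POST['message'],
//          "From: " . $_POST['email']);
// Every argument comes from the request, so the script is an open relay, and a
// newline in $_POST['email'] injects extra headers such as Bcc:.

declare(strict_types=1);

// Server-side allowlist: the form may only pick a key, never an address.
// Addresses are constructed placeholders.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// Remove characters that would terminate a header and start a new one.
function header_safe(string $value, int $maxLen = 200): string
{
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return mb_substr(trim($value), 0, $maxLen);
}

// Validate the form and return the mail() arguments, or null to refuse.
function build_message(array $post): ?array
{
    $key = $post['department'] ?? '';
    if (!array_key_exists($key, RECIPIENTS)) {
        return null; // unknown department: refuse instead of relaying
    }

    $replyTo = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        return null; // malformed sender address
    }

    $subject = header_safe($post['subject'] ?? '(no subject)', 80);
    $body    = mb_substr((string) ($post['message'] ?? ''), 0, 4000);

    return [
        'to'      => RECIPIENTS[$key],
        'subject' => 'Web form: ' . $subject,
        'body'    => $body,
        // From: is a fixed site address; the visitor only gets Reply-To.
        'headers' => "From: webform@example.com\r\n"
                   . 'Reply-To: ' . header_safe($replyTo) . "\r\n",
    ];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid request');
    }
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
    echo 'Thank you, your message has been sent.';
}
```

With this layout a request naming an arbitrary recipient is rejected with a 400 rather than forwarded, and the only addresses the server will ever send to are the ones in RECIPIENTS. Logging rejected requests (department key and remote address) is cheap and gives the site owner the evidence they need when someone tries to use the form as a drop-box relay.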
When it's all said and done, this is not a new problem, but for lack of somewhere better to vent my frustrations I thought I would post them here. After all, I've been talking about this stuff for 4 years now, so I doubt anything is going to change now.
If anyone has any brilliant suggestions on how PHP itself can be changed (perhaps a default configuration changed, or new anti-phishing restrictions put into place) which make any sense I'd love to hear them.