A sophisticated phishing attack has proven to be so successful it has tricked eBay's own fraud investigations team into endorsing it as legitimate, according to an independent security consultant who reported the attack to eBay.
In late November, Richi Jennings received a fraudulent email message containing the subject line "Christmas is Coming on ebay.co.uk." Offering him "great tips for successful Christmas selling," the message directed him to the website ebaychristmas.net, which then asked Jennings to enter his eBay user name and password, as well as the name and password for his email account.
Jennings reported the site to eBay on November 25, and four days later he got a note back from the company's investigations team claiming that the email message was, in fact, "an official email message sent to you on behalf of eBay."
Jennings was dumbfounded. He immediately wrote back to eBay pointing out that the website being used was clearly fraudulent, but his email went unanswered.
This week an eBay spokeswoman confirmed that the email message was indeed part of a fraud, but she could not explain why it had initially been identified as legitimate. "I don't know the answer to that," says spokeswoman Amanda Pires. "I'm assuming right now it was just an error."
From their initial response, it appeared that eBay's investigators did not take his concerns seriously, Jennings said. "They never actually used the word idiot, but I felt like they were calling me an idiot," he said. He believes that the email message in question bore such a close resemblance to a legitimate eBay message that the company's investigators were simply tricked by the scam.
Pires said that eBay had, in fact, been working to take down the phishing site since November 8, weeks before Jennings even contacted the company.
Both Jennings and eBay agreed that the phony website has been set up in such a way that it is extremely difficult to shut it down. The website's server software is being hosted on a variety of different PCs that appear to have been taken over by malicious "bot" software. Whenever eBay succeeds in getting one of these servers shut down, a new one pops up to take its place, Pires says.
"This is one of the cleverest [phishing attacks] I've seen in a while," Jennings says.
EBay has also been trying to shut down the website by working with the Internet registrar that was used to acquire the ebaychristmas.net domain, Pires says. Despite these efforts, however, the site has remained operational.
That registrar, which does business under the name Joker.com, has the power to shut down the scam site, Jennings says. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he says.
Joker.com did not respond to email requests to comment for this story.
EBay's gaffe shows how hard it has become to keep track of fraudsters, says Rich Miller, an analyst with Internet services vendor Netcraft.
Netcraft, which offers a free antiphishing toolbar of its own, classified more than 8,000 phishing sites in the month of November, Miller says. "It's very had to keep straight what is legitimate and what's not," he says.
As for Richi Jennings, though he for eBay's investigators, he's willing to give them the benefit of the doubt. It's possible, he says, that the company was simply overwhelmed with questions about a legitimate email message that closely resembled the scam, and then made the mistake of assuming he was writing about the same thing. "Hopefully this was a false negative in a sea of correct answers," Jennings says.