Anyway, I’m selling some Farscape DVDs on eBay. The auctions end Sunday, November 29.

The URL was a normal eBay URL of the form http://members.ebay.com/aboutme/_____. Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.

So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. It’s not a secured page, but use of SSL for login pages is still spotty enough that a user could easily miss that. And how many people have noticed that eBay only puts login forms on signin.ebay.com? You have a slightly better chance if you have a browser like Opera, which shows you the target* of a form when you hover over a button. If you think to look at it.

I went looking and found another sighting at Conor’s Web of Esoterica, which has a screenshot of the bogus form.

This reminds me a lot of the password-stealing flaw found in Firefox and IE last November. In that case, the problem was that it was possible for a MySpace user to put a fake login form in his profile, which would get filled out by an overeager password manager. The immediate solution there was for MySpace to prevent their users from posting forms with password fields. Once again, the problem is that a malicious eBay user is able to post a form that imitates eBay’s real login form, only here the intent is to fool the user into filling it out instead of the browser.

Until eBay improves the filter on their About Me page, the best solution is to only sign in from the eBay home page. If another page brings up a login form, don’t trust it.

*Even that could probably be circumvented with some sneaky use of JavaScript to change the target, but I’m pretty sure eBay already blocks scripts on About Me pages.

But when I forward them a message with the comment, “Here’s a sample of a blatant phish,” is it really necessary to reply with the full two-page notice explaining, “This is a spoof, we didn’t send it, here’s how to avoid it, blah blah blah” and the entire body of the original message, complete with the links to the phishing site?

I’d think in this case a simple, “Thanks for the report, we’ve notified the authorities” note would be sufficient, especially since the “how to spot a phish” stuff is already in the auto-response. All it takes is giving their abuse staff an extra choice for the form letter.

And under no circumstances should they be including the full, original text of the phish. At best, it’s asking for the response to get lost in a spam box or blocked outright. At worst, it’s a security risk waiting to happen (since this copy really did come from eBay). Somewhere in the middle is the risk of mucking up adaptive filters as they try to reconcile the original message, which was spam, with the new message, which isn’t.

Case in point: I did a Google search for the phrase, “nigerian scam,” and saw the following ad:

Wow, when they say, “Whatever it is, you can get it here.”—they really mean it!

Interestingly, if you search for “419 scam,” you get the same type of ad, but not if you search for “advance fee fraud.”

I tried a few random search terms, and from what I can tell, eBay’s ad shows up on many—but not all—two-word searches. I’m not sure what the pattern is, but I can’t imagine someone at eBay deliberately asked to buy ad space for some of these phrases.

But in a show of accuracy, if you search for “random stuff,” you’ll find it!

On Saturday I shifted the old parts down to my spare computer and put what was left on eBay. I was looking for prices on comparable hardware, and it’s amazing how cheap some things have gotten—like 5-year-old CPUs. Given how much the tech has advanced…

Anyway, the mid-tower case is still good (just a bit loud), and the Antec EasyUSB front panel is wonderful for anyone who wants to add front USB ports without sacrificing a drive bay. (It’s a combination mounting rail and USB panel, so you can put a floppy, zip, etc. in it.) And if you can come up with something to do with an AMD K6-2 processor/motherboard/memory combo with 512 MB of RAM, it’s going for cheap.

All items here.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like www.paypal.com.scr, it was pretty obviously a virus. (The .scr extension, normally used for screen savers on Windows, is often used by viruses because it will be run just like any other program, but it’s less obvious than naming it .exe.)

The really odd part was that it was sent to an address I only use on eBay and PayPal, and they make it really difficult to pick up email addresses these days. I realized that only two groups of people would have that address: people who really did work for eBay or PayPal, or people whom I had recently bought from or sold to on eBay.

A quick search through my email history, and I found two messages sent from the same IP address, both from a seller I had bought from last month.

By the time I got around to searching, two things had happened: I had received two more copies from the same source, and Symantec had posted a description of what they were calling W32.Paylap@mm [ed: W32.Mimail.I@mm]. I sent a note to the seller about the virus, suggesting also that he contact his credit card company if he actually filled out the form.

With luck, he’ll catch it before any financial damage is added to the infected computer.