While there are various ways for attackers to trick users into disclosing their authentication credentials, phishing remains one of the most popular. Our spam traps caught a series of emails purporting to be from a disgruntled eBay user demanding an answer regarding a recent transaction. The emails contain a number of hyperlinks to the product in question, each of which, when clicked, initiates a browser-based FTP transfer from a remote host that serves a carbon copy of the legitimate eBay login page.
What caught my attention was the inclusion of one of eBay's security tips within the fraudulent copy, instructing users to "Check that the Web address in your browser starts with https://signin.ebay.com". One only needs to follow this advice to see that the page they are on is indeed suspicious:

Why on earth would an attacker inform potential victims of a way in which to invalidate his own malicious scheme? Is the attacker just inexperienced and didn't run a careful eye over his creation? There is a good possibility that this is exactly the case. But more importantly, will this have any effect on the success of this attack? I'd say probably not.
A regular Internet user will, over time, become less security conscious as they grow familiar with the sites they frequent. They check a site's validity subconsciously, against their memory of what it looks like, so only significant changes are likely to be noticed immediately. Changes to the URL, or to parts of the page farther from the focus area (here, the login form), are often not rechecked. Phishers know this and rely on their victims logging in quickly without visually verifying the most important security indicators, such as the URL.
It is highly unlikely that users will scrutinize each and every site they visit for indications of phishing. However, a quick visual inspection of the URL when accessing banking, trading, auction, retail or any other service that handles sensitive personal information will foil a large number of these attacks. A few seconds could save you a big headache.
We need to be aware every time we log in - the attackers only need us to slip up once.
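The URL check that both the quoted eBay tip and the closing advice rely on, written out as an added example that is not part of the original post. It parses the address and compares scheme and host exactly instead of testing the raw string for the prefix, which is the difference between the tip as literally worded and the check a defender actually wants; the sample links are constructed to resemble the email described above, not the real ones from the campaign.

```python
from urllib.parse import urlsplit

# Expected sign-in origin, taken from the eBay security tip quoted in the post.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "signin.ebay.com"


def check_signin_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for one link.

    The scheme and hostname are parsed and compared exactly, so a hostname
    that merely begins with the expected name, or the same host reached over
    a different scheme, is rejected rather than waved through.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False, f"scheme is {parts.scheme!r}, expected {EXPECTED_SCHEME!r}"
    if host != EXPECTED_HOST:
        return False, f"host is {host!r}, expected {EXPECTED_HOST!r}"
    if parts.username is not None:
        return False, "credentials embedded before the host"
    return True, "scheme and host match the expected sign-in origin"


def naive_prefix_check(url: str) -> bool:
    """The tip read literally: does the address start with the given string?"""
    return url.startswith("https://signin.ebay.com")


# Constructed sample links (hypothetical, not from the campaign). The post says
# the real links opened an ftp:// location hosting a copy of the login page.
SAMPLE_LINKS = [
    "https://signin.ebay.com/signin",                   # expected origin
    "ftp://198.51.100.23/ebay/signin.html",             # ftp host, as in the post
    "https://signin.ebay.com.example/signin",           # passes the prefix test, wrong host
    "http://signin.ebay.com/signin",                    # right host, wrong scheme
]


def triage(links):
    """Map each link to its (ok, reason) verdict."""
    return {u: check_signin_url(u) for u in links}


if __name__ == "__main__":
    for url, (ok, reason) in triage(SAMPLE_LINKS).items():
        print("OK " if ok else "BAD", url, "-", reason)
```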
Category: blogs
Posted by Staff
Via: http://www.symantec.com