Phish Site Of Mystery

The file at this URL...

http://0xd1130a9c/eBayISAPI.dll

...opens just fine as a fake eBay login page in Internet Explorer, but triggers a file download in Firefox.

It's not just because of the .dll suffix. EBayISAPI.dll actually is the name of the eBay login page. You normally see it followed by a question mark and then miles of login cruft, without which it redirects to a you-screwed-up page. I don't know exactly how this copy of it is broken, but it clearly is, in Firefox at least.

(The obfuscated URL is, by the way, actually http://209.19.10.156/eBayISAPI.dll; the host is just the same address written as one hexadecimal number. I've received many copies of this phish, though, and they probably use lots of different servers; it's just that I've only now bothered to look at one in more detail.)
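The hex host in the phish URL is an ordinary IPv4 address written as a single 32-bit integer, which browsers accept in hexadecimal, decimal and octal forms. The helper below, an added example that is not part of the original post, turns any of those "dotless" forms back into dotted-quad so a URL from a phish e-mail can be compared against block lists; the function names are my own, and mixed forms such as 209.0x13.10.156 are deliberately not handled.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def decode_dotless_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an IPv4 host written as one integer
    (hex 0x..., octal 0..., or plain decimal), or of an already dotted host.
    Returns None when the host is not an IPv4 literal in any of those forms.
    Assumption: mixed forms (e.g. 209.0x13.10.156) are not decoded here."""
    h = host.strip().lower()
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)
        elif h.startswith("0") and len(h) > 1 and h.isdigit():
            value = int(h, 8)          # leading zero means octal to a browser
        elif h.isdigit():
            value = int(h, 10)
        else:
            # Not an integer form: accept only a valid dotted quad, normalised.
            return str(ipaddress.IPv4Address(h))
    except ValueError:                  # bad digits for the base, or not an IP
        return None
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def normalise_url(url: str) -> str:
    """Rewrite the host of an http(s) URL to dotted-quad when it is a dotless
    IPv4 literal; any other URL is returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    decoded = decode_dotless_host(host)
    if decoded is None or decoded == host:
        return url
    # Replace only the host part so an explicit port or userinfo survives.
    netloc = parts.netloc.replace(host, decoded, 1)
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    # The URL quoted in the post above.
    print(normalise_url("http://0xd1130a9c/eBayISAPI.dll"))
```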

I suppose it's possible that the broken Firefox behaviour is by design, to constrain this phish's audience to the drooling masses in the IE world. The integrated Google Safe Browsing phish indicator in Firefox 2 works fine with this URL, but you have to manually cut the URL out of the phish e-mail and paste it into the Safe Browsing submit box if you want to submit it. Enough people have bothered to do that for the site to have the ominous darkened look that Firefox gives suspected fakes, if you manage to trick it into loading. But Firefox users normally never get to see it - they just go straight to the confusing (and, at least, harmless) download box.

If you're using a browser that's quirk-friendly enough that it recognises that this file is renderable HTML (it's the usual code cut-and-pasted from eBay's real login page, with strategic edits), you get the fake login form, which submits (in this case at least) to http://members.lycos.co.uk/ineedmoney2/dukyy.php. That, at the moment, seems to redirect to another, already-shut-down, phish page.

You'd really think that ISPs would have some basic search bots scanning their hosted sites for pages called eBayISAPI-dot-anything, or titled "Sign In" or "BankName Internet Banking". There really can't be that many of those pages, and it'd be simplicity itself to set up an arrangement that lets a human scan through fifty of them a minute, see which ones look like phish pages, and disable the accounts that're hosting said pages.
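The scan suggested above is cheap to write. The script below is an added example, not anything the post or any hosting company ships: it walks a dictionary standing in for one account's web root, scores each page on the filename and title heuristics the post names plus one more (a login form that posts to a different host), and returns the hits sorted for a human to skim. The file contents and host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PageFacts(HTMLParser):
    """Collect the <title> text and every <form action=...> on a page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.form_actions = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.form_actions.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


# Title fragments the post suggests looking for (lower-cased for matching).
SUSPICIOUS_TITLES = ("sign in", "internet banking")


def score_page(path: str, html: str, own_host: str) -> tuple:
    """Return (score, reasons) for one hosted file; score is the number of
    heuristics it tripped, so a human sees the likeliest phish pages first."""
    reasons = []
    name = path.rsplit("/", 1)[-1].lower()
    if name.startswith("ebayisapi."):
        reasons.append("filename mimics eBay's eBayISAPI.dll")
    facts = _PageFacts()
    facts.feed(html)
    title = " ".join(facts.title.split()).lower()
    if any(t in title for t in SUSPICIOUS_TITLES):
        reasons.append("title looks like a login page: %r" % title)
    for action in facts.form_actions:
        host = urlsplit(action).hostname
        if host and host != own_host:
            reasons.append("form posts off-site to %s" % host)
    return len(reasons), reasons


def triage(site_files: dict, own_host: str) -> list:
    """Score every file in site_files ({path: html}) and return
    (score, path, reasons) for the ones that tripped anything, highest first."""
    hits = []
    for path, html in site_files.items():
        score, reasons = score_page(path, html, own_host)
        if score:
            hits.append((score, path, reasons))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return hits


# Constructed sample web root for a hosting account (not real captured pages).
SAMPLE_SITE = {
    "/public_html/index.html":
        "<html><head><title>Bob's Stamp Collection</title></head>"
        "<body><form action='/contact.php'>...</form></body></html>",
    "/public_html/.tmp/eBayISAPI.dll":
        "<html><head><title>eBay: Sign In</title></head><body>"
        "<form action='http://drop.example.net/collect.php' method='post'>"
        "<input name='userid'><input name='pass' type='password'></form>"
        "</body></html>",
    "/public_html/login.html":
        "<html><head><title>Members Sign In</title></head>"
        "<body><form action='/members/auth' method='post'></form></body></html>",
}

if __name__ == "__main__":
    for score, path, reasons in triage(SAMPLE_SITE, "bobsstamps.example"):
        print(score, path, "; ".join(reasons))
```

The legitimate members' login page still scores one point, which is the point of the design: the script does not disable anything, it only orders the pile for the human who does the fifty-a-minute look.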

(I dare say quite a few phishes are hosted on actual discrete privately owned servers sitting in the corner of a business office. But most of them are on servers that can be cut off by a hosting company.)

Perhaps some hosts are doing that already, but it's clear that most aren't. Because, of course, it'd cost money. Most phish pages are hosted on unsuspecting servers whose administrators left security holes open, and nobody wants their hosting cut off just because some miscreant happened to host a fake Amazon login page on their server for a while. That's the kind of thing that might cause the hosts to lose customers.

So, instead, we get the current situation, where the phish pages get to hang around for at least a day or two as the ISPs receive complaints and/or notice their IPs on phish lists, then tell the unwitting phish-hosting customer, then go back and forth for a while figuring out who has to fix the problem and how.

In the meantime, people get robbed.

As Bruce Schneier has pointed out so many times (talking about software, but hosting companies are in the software business too), the way to make businesses implement security is to force them to do it, financially. If they're not liable, if it doesn't cost more to be insecure than it costs to be secure, they'll stay insecure, no matter how many other people's lives are ruined by their unconcern.

You wouldn't get far by suing HostyPlace for the security misdeeds of its clients. But if you started suing the clients, they'd probably share the joy.

Posted in Scams, Spam.

8 Responses to “Phish Site Of Mystery”

  1. Chris Says:

    The actual reason it brings up a download box in Firefox is fairly simple to see - the server is configured to serve DLL files as application/x-msdownload, which is the default MIME type for DLL files.

    Here's where Firefox and IE behavior vastly differs.
    Firefox believes the server-provided MIME type, if any, no matter what. So it sees application/x-msdownload and wants to save it.
    IE has a list of 28-ish (text/plain apparently doesn't count on XP SP2) MIME types that it thinks it knows better about.
    If the server provides one of these, IE won't trust it immediately; instead it will look at the first 256 bytes and see if it has some idea what it 'really' is. This was handy when the default for unknown extensions was for a server to send the content-type as text/plain or some other such nonsense, of course. But before XP SP 2, IE would render HTML files renamed to .txt as HTML because they looked like HTML!

    So anyway, IE sees application/x-msdownload and decides to look at the file, sees HTML, and decides the real MIME type is actually text/html.

    For the record, eBay does serve any pages using eBayISAPI.dll with a proper content-type of text/html.
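A small model of the two policies Chris describes, added here as an example and not code from the post, its comments, or either browser: Firefox takes the Content-Type header as final, while IE, for a short list of "ambiguous" declared types, peeks at the first 256 bytes and overrides the header if they look like HTML. The ambiguous-type set and the HTML markers are illustrative assumptions, not either browser's real tables, and the response below is a constructed stand-in for what the phish server sends.

```python
# Declared types on which the modelled IE second-guesses the server. The real
# list has around 28 entries; this subset is an assumption for illustration.
AMBIGUOUS_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",   # what the phish server sends for the .dll
    "text/plain",                 # per the comment, no longer sniffed on XP SP2
}

# Tokens taken as evidence of HTML in the first 256 bytes (assumed heuristics,
# not IE's real signature table).
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<title", b"<script", b"<!doctype html")


def looks_like_html(body: bytes) -> bool:
    head = body[:256].lower()
    return any(marker in head for marker in HTML_MARKERS)


def media_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def firefox_effective_type(content_type: str, body: bytes) -> str:
    """Firefox policy: the header is the truth, whatever the bytes say."""
    return media_type(content_type)


def ie_effective_type(content_type: str, body: bytes, sniff_ambiguous: bool = True) -> str:
    """IE policy: for an ambiguous declared type, sniff the body and promote it
    to text/html if it looks like markup. sniff_ambiguous=False models the
    feature control Chris mentions that turns the override off."""
    declared = media_type(content_type)
    if sniff_ambiguous and declared in AMBIGUOUS_TYPES and looks_like_html(body):
        return "text/html"
    return declared


def outcome(effective_type: str) -> str:
    """What the user sees: a rendered page or a download box."""
    return "render" if effective_type == "text/html" else "download"


# Constructed stand-in for the phish server's response: the conventional
# header for a .dll file, but a body that is plain HTML.
PHISH_CONTENT_TYPE = "application/x-msdownload"
PHISH_BODY = (b"<html><head><title>eBay: Sign In</title></head>"
              b"<body><form method='post' action='/fake.php'>...</form></body></html>")

if __name__ == "__main__":
    print("Firefox:", outcome(firefox_effective_type(PHISH_CONTENT_TYPE, PHISH_BODY)))
    print("IE:     ", outcome(ie_effective_type(PHISH_CONTENT_TYPE, PHISH_BODY)))
```

The same mismatch is why a real `.dll` served with its correct type (a body starting with the `MZ` executable header) is downloaded by both models: the sniff only promotes bodies that look like markup. The general fix on the serving side is to label content correctly; current browsers also honour an `X-Content-Type-Options: nosniff` response header that switches this kind of override off.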

  2. Chris Says:

    Because I forgot to put it in my previous comment, here's the page detailing this behavior of IE. There's supposedly a feature control to disable that behavior, but in my very short amount of testing I haven't found how to turn it on (the options that sound vaguely like it in the Group Policy editor don't appear to do that, in any case).

  3. corinoco Says:

    I'm an architect; I work with, and on, building sites on a daily basis.

    Say I am designing a high-rise building, and for one reason or another, a cladding panel falls off the building into the street. It doesn't have to even hit anyone, let alone their kid / car / dog / stolen goods, it just has to hit the street. I am liable. Immediately. Even if I can prove it wasn't my fault, I was nowhere near the site, didn't design the panel, wasn't operating the crane, etc., but I WAS the defined 'superintendent' in the contract. I don't get to write a EULA which says I am not responsible for anything that happens anywhere, ever, my fault or not.

    It really shits me that ISPs seem to get the same legal loopholes as pawn shops: "we didn't know it was stolen; we traded for cash in good faith". Yep, to a scruffy, panting, sweaty guy with shifty eyes and beer-stained ID claiming he was Gladys Nurke as he traded a Prada handbag.

    There is actually a legal case in Australia (actually English - it's from 1800s London, I think) known as the "snail-in-a-bottle" case that claims that retailers ARE liable for damage caused beyond their knowledge or control - it's the same law that makes me liable for klutzy builders. I'm sure a good lawyer could slam an ISP using it. I'd love to see it done...

  4. Ken™ Says:

    Corinoco - As nice as it may be, the logic you use doesn't really work, IMHO. The data traversing through an ISP's network can't be monitored in a practical manner. Let's say one of their customers downloads a file. Privacy laws aside, how can the ISP distinguish whether that file contains copyrighted content? With today's technology, it is technically impossible. And even if it was, think about the sheer volume of data being moved around.

    Now, if the ISP was made aware of a specific copyrighted file located on one of their systems, and did nothing about it, then they may become liable. But then there's nothing stopping the person responsible for that file from simply renaming it and making it available again. The ISP can only be reactive, not proactive.

    In your specific case corinoco, IANAL, but surely you would a) have liability insurance for just such a situation, and b) have appropriate policies and procedures in place to minimize the risk of such an event, as well as appropriate contracts with the builders and other contractors indemnifying you?

  5. Daniel Rutter Says:

    Uh, Ken, we're not talking about copyright infringement here. We're talking about people hosting phish pages. ISPs don't have to monitor traffic or check copyright to deal with that - they just have to see whether any of their clients have suddenly started pretending to be major financial institutions.

  6. Ken™ Says:

    Sorry Dan, fair comment. My bad.

  7. Ken™ Says:

    Incidentally, phishers and scammers in general should burn in hell.

    Or if you don't believe in hell, then they should be shot out of a cannon. Into the sun. Wearing nothing but a t-shirt, shorts, and thongs. And no sunblock.

  8. neil Says:

    The famous (in my country) snail in a bottle case is Donoghue v Stevenson. Mrs Donoghue was in a Tea Shop in Paisley, Scotland in 1928 when her friend bought her a bottle of ginger beer and some ice cream. The "bottle was sealed with a metal cap, and was made of dark opaque glass". It contained the decomposing body of a snail which was only discovered after she'd drunk most of the bottle. Hilarity (en)sued.

    The case doesn't state though, that retailers are responsible for things beyond their knowledge or control. For one thing the defender was the manufacturer of the ginger beer and not the Tea Shop owner.

    Interestingly though, what the Pursuer did claim (and what was held to be relevant) was: "it was the duty of the defender to provide a system of working his business that was safe, and would not allow snails to get into his ginger beer bottles ... it was the duty of the defender to provide an efficient system of inspection of said bottles before the ginger beer was filled into them, and before they were sealed".

    Which is, if you consider bottles to be ISP webspace and snails to be phishing sites, exactly what Dan is talking about.

    The ice cream was fine.
