eBay is one of the top targeted sites for phishing emails. It has been in the top ten since the launch of the phishery. As phishing is largely based around social engineering, the risk of someone clicking through to a phishing site is extremely high.

In this article we investigate one phishing scam in detail, and provide insight into how effective such scams are and who the likely victims are.

The phishing scam process:
- scan for a vulnerable website
- inject a phishing kit using the website vulnerability
- email the user and convince them to visit the fake website
- wait for the user to enter their credentials
- collect/resell/use the information collected.

This week we received yet another email purporting to be from eBay, containing a link to a phishing site. This German phishing site is no different from any other, but this time the information collected from users who submitted their details was contained in a file on the phishing website. It is very rare to be able to view the results of a phishing scam, and to see the number of users that have entered their credentials. Phishing kits usually send emails containing the user data to an anonymous account, so that the information collected is not stored on the server. This time the collection process was slightly different: the information was also written to a file on the web server.

Over the last week we have been keeping tabs on this phishing site and the files containing user information. On Thursday, when we first viewed this site, the phishing scam had captured 1024 users' credentials. Within two hours there was an increase of 1%, or ten users. Two files on this site contained confidential user information: one file contained eBay login details (username and password), and the second file contained credit card/bank account details, as well as users' addresses, phone numbers and dates of birth, and other items relating to the users' identity!!!

The phisherman who sent out these phishing emails has been around since April 2006; an article appeared in Castlecops where phishing emails were targeting not just eBay, but Chase, HSBC and PayPal. We contacted the owners of the website to inform them of the phishing scam on their site. However, a week later the site is still up, and still gathering user information. Approximately 150 more users' details have been collected, bringing the total to 1190. The file that contained the credit card details has a total of five users.

The graph below illustrates the increase in captured user details against time.

[Figure "phishing": captured user details over time]

We see a huge drop in the quantity of user details on November 16th; it would seem that the phisherman cleared the file, or that the file was deleted, and the capture started again from zero.

This source data gives us a reasonable amount of information to analyse user details.

- The number of users that submitted details was 1190.
- The number of people who detected that this was a phishing website was 34, which is 2.69% of all submitted details.
- The number of people who entered their password more than once, and so truly believed that the website was real, was 219, which is 17.8% of all users.

On further analysis of the passwords, we set up a ranking system where:

- Level 1 - Easily crackable password: username is contained in the password, or the password is found in a common passwords file.
- Level 2 - Crackable password: password is all lowercase, all uppercase or all digits.
- Level 3 - Contains uppercase and lowercase characters.
- Level 4 - Contains uppercase and lowercase characters and digits.
- Level 5 - A good password: contains uppercase and lowercase characters, digits and meta characters.

| Password level | Percentage |
|----------------|------------|
| 1              | 7.02%      |
| 2              | 31.57%     |
| 3              | 37.47%     |
| 4              | 23.95%     |
| 5              | 0%         |
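As an added example (not code from the original article), the following Python script applies the five-level ranking defined above to a constructed set of credentials and produces the same kind of percentage table. The common-password list is a small stand-in for the file the article mentions, and the handling of mixes the article does not name (such as lowercase plus digits, counted as Level 2) is an assumption of this example.

```python
from collections import Counter

# Constructed stand-in for the "common passwords file" the article refers to.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "ebay"}


def password_level(username, password, common=COMMON_PASSWORDS):
    """Rank a password from 1 (weakest) to 5 using the article's five levels."""
    pw_lower = password.lower()
    # Level 1: the username appears in the password, or it is a common password.
    if (username and username.lower() in pw_lower) or pw_lower in common:
        return 1
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_meta = any(not c.isalnum() for c in password)
    # Levels 5, 4 and 3 are checked from strongest to weakest.
    if has_lower and has_upper and has_digit and has_meta:
        return 5
    if has_lower and has_upper and has_digit:
        return 4
    if has_lower and has_upper:
        return 3
    # Level 2: a single character class (all lowercase, uppercase or digits).
    # Mixes the article does not name (e.g. lowercase plus digits) also land
    # here; that is an assumption of this example.
    return 2


def level_distribution(records):
    """Percentage of (username, password) pairs at each level, like the table."""
    counts = Counter(password_level(u, p) for u, p in records)
    total = len(records)
    return {lvl: round(100.0 * counts[lvl] / total, 2) for lvl in range(1, 6)}


# Constructed sample credentials; none are from the captured file.
SAMPLE_RECORDS = [
    ("jsmith", "jsmith1"),     # level 1: username inside the password
    ("anna_k", "password"),    # level 1: common password
    ("bobby", "sunshine"),     # level 2: all lowercase
    ("carl", "19840321"),      # level 2: all digits
    ("dee", "Sunshine"),       # level 3: upper and lower case
    ("eve", "Sunshine84"),     # level 4: upper, lower and digits
    ("frank", "Sunshine84!"),  # level 5: adds a meta character
    ("gina", "Abc1"),          # level 4
]

if __name__ == "__main__":
    for level, pct in sorted(level_distribution(SAMPLE_RECORDS).items()):
        print(f"Level {level}: {pct}%")
```

Run over a real credential dump (one username/password pair per record), the same two functions reproduce the article's table and let a defender measure how many accounts need a forced reset first.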

People are aware that passwords should be a certain length and contain lowercase, uppercase and numbers, but it is interesting to see how many actually conform to best practice: out of 1190 users, not one satisfied all of these criteria (Level 5).

It is not only individual accounts that have been compromised; there is a small percentage of business accounts as well. The users who submitted their details cover a broad range of ages, from around 22 to 62. Not only uneducated users have been affected, but also users who work in the IT sector themselves. This illustrates how effective phishing is, the social engineering aspect of it, and, globally, how every individual is susceptible to phishing attacks.

This site is still up and the number of user details captured is growing by the minute!!
