An eBay phishing attack is spoofing the IE Url to fool users
into believing that they are actually on the eBay login page.
The email looks legitimate enough
But when clicked it actually goes to
http://200.41.5.40:780/rock/e/
Which resembles the eBay login page
The phishing site creates a popup which covers IE’s URL bar
which makes for a convincing spoof. It may actually fool the user
into believing that he is in
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0
when he is actually at this site
http://200.41.5.40:780/rock/e/.
Here is the code that was used to spoof the IE’s url.
Of course the code was originally protected with a series of
encryption at first but this is what it looks like when its
decrypted.
I tried googling and it revealed that this code has been in use
for quite some time now. All you had to do is change the url in the
variable vuln_html and your good to go.