A sophisticated phishing attack has proven so successful, it has tricked eBay's own fraud investigations team into endorsing it as legitimate, according to an independent security consultant who reported the attack to eBay.
Joker in the pack
Late last month Richi Jennings received a fraudulent email message containing the subject line "Christmas is Coming on ebay.co.uk." Offering him 'great tips for successful Christmas selling', the message directed him to the website ebaychristmas.net, which then asked Jennings to enter his eBay user name and password, as well as the name and password for his email account.
Jennings reported the site to eBay on 25 November. Four days later he got a note back from the company's investigations team claiming the email message was "an official email message sent to you on behalf of eBay".
Jennings was dumbfounded. He immediately wrote back to eBay pointing out that the website being used was clearly fraudulent, but his email went unanswered.
On Monday, an eBay spokeswoman confirmed the email message was indeed part of a fraud, but she could not explain why it had initially been identified as legitimate. "I don't know the answer to that", said spokeswoman Amanda Pires. "I'm assuming right now it was just an error."
From their initial response, it appeared that eBay's investigators did not take Jenning's concerns seriously. "They never actually used the word idiot, but I felt like they were calling me an idiot," he said. He believes the email message in question bore such a close resemblance to a legitimate eBay message that the company's investigators were simply tricked by the scam.
Pires said that, on the contrary, eBay had been working to take down the phishing site since 8 November - weeks before Jennings even contacted the company.
Both Jennings and eBay agreed the phony website has been set up in such a way that it is extremely difficult to shut it down. The website's server software is being hosted on a variety of different PCs that appear to have been taken over by malicious 'bot' software. Whenever eBay succeeds in getting one of these servers shut down, a new one pops up to take its place, Pires said.
"This is one of the cleverest [phishing attacks] I've seen in a while," Jennings said.
eBay has also been trying to shut down the website by working with the internet registrar was used to acquire the ebaychristmas.net domain, Pires said. Despite these efforts the site has remained operational.
The registrar, which does business under the name Joker.com, has the power to shut down the scam website, Jennings said. "If they were taking their responsibilities seriously, the site would have been shut down weeks ago," he said.
Joker.com did not respond to email requests to comment for this story.
eBay's gaffe shows how hard it has become to keep track of fraudsters, says Rich Miller, an analyst with internet services vendor Netcraft.
Netcraft, which offers a free antiphishing toolbar of its own, classified more than 8,000 phishing sites in the month of November, Miller said. "It's very had to keep straight what is legitimate and what's not", he said.
As for Richi Jennings, though he doesn't have high regard for eBay's investigators, he's willing to give them the benefit of the doubt.
It's possible, says Jennings, that the company was simply overwhelmed with questions about a legitimate email message that closely resembled the scam and then made the mistake of assuming he was writing about the same thing. "Hopefully this was a false negative in a sea of correct answers," Jennings said.