
I received an important email today. Apparently, my eBay account had an old credit card associated with it. eBay attempted to verify the card and it was declined. I better go sign in.
It looks legit. The email link says https://billing.ebay.com, and the status bar on my Thunderbird says http://billing.ebay.com. Must be OK.
Except look at the right side of the email's status bar.

My computer is configured with Firefox as the default browser. When I click on the link, it seems to think there's something odd about the web page I'm going to. It pops up this warning - something about authenticating to the website.
Well, I'm going to eBay, and I'm going to authenticate, so it must be OK.

So I get to the website, things flash for a second, and I get a blank screen - and Firefox tells me the website is trying to open a popup.
Darn popup blockers! I disable it for the website, and then the screen flashes again.
Darn it, eBay wants me to use IE! I knew those darn Firefox guys would get something wrong!

Well, luckily Microsoft makes sure that IE is on every Windows computer. I fire up IE, cut and paste the address (luckily, I'm a very smart computer user) and I get this screen. See? The address bar says https://billing.ebay.com, and the lock on the bottom of my screen assures me that I'm encrypted and that I really am connecting to eBay.
Except that's not a status bar on the bottom of the screen - it's an image sent by the malicious website to my browser that LOOKS like an IE status bar. And it's using JavaScript to overlay the address bar with another address.
Nasty.