eBay is fighting to repair a software glitch that opens the door to phishing attacks using one of its own legitimate URLs.
The online auction giant is working on a fix for the problem, and it hopes to distribute that fix among its Web pages in the next several days, a company representative said on Friday. The problem, described by the company as a "software bug", could be exploited by criminals to create an actual eBay link that redirects customers to a malicious site, the representative said.
eBay is one of the most popular targets of phishing schemes, which typically use email messages that look like they come from a trusted service provider to dupe people into visiting a malicious Web site. The fraudulent site appears to be legitimate, but has been set up to steal the victim's personal information, such as a credit card number, which could then be used to commit identity fraud.
The company, based in San Jose, California, has repeatedly warned its customers not to respond to such emails, and has even adopted a messaging system to eliminate the need for most email correspondence with its registered members.
This latest phishing issue for eBay differs in that it uses a legitimate URL to hook victims and send them to a malicious site. The flaw may have already allowed individuals to use one of eBay's URLs to trick unsuspecting parties into visiting malicious sites, the company representative said.
It is becoming significantly harder to discern phishing attempts from legitimate email and Web pages, eBay spokesman Hani Durzy said in previous interviews with ZDNet UK sister site CNET News.com. He said that the company is working hard to put down fraudulent email campaigns and sites before consumers can be tricked into giving over their data.
"We've done a lot in the eBay community to try and educate people how to identify a phishing email or site, but it's becoming increasingly harder to do so just by eyeballing something," Durzy said. "Because education only goes so far, we're also working on technology solutions that could help protect against these kind of attacks."
The number of phishing threats aimed at the company have "exploded" over the last year or so, Durzy noted. He has indicated his belief that the problem is not likely to slow down anytime soon.
"People have become more aware of phishing, but the bad guys have become much better at it, so it's not going to go away overnight," Durzy said. "The key for us is really about educating Internet users to protect themselves in the same ways they do offline."
