eBay-DoubleClick-AOL redirect chain phish

06.28.2007 - 3:24 PM
Websense Security Labs has discovered an eBay phish utilizing a chain of eBay, DoubleClick and AOL redirectors.

The initial redirector on eBay will only redirect a user to another site if the correct eBay partner ID is provided. In this incident, the URL provided first redirects the user to the second redirector hosted on DoubleClick's advertisement server at us.ebayobjects.com. The URL looks like this: http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?Redirect [REMOVED] http%3A%2F%2Fus.ebayobjects.com

This second redirector by DoubleClick is then used to redirect the user to the third redirector hosted on AOL. The URL looks like this: http%3A%2F%2Fus.ebayobjects.com%2F [REMOVED] http://www.aol.com

Finally, the redirector on AOL is then used to redirect the user to the eBay phish site which appears to be hosted on someone's home cable Internet connection. The URL looks like this: http://www.aol.com/ [REMOVED] url=http://static-64- [REMOVED] .isp.broadviewnet.net/httpsiginin.ebay.com/reg.php

We already had this phishing URL categorized in our database as a known eBay phishing site. This particular incident is of interest not only because it uses redirectors, but because it chains them and starts with an eBay redirector that ultimately sends the user to an eBay phish site. The fact that the first redirector belonged to ebay.com definitely helped make this eBay phish URL look legit at a quick glance.

The complete eBay phish URL looks like this (a screenshot is provided below): http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?Redirect [REMOVED] http%3A%2F%2Fus.ebayobjects.com%2F [REMOVED] http://www.aol.com/ [REMOVED] url=http://static-64- [REMOVED] .isp.broadviewnet.net/httpsiginin.ebay.com/reg.php
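
A mail or web filter can judge a chained URL like the one above by where it ends rather than where it starts. The following is an added example, not Websense code: it statically unwraps nested redirector URLs and flags a chain that leaves the first host's domain while reusing that domain's name in the landing path. The hosts, parameter names and the naive two-label domain check are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)

def embedded_url(rest, max_decodes=3):
    """Return the first URL nested in the text after a URL's scheme, or None.

    Decoding comes before searching so an encoded hop (http%3A%2F%2F...)
    that precedes a plain one is not skipped; the loop covers double encoding.
    """
    for _ in range(max_decodes):
        rest = unquote(rest)
        match = EMBEDDED_URL.search(rest)
        if match:
            return rest[match.start():]
    return None

def unwrap(url, max_hops=10):
    """List each nested URL, outermost first, without making any request."""
    hops = []
    url = url.strip()
    while url and len(hops) < max_hops:
        parts = urlsplit(url)
        if not parts.hostname:
            break
        hops.append(url)
        url = embedded_url(url[len(parts.scheme) + 3:])  # skip "scheme://"
    return hops

def assess(url):
    """Summarise the chain and flag the two traits the post points out."""
    hops = unwrap(url)
    if not hops:
        return None
    hosts = [urlsplit(h).hostname.lower() for h in hops]
    brand = ".".join(hosts[0].split(".")[-2:])  # naive registrable domain (assumption)
    last = hosts[-1]
    return {
        "hosts": hosts,
        "leaves_first_domain": last != brand and not last.endswith("." + brand),
        "brand_in_landing_path": brand in urlsplit(hops[-1]).path.lower(),
    }

# Constructed sample: reserved example hosts and made-up parameter names,
# shaped like the chain in the post (encoded first hop, plain later hops).
SAMPLE = ("http://cgi.shop.example/redirect?pid=123&loc=http%3A%2F%2Fads.example"
          "%2Fclk%3Bh=http://portal.example/redir?url="
          "http://198.51.100.7/signin.shop.example/reg.php")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A production filter would replace the two-label shortcut with a Public Suffix List lookup so that domains under suffixes such as co.uk are compared correctly.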