eBay has taken a step toward eliminating (criminal) phishing success by setting up an internal messaging system that handles all communications with their users related to account information. The hope is that this will train users that they shouldn't respond or react to email from criminals that asks for details about their eBay account.
Of course, a smarter userbase would be nice. Phishing isn't exactly a sophisticated hacking tool. But through creative graphics and modified message headers (the From: and Reply-To: addresses), criminals have a new set of branding capabilities to con marks with relatively cheap campaigns. In less than an hour, a criminal can set up a site, clone it to look like it's legitimately eBay, create a message that looks authentic, and send millions of these messages around the world. It's a good idea to let people know there are alternative methods of handling their money-related accounts. Perhaps everyone should abandon the email trend and move to more controlled streams of communication.
As eBay's introductory email says:
Protection Against Fake (Spoof) Emails
With My Messages, you now have a definitive, legitimate source for any communication from eBay that affects your account. Whenever eBay sends you an alert or message related to your account, it will be duplicated in My Messages.
It's important to recognize that eBay is NOT abandoning email marketing. Unfortunately for them, "Urgent eBay Message" won't elicit the same response it once did. However, their marketing email may actually get more attention now. Then again, maybe everyone will just delete them all, like I do.
Submitted by jasonn on November 18, 2005 - 10:55am.