In this article, we will take a look at phishing in online shopping. A phishing page imitating a Taobao product (“baby”) page used a different strategy to cheat users. It exploited a design flaw in the e-commerce payment process, and that flaw is also difficult to repair in a short period of time.
After logging in on the fake page, the user reaches a purchase confirmation page, just as in the normal Taobao flow; apart from the URL, everything looks genuine. Clicking the purchase confirmation button takes the user to the payment page. Taobao’s normal payment gateway is Alipay, so the phishing site also forges the Alipay checkout page to trick the user into entering the payment password. The user then completes the payment, but by this point the payment password has already been stolen. The user clicks the back button and instead selects online banking to pay. Over this whole process, both the user’s Taobao account password and the Alipay payment password have been captured by the phishing site, and every page the user sees and takes for Taobao’s is fake. The most important point, however, is that the phishing site can steal the user’s money even without knowing any password. This can be considered a design flaw of online shopping. In the example above, the final payment page embeds a payment form of the Industrial and Commercial Bank of China (ICBC), as the following source code shows.
<form id="ebankPayForm" name="ebankPayForm" target="_blank" method="post" action="https://B2C.icbc.com.cn/servlet/ICBCINBSEBusinessServlet">
<input type="hidden" name="interfaceName" value="ICBC_PERBANK_B2C" />
<input type="hidden" name="interfaceVersion" value="1.0.0.0" />
<input type="hidden" name="orderid" value="507148170" />
<input type="hidden" name="amount" value="985000" />
<input type="hidden" name="curType" value="001" />
<input type="hidden" name="merID" value="4000EC23359695" />
<input type="hidden" name="merAcct" value="4000021129200938482" />
<input type="hidden" name="verifyJoinFlag" value="0" />
<input type="hidden" name="notifyType" value="HS" />
<input type="hidden" name="merURL" value="http://bank.yeepay.com/app-merchant-proxy/neticbcszrecv.action" />
<input type="hidden" name="resultType" value="0" />
<input type="hidden" name="orderDate" value="20110522205936" />
<input type="hidden" name="goodsName" value="China Unicom Payment" />
<input type="hidden" name="merSignMsg" value="fwWXBaBUrgwpxzP5oxyZ ay7ObihJrHt9UkGm9okjRrHH828Kx8b/lkX8hOdS7wv74lgh3rZybkqSL+DpB9F0 u24+Pji9CWrGJeN5Y96qd97agv/n802vVp+VhKbFc0h6yuSQH4HK6dRxFrz4Dsdp qgAr7ZdpUiM2DgSzjHCQUK0=" />
<input type="hidden" name="merCert" value="MIIDBDCCAeygAwIBAgIKYULK EHrk AC49gjANBgkqhkiG9w0BAQUFADA2MR4wHAYDVQQDExVJQ0JDIENvcnBv cmF0ZSBTdWIgQ0ExFDASBgNVBAoTC2ljYmMuY29tLmNuMB4XDTEwMDkyNTA 3NTU0MloXDTExMTAxMDE1NTk1OVowPzEYMBYGA1UEAxMPeWVlcGF5MDEuZS 40MDAwMQ0wCwYDVQQLEwQ0MDAwMRQwEgYDVQQKEwtpY2JjLmNvbS5jbj CBnzANBgk qhkiG9w0BAQEFAAOBjQAwgYkCgYEA1LE1UbpYQd2bW87+hzo/3F9N8A8m 3OCVU4Vj8rYN7g499Yw XJtCmvXJpKGHzpsygEvrwDsEWQp2rOFI0nSAyga4Vyy VbmFnx3dkiKFpAco6pi+G2YvtaxsoI8oI0ZpBzytRJRDy3WSZG6mKw3ty5UlbAiN lug JARfcMuYGvQ7jsCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBT5yEXDU5MmNj GTL5QQ38hTPfZvnjBJBgNVHR8EQjBAMD6gPKA6pDgwNjEQMA4GA1UEAxMHY 3JsMzAzMTEMMAoGA1UECxMDY3JsMRQwEgYDVQQKEwtpY2JjLmNvbS5jbjAd BgNVHQ 4EFgQUI+mwl5mh7sI81gNXua2rcv/nev0wDQYJKoZIhvcNAQEFBQADggEBALa J5oyxbHP8LsWiyvi//ijREAiA6oJ35hEy6Yn4Y8w7DZwM0H1il7txG0KfGPYU7pAQ 6A9iQ+wMnMCBMrLO yws1osi2JQIwZncs7/AisCXfGlji6wesAU4MCNiAfV2+ nPmr2SMpkhak0OIcOZlZHqNPeTBcTIuPmR3tH3UAJnC5vaz+7/Y+veEXa2PDia// TT2GCsaV3UP3mfdHFzGKVYIIZJ0qGJFN4nBDqF1aYXgGBawfJwUVDIIJBnv94K9kj 4u7sac1Eicl3AwkPJdrhWY/Y5SZuu11pckfiserbSoGEKDCQ3OD9HoSV FIMpJi7nkwP56xhrJW8mQlUggGAgGE=" />
<input type="hidden" name="remark1" value="0" />
<input type="hidden" name="remark2" value="0" />
</form>
The URL this form submits to (its action) was
https://B2C.icbc.com.cn/servlet/ICBCINBSEBusinessServlet
This is the genuine payment URL of the Industrial and Commercial Bank of China. In other words, the form itself is real.
Take a look at several key parameters in this form (name = value, followed by its meaning):
orderid   = "507148170"                                                       order number
merID     = "4000EC23359695"                                                  merchant identifier
merAcct   = "4000021129200938482"                                             merchant account identifier
merURL    = "http://bank.yeepay.com/app-merchant-proxy/neticbcszrecv.action"  merchant URL
goodsName = "China Unicom payment recharge"                                   goods (product) name
The merchant URL shows that this order is actually paid to YeePay.com, whereas the user believes the payment is going to Alipay.
The goods name has become “China Unicom payment recharge”, although the user believes they are buying a Midea air conditioner; the hidden form field gives the game away.
In addition, two further key parameters, merSignMsg and merCert, are the order signature and the merchant certificate respectively; the bank uses them to confirm an order. Ultimately, this is a real order, submitted through the phishing site, and the money is paid via ICBC’s online banking gateway to YeePay.com.
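One defensive check this flaw suggests, as an added example that is not from the book: parse the hidden fields of the bank form and compare the real payee (the merURL host) and the goods name against what the shopper was shown, rather than trusting that the form posts to the genuine bank. The sample form is the page’s ICBC form trimmed to the relevant fields; the expected values passed in (alipay.com as the intended payee, a Midea air conditioner as the goods) are assumptions matching the narrative.

```python
import urllib.parse
from html.parser import HTMLParser

# Constructed sample: the ICBC form from the page, trimmed to the fields audited here.
SAMPLE_FORM = """
<form id="ebankPayForm" method="post" action="https://B2C.icbc.com.cn/servlet/ICBCINBSEBusinessServlet">
<input type="hidden" name="orderid" value="507148170" />
<input type="hidden" name="merID" value="4000EC23359695" />
<input type="hidden" name="merURL" value="http://bank.yeepay.com/app-merchant-proxy/neticbcszrecv.action" />
<input type="hidden" name="goodsName" value="China Unicom Payment" />
</form>
"""

class HiddenFieldParser(HTMLParser):
    # Collects the form action and every hidden input as name -> value.
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):  # HTMLParser also calls this for <input ... />
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def parse_pay_form(html):
    p = HiddenFieldParser()
    p.feed(html)
    return p.action, p.fields

def host_matches(url, expected_host):
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    return host == expected_host or host.endswith("." + expected_host)

def audit_pay_form(html, bank_host, expected_payee_host, expected_goods):
    """Return discrepancies between what the shopper was shown and what the bank
    form will really do; an empty list means the form is consistent with the purchase."""
    action, f = parse_pay_form(html)
    findings = []
    # A genuine bank action is necessary but, as the page shows, not sufficient.
    if not host_matches(action or "", bank_host):
        findings.append("action %r is not the bank gateway %r" % (action, bank_host))
    payee = urllib.parse.urlsplit(f.get("merURL", "")).hostname
    if not host_matches(f.get("merURL", ""), expected_payee_host):
        findings.append("merURL pays %r, shopper expected %r" % (payee, expected_payee_host))
    if f.get("goodsName") != expected_goods:
        findings.append("goodsName is %r, shopper expected %r" % (f.get("goodsName"), expected_goods))
    return findings
```

Run against the sample with alipay.com and the air conditioner as the expected values, the audit passes the action check (it really is ICBC) but flags both the payee and the goods name, which is exactly the mismatch a shopper never sees.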