Pro-Syrian hackers have produced evidence that they intercepted the sensitive communications of eBay security personnel as the employees responded to a recent hack of the company's UK websites. The incident underscores how poorly even some of the world's most powerful tech companies withstand everyday attacks.

An image posted over the weekend shows an e-mail purportedly sent by Paul Whitted, whose LinkedIn profile lists him as a senior manager at eBay overseeing "incident management and resolution of major site issues." The February 1 message addresses other eBay employees and raises the possibility that one or more of their computers—or at least one of their e-mail accounts—was compromised as they were discussing a hack last Saturday on eBay and PayPal websites.

It reads:

Just pointing out if someone has remote access to email via compromised laptop and is on this thread then they now have our conference info to listen into this incident. Might want to have folks call into the sec / ppcc and be in breakout where password is required to join.

Paul
Sent from my iPhone

An eBay spokesman confirmed that on Saturday hackers succeeded in causing some people visiting eBay and PayPal marketing webpages in the UK, France, and India to be redirected to fraudulent destinations. He said the attack was quickly detected and resolved. No customer data was accessed, and no customer accounts were affected. The spokesman declined to say if the published e-mail was authentic, but there's nothing obvious to indicate that it's a hoax.

A security professional who trains people how to respond to security incidents just like the one that hit eBay and PayPal told Ars that the e-mail looks real to him. Based on the contents, he said it appears the e-mail account of at least one of the people responding to last weekend's attacks was compromised. That would have allowed the hackers not only to redirect some eBay and PayPal Web visitors but to also eavesdrop on incident responders as they tried to block the attack.

"If I had to guess, I'd say that these guys were probably compromised via a phishing e-mail," Jacob Williams, an instructor for the SEC504: Hacker Techniques, Exploits & Incident Handling course offered by the SANS Institute, told Ars. Given Whitted's mention of a compromised laptop, he said it's possible the phishing site exploited a vulnerability in Java, Flash, or another commonly abused application to hijack the responder's computer. Of course, it's also possible that Whitted's hunch about a compromised laptop was mistaken, and the phishers only gained access to the responder's e-mail account.

In either case, Saturday's episode is a cautionary tale for a couple of reasons. First, it should serve as a wake-up call to all incident responders about the need for what's often called "out-of-band" communication channels: channels separate from the corporate e-mail, chat, and conferencing systems that an attacker may already control. As Williams explained in a post-mortem blog post:

Whatever you do, don't count on your main method of corporate communication during an incident response

There are many reasons for this, but a big one is that the main method of communication may have been compromised by the very attackers you are trying to repel. If you continue to communicate over compromised channels, you're violating some pretty fundamental tenets of OPSEC and giving your playbook to your attackers. Where I come from, that's a huge fail.

Not just eBay

There's another reason why the entire tech industry and the people who rely on it should pay attention. The attack on eBay came a week after phishers successfully compromised yet another company that should have known better. Late last month, Microsoft said a select number of employees fell victim to a successfully executed, highly targeted spear phishing attack. In the process, a Microsoft advisory warned, the attackers stole documents associated with law enforcement inquiries, and it's possible customer information was accessed as well.

The incidents come on top of anecdotes recounted here and here underscoring how social engineering attacks on employees of GoDaddy, Amazon, and possibly PayPal can have devastating effects on those companies' customers.

The incidents are discouraging for at least two reasons. First, Microsoft, eBay, and the other companies recently implicated are some of the biggest holders of sensitive data. They have ethical and possibly legal responsibilities to safeguard the information they're entrusted with, and they failed in a very fundamental way. More importantly, the employees of these companies are presumably some of the most savvy and well-trained in the world at spotting social-engineering ploys. If they're being hoodwinked by phishing attacks and other plain-vanilla social engineering campaigns, what hope is there for the rest of us?