
Phishing Scam Ensnares eBay Shoppers

By Katherine Noyes
Sep 23, 2014 6:25 AM PT

Attackers for months have been using eBay listings to redirect visitors to password-harvesting scam sites, the BBC reported. They use cross-site scripting to hijack eBay shoppers and trick them into handing over personal data.

Smartphones, televisions, hot tubs and clothing are among the items supposedly for sale in listings infected with malicious Javascript code. When users click on the listings, the code redirects them through a series of other websites to a page requesting their eBay log-in and password.

This video, taken by a user, demonstrates the exploit in action:

eBay has been slow in responding to security professionals' calls to remove the fake listings, said the BBC, which on Monday reported finding more than 100 listings affected by the exploit.

Nothing New

"Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet," eBay spokesperson Ryan Moore told the E-Commerce Times. "This is not a new type of vulnerability on sites such as eBay."

The problem is made possible by the fact that eBay allows sellers to use active content like Javascript and Flash to make their listings on the site more attractive, Moore said. "However, we are aware that active content may also be used in abusive ways."

Cross-site scripting is not allowed on eBay, however, and "we have a range of security features designed to detect and then remove listings containing malicious code," he noted, adding that unauthorized account usage currently is at an all-time low on the site.

Still, "the criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems," Moore pointed out.

Easy Money

"eBay is apparently suffering from the losing end of a common 'risk versus convenience' scenario," Mark Stanislav, a security project manager with Duo Security, told the E-Commerce Times.

"By providing the ability for users to add Javascript and Flash content to improve buyer experiences, they've also allowed attackers to craft code which can manipulate consumer browsers to benefit criminals," he said.

These attacks are similar to recent attacks against ad networks that have allowed Javascript to be embedded, noted Ken Westin, a security analyst with Tripwire.

Other very similar exploits can do even more damage, Westin told the E-Commerce Times.

"If the attackers target vulnerable browsers and systems with this kind of exploit, it can lead to instant compromise of the system," he explained.

"Since online buyers have become accustomed to interactive content, we'll probably continue to see more of these kinds of attacks; they are lucrative and relatively easy for attackers to implement," Westin observed.

Tough Problem

"eBay is a community of sellers and buyers, and it's vital to eBay's business model to provide merchants with the ability to draw in more customers through the use of customized, interactive Web pages and content," Tim Erlin, director of IT security and risk strategy with Tripwire, told the E-Commerce Times.

"This is a tough problem to stay on top of, but the success of eBay's model depends on doing just that," he added. "If consumers or merchants flee to alternatives because of a real or perceived lack of responsiveness from eBay, they lose revenue."

While many Internet users readily accept Javascript in Web pages, largely on the strength of their trust in the site, that's no longer the case with Javascript in emails, "because scripts delivered by email could have come from anywhere, and probably did," Paul Ducklin, a senior security advisor at Sophos, told the E-Commerce Times.

One step eBay could consider taking is a per-user option to strip scripts out, he suggested. "Then we could shift the argument to whether to have that option on or off by default."
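As an added example (not code from the article, from eBay or from any of the vendors quoted), the following shows what a server-side "strip scripts out" filter for seller listing HTML can look like: an allowlist parser that drops script, plugin and meta elements, event-handler attributes and script-scheme URLs while keeping ordinary markup. The tag and attribute lists and the sample listing are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist: tags not listed are dropped (their text is kept); elements in DROP_WITH_CONTENT
# lose their content too. meta refresh, on* handlers and plugin tags never pass this filter.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "img", "a", "table", "tr", "td", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "span": {"class"}, "td": {"colspan"}}
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "noscript"}

def _safe_url(value: str) -> bool:
    # Remove whitespace and control characters first so "java\tscript:" cannot slip past the check.
    v = "".join(ch for ch in value if ch > " ").lower()
    return v.startswith(("http://", "https://", "/"))

class ScriptStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0   # output fragments; nesting depth inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                    continue           # event handlers and unlisted attributes are removed
                if name in ("href", "src") and not _safe_url(value):
                    continue           # javascript:/data:/vbscript: URLs are removed
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

def strip_active_content(listing_html: str) -> str:
    # Returns the listing with scripts, plugins, handlers and script URLs removed.
    p = ScriptStripper(); p.feed(listing_html); p.close()
    return "".join(p.out)

# Constructed sample listing: harmless markup plus the kinds of active content the article describes.
SAMPLE = ('<p>Hot tub, <b>like new</b></p>'
          '<script>location="http://phish.example/login"</script>'
          '<img src="https://cdn.example/tub.jpg" onerror="location=\'http://phish.example\'">'
          '<a href="java\tscript:alert(1)">details</a>'
          '<meta http-equiv="refresh" content="0;url=http://phish.example">'
          '<a href="https://example.com/photos">photos</a>')
```

Run on SAMPLE, the filter keeps the description, the image and the plain https link and drops every redirecting element; a real deployment would pair this with the site's own markup rules and a content security policy rather than rely on the filter alone.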

Security Vigilance

In the meantime, users should be cautious, warned Duo Security's Stanislav.

"It's very hard for users to know they are being duped into doing something wrong online," he explained. "Paying attention to what your browser address bar says is a very low-tech, high-value means to ensure that if you think you're using a website, you're actually on that website when logging in."

On SSL-enabled sites, "pay attention that you're on a site with a valid certificate through the coloring/icons browsers provide to denote that fact," he suggested.

"Users can help mitigate the effectiveness of these criminal ploys by utilizing the two-factor authentication provided by the service," Stanislav recommended, "and also applicable for PayPal."

Katherine Noyes has been reporting on business and technology for decades. You can find her on Twitter and Google+.
