Malicious eBay listings redirect users to phishing site

An IT worker from Scotland who is also an “eBay PowerSeller” has discovered an eBay listing for an iPhone that was rigged to redirect potential buyers to a spoofed eBay login page.

Paul Kerr happened upon the listing by chance, and immediately recognized the redirection for what it was: a phishing attempt. At the time, the advert had been up for 35 minutes, he noted, and he immediately notified eBay of the problem.

But, despite getting assurances that the matter will be dealt with immediately, the listing remained available for over 12 hours, Kerr claims. “They should have nailed that straight away, and they didn’t,” he commented.

To have a proof of his finding, Kerr captured a video of the attack:

The malicious listing contained Javascript code that took advantage of a cross-site scripting (XSS) flaw in the website and, according to the BBC, there were in total three listing posted by the same malicious seller, and at least two contained the redirection code.

All three listings have been removed by eBay, but its spokesman admitted the existence of only one. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links,” he added.

Chances are good that some people have fallen for this phishing scheme, but it’s difficult to say what the exact number could be.

This is not the first time that XSS vulnerabilities in the eBay website have been misused by malicious actors, and it probably won’t be the last.




Share this