Pressure is mounting against eBay to quickly detect and remove bogus listings triggering cross-site scripting flaws to redirect users to phishing and other malicious pages.
EBay has generally been doing a good job removing malicious listings, but every now and then they slip up and the number of these listings spikes for a while, as it’s currently happening.
The onslaught started last week, when an IT worker from Scotland spotted a few listings that redirected him to a well-made eBay login phishing page.
The e-commerce giant has reacted, but not soon enough, and the listings were up for over 12 hours, tricking who knowns how many users.
According to the BBC, the number of listings using the same trick to redirect users to malicious pages has, in the meantime, risen to at least 100, and possibly even more.
Some of these listings have been placed via hijacked eBay accounts with 100% positive feedback, which made them look legitimate. The listings are offering iPhones, television sets, clothing, and other attractive items, and redirect to fake eBay Security & Resolution Center pages designed to harvest users’ credit card details, bank account details, some personal information, and so on.
“We have no current plans to remove active content from eBay,” they stated. “However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”
But security experts say that the company should do more to protect its users so that they don’t lose their trust.