Attackers for months have been using eBay listings to redirect visitors to password-harvesting scam sites, the BBC reported. They use cross-site scripting to hijack eBay shoppers and trick them into handing over personal data.
This video, taken by a user, demonstrates the exploit in action:
eBay has been slow in responding to security professionals’ calls to remove the fake listings, said the BBC, which on Monday reported finding more than 100 listings affected by the exploit.
“Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet,” eBay spokesperson Ryan Moore told the E-Commerce Times. “This is not a new type of vulnerability on sites such as eBay.”
Cross-site scripting is not allowed on eBay, however, and “we have a range of security features designed to detect and then remove listings containing malicious code,” he noted, adding that unauthorized account usage currently is at an all-time low on the site.
Still, “the criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems,” Moore pointed out.
“eBay is apparently suffering from the losing end of a common ‘risk versus convenience’ scenario,” Mark Stanislav, a security project manager with Duo Security, told the E-Commerce Times.
Other very similar exploits can do even more damage, Westin told the E-Commerce Times.
“If the attackers target vulnerable browsers and systems with this kind of exploit, it can lead to instant compromise of the system,” he explained.
“Since online buyers have become accustomed to interactive content, we’ll probably continue to see more of these kinds of attacks; they are lucrative and relatively easy for attackers to implement,” Westin observed.
“eBay is a community of sellers and buyers, and it’s vital to eBay’s business model to provide merchants with the ability to draw in more customers through the use of customized, interactive Web pages and content,” Tim Erlin, director of IT security and risk strategy with Tripwire, told the E-Commerce Times.
“This is a tough problem to stay on top of, but the success of eBay’s model depends on doing just that,” he added. “If consumers or merchants flee to alternatives because of a real or perceived lack of responsiveness from eBay, they lose revenue.”
One step eBay could consider taking is a per-user option to strip scripts out, he suggested. “Then we could shift the argument to whether to have that option on or off by default.”
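The “strip scripts out” option Erlin describes amounts to allowlist sanitization of seller-supplied listing HTML. The following is an added example, not eBay’s code and not from anyone quoted in the article: a small stdlib-only sanitizer that drops script-bearing elements with their contents, removes event-handler attributes, and restricts link and image URLs to http(s) or relative targets. The tag and attribute allowlists, the function names (`sanitize_listing`, `safe_url`) and the sample listing are assumptions constructed for illustration.

```python
"""Allowlist-based sanitizer for seller-supplied listing HTML.

Added example, not eBay's code. Markup outside a small allowlist is
dropped, event-handler attributes are removed, and link/image URLs are
restricted to http(s) or relative targets. The allowlists are assumed
values chosen for illustration, not a marketplace's real policy.
"""
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "br", "ul", "ol", "li",
                "a", "img", "table", "tr", "td", "th", "h1", "h2", "h3",
                "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"},
                 "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
# These elements are removed together with everything inside them.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Allow only http(s) and relative URLs; reject javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in ("", "http", "https")


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0        # removed tags/attributes, useful for logging
        self._skip_depth = 0    # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.dropped += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # on* handlers are never allowed; other attributes must be allowlisted
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1
                continue
            if name in URL_ATTRS and not safe_url(value or ""):
                self.dropped += 1
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output


def sanitize_listing(html):
    """Return (clean_html, number_of_removed_tags_and_attributes)."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample listing mixing normal markup with active content.
SAMPLE_LISTING = (
    '<p>Vintage <b>camera</b>, works great.</p>'
    '<script>document.location="https://scam-site.example/"</script>'
    '<img src="photo.jpg" onerror="alert(1)">'
    '<a href="javascript:void(0)">Click</a>'
    '<a href="https://www.ebay.com/">Store</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize_listing(SAMPLE_LISTING)
    print(f"removed {removed} item(s):")
    print(clean)
```

Running the block strips the `<script>` element and its body, the `onerror` handler and the `javascript:` link target, while leaving the plain markup and the https link untouched. The `dropped` counter is what a per-user “scripts off” switch would also want to surface to a review queue: a listing that loses several items on sanitization is worth a look. A production sanitizer would additionally balance tags and normalize character encodings before parsing; this one keeps to the single point the article raises.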
In the meantime, users should be cautious, warned Duo Security’s Stanislav.
“It’s very hard for users to know they are being duped into doing something wrong online,” he explained. “Paying attention to what your browser address bar says is a very low-tech, high-value means to ensure that if you think you’re using eBay.com that you’re actually on that website when logging in.”
On SSL-enabled sites, “pay attention that you’re on a site with a valid certificate through the coloring/icons browsers provide to denote that fact,” he suggested.
“Users can help mitigate the effectiveness of these criminal ploys by utilizing the two-factor authentication provided by the service,” Stanislav recommended, “and also applicable for PayPal.”