57 Comments
- DrakeGTA, on 10/12/2007, -2/+14 That's serious, I could see a lot of people falling for that.
- adml_shake, on 10/12/2007, -2/+11 Wow, I usually check to make sure it's secure, but Ebay had better get on the ball about this. Not only could this seriously turn people away, but people like me will hold them responsible if something should happen.
- Petrarch1603, on 10/12/2007, -4/+13 My judgment is that it's incumbent upon EBay to provide a more secure interface to nip this in the bud.
- manicarzo, on 10/12/2007, -0/+8 Yeah, I saw an auction that did this a few weeks ago on a message board (the guy was pointing out it was a scam). It turns out the ebay auction listings allow <script> </script> tags, and you can put in a form that auto-submits and redirects you, all using JavaScript, to the fake login page which again looks exactly like an ebay page.
Be sure to alert your average ebay users, as people who may be not as internet savvy as most of us may be searching for the latest ipod or xbox 360 (or any hot item) may be easily fooled. If that happened to me, I might not even have noticed. Ebay is just becoming a haven for scam artists and the viability of the online auction and the trust it requires is slowly fading to the point where it's almost more safe to buy something through normal retail or online stores (even some of those aren't always trustworthy anymore...)
- pondster, on 10/12/2007, -4/+12 but that's expecting that ebay will actually do anything about it. This is a company that purposely hides its contact information other than online help.
I stopped selling on ebay and recently got accepted to google purchases, the amount of crap that goes on ebay is ridiculous. You get the most traffic but also the most peril. Competitors constantly battle you and some of them fight dirty - not only stealing your listing descriptions and pictures, they will go through your auctions with a fine tooth comb looking for anything against ebay policy to report you on - no matter how minor.
Oh and Ebay favors the power seller. You are limited to 10 of the same exact auction item, I had a competitor that was a power seller - ebay permitted them to list over 100 of the same item, literally flooding the market to make it impossible to sell your item - it gets lost like a needle in a haystack - ebay let this go on despite repeated requests to look into the ebayer - but if I put more than 10 - my item got pulled.
Ebay is a scammers market where the cops take bribes.
- andreo, on 10/12/2007, -1/+5 And I forgot. You have to login to use "Buy it Now"! Looking in the Ebay community forums, they are redirecting you with fake buy it now links also. This makes things really really bad.
Oh well, just have to look at that address bar really close, and / or install spoofstick.
- dignick, on 10/12/2007, -3/+6 Anybody got links to examples of this? I'd like to see what it looks like.
- SectorNation, on 10/12/2007, -2/+5 I'd like to see an example of one of these listings, just so I can tell if my browser will show me the BS URL or what the thing looks like in general. I've got 3 less computer literate Ebayers in my house and would like to keep them protected. Anyone have a link to one of these types of listings?
- CamperBob, on 10/12/2007, -0/+3 It's simply incredible that eBay allows you to use Javascript in your auctions. No legitimate seller needs to do that. I've worried about this sort of attack ever since I first clicked on an auction that made my mouse cursor leave a cute trail of twinkly stars.
Whether you consider these attacks eBay's "fault" or not, there is certainly a good case to be made that their negligent security practices are contributing to the problem in a big way. Disabling the SCRIPT tag would be a good start, and would harm no one except the sellers you don't want to deal with anyway.
- kmccoll, on 10/12/2007, -0/+3 I obviously can't speak for everyone, but I think a lot of people agree that it's not eBay's fault, but think that eBay could provide more protection. I don't think any digg reader is likely to fall for something like this, but that's not the point - ebay is used by everyone and no amount of comments on digg is going to get grandma to look at the address bar for every page there's a password being entered.
In my opinion, eBay allowing custom javascript to run has been an invitation for something like this to happen. A naive misjudgement on eBay's part, nothing more. Even myspace doesn't allow javascript to be inserted into user pages.
- Eddible, on 10/12/2007, -1/+3 eBay are really useless with support. They've got that big that they have no time for individual issues. eBay needs some massive overhaul.
- inactive, on 10/12/2007, -4/+6 I once got an email saying that I could become a powerseller, at first I thought it was legit because I had been selling a lot of things on ebay. Then I realized that it was phishing.
- ThinkBox, on 10/12/2007, -0/+2 Good to see major news places really talking about phishers - yeah I don't want it to be another thing the press blows up and scares older people away from the internet with, but then again, i really don't want people to be uninformed about this kinda stuff. I got a very legit looking ebay email and I posted a story here in digg linking to the verification site it took me to. - http://digg.com/security/NON-_Ebay_Email_Security_Issue - since then the link has been killed - I felt it was my duty to spread the word... even if it only got 5 diggs, lol
- luke--, on 10/12/2007, -0/+2 I think ebay needs to cut out javascript from descriptions altogether until they can figure out a targeted fix.
Their concern is probably that they don't piss off the umpteen sellers that have ridiculously complicated html/javascript descriptions for all of their items.
- Elranzer, on 10/12/2007, -0/+2 OK, that's it. Russia, Romania and Nigeria have lost their Internet privileges. Time to cut them off from the world Internet. Unless someone can somehow prove why it would be beneficial to keep them connected.
- jguerry, on 10/12/2007, -0/+1 they run those russian hot lady wife sites. that's more than enough to keep them connected hah
- DrRo183, on 10/12/2007, -0/+1 Cross site scripting attacks?
- mechagodzilla, on 10/12/2007, -1/+2 I saw this yesterday. The page is down now, but firefox showed the real (non-ebay) url.
When you clicked on the auction listing, you immediately were redirected to the phisher's site that asked for your ebay password. Disabling javascript in your browser prevents the redirection though.
- Elranzer, on 10/12/2007, -0/+1 And people wonder why eBay's stock bubble burst...
- mechtech, on 10/12/2007, -2/+3 Here is a phishing site that has the FAKE ebay login page.
Apparently from russia.. http://ebayisapi.pochta.ru/eBayISAPI.usingSSL.login.php
Go there at your own risk.
- tehpunk, on 10/12/2007, -2/+3 for the lesser knowledgeable people, ebay does offer a toolbar plugin to detect phishing sites. might be good for grandma if she's on ebay a lot.
otherwise this is the usual, with a new twist. ebay has to offer limited html insertion to spruce up auction listings, but as always, the onus is on the user to detect these.
- reparsed, on 10/12/2007, -0/+1 Whenever I run into a phishing scam I browse the fake site with TOR and give them a suitable fake log and pass. Prolly doesn't do any good but make me feel a little better.
- Madguy, on 10/12/2007, -0/+1 I ran across this before on EBay. One problem is that EBay prompts for Username/Password during some searches, so it's not weird that it would pop-up a Login screen. I saw the screen and immediately put my user/pass in without even thinking about it. I then immediately realized that I should not have had to do that when clicking on a link to see an auction. I changed my password and tried to report it to Ebay. It sucks being forced to use only their forms to submit a problem. I then got the standard "email phishing" email from them.
- toddmok, on 10/12/2007, -0/+1 Get Trend Micro Internet Security. I tried to go to one of the example sites that shows the phishing login page and trend micro blocked the site and let me know that it was a phishing site. This still will probably not see all the sites but it sure can't hurt
- miaow, on 10/12/2007, -0/+1 I don't know if this would help but why don't they put all of ebay behind a secure server?
- xswag, on 10/12/2007, -0/+1 That's what I do also Reparsed but I also use that Firefox extension NoScript and Privoxy with TOR running. Not sure if it helps but it's a little added security on those sites. My login and passwords are always something vile!
- Msonier, on 10/12/2007, -1/+2 Genius16, congratulations for posting basically the same response three or four times.
You say to not blame ebay and it is everyone else's fault, but this is ebay's problem. Everyone who uses ebay is not internet/computer savvy. Is it ebay's fault someone falls for a scam? no not really, however if they want people to stick around they are going to need to protect their customers.
In all your comments you really only proved the fact you're a prick; congrats genius16.
- 12340987, on 10/12/2007, -0/+1 wow, now that is a good scam.
Also, often if you're paying for an item you'll get redirected to some other pay service other than paypal, which can be a problem. I guess people are more aware of that though.
- hobophobe, on 10/12/2007, -1/+2 "It is the American way to remove the responsibility of your own actions away from you and onto someone else..."
Do you know anything about economics? It is the responsibility of the auction site to protect its reputation. If they don't, another auction site will, and eBay will go bust. Sure, the buyer should _always_ beware, but at the same time those businesses that provide a trustable reputation should be rewarded for helping.
That's why when Dell won't let some woman return a server she didn't really need that got sold to her under false pretenses, they may be making a short-term profit off her, but they are losing long-term credibility.
That's why when someone posts a photo on Flickr of a charred Apple power cable, they responded and he agreed to remove the images.
These are examples of firms responding to the force information plays in the economy. As the internet continues to grow, it gives consumers better information than they had before, which in turn makes the markets better. In transition from a time of unbalanced information to balanced information, however, there will always be rocky patches and swings resulting.
- Pizpump, on 10/12/2007, -0/+1 "The company has methods in place to fight fraud and employs about 1,000 people whose fulltime job it is to keep the marketplace safe."
Anyone care to wager on how much that figure is inflated by?
- unluckier, on 10/12/2007, -3/+3 No.
The article indicates that eBay allows SCRIPT tags in the sellers' auctions. (!!!) This can allow the auction page to *automatically* redirect to the phishing page in any browser that has scripting enabled.
Once you're on that page, a user who is paying attention will notice the address bar is wrong. But I have a feeling this will trick a lot of people.
- TomP, on 10/12/2007, -2/+2 ohhhh sh!t that's near enough identical! and very easy to assume it's ebay...
- scotty1024, on 10/12/2007, -2/+2 This just goes to show one more time that username/password is no longer a secure means of authenticating users over the Internet. Whether you are eBay or Bank of America two factor authentication needs to become mandatory.
- Jasruler, on 10/12/2007, -3/+3 If EBay wants to stay in business, they'll have to protect their consumers lest they face a massive negative-PR backlash.
- haooken, on 10/12/2007, -4/+4 check the links in any of these emails or pages or whatever. If the link starts with an IP addy, then it's bogus. No clicky.
/I know everyone probably knows this already and some elitist prick is gonna mouth off, so STFU/GBTW in advance. Some people may not know. Feh.....
- BumKnee, on 10/12/2007, -0/+0 While I agree that ebay should do something about this, it is not an easy fix for them (if they want to continue to provide sellers the ability to provide dynamic content).
A workaround in the meantime: log in to your account from ebay's main page before browsing any auctions.
- cnorris1, on 10/12/2007, -0/+0 This happened to me. Fortunately I have different passwords on my ebay account and paypal otherwise some guy in Germany would have gotten a free motorcycle from me.
- trash115, on 10/12/2007, -0/+0 ***** these scammers, i've been screwed out of an ipod nano, there are so many of these people on ebay!
- jguerry, on 10/12/2007, -1/+0 i might actually fall for this.
thank god google auction is in the works
- Tripmoneyuk, on 10/12/2007, -3/+2 There are plenty of programs that allow you to manage ebay from your desktop.
Maybe it's time I started to look into them a little more?
- Genius16, on 10/12/2007, -3/+1 i agree wholeheartedly with you... but apparently there is a reason for eBay allowing java script, which is why it hasn't been removed yet. though personally i think it should be removed, but speaking in an overall unbiased sense, i think it should stay. it's the same scenario as Microsoft allowing macro scripts in word. they're still there and people can make hella virii with it.
customer education and personal responsibility is key. removing the harmful threat along with critically wounding the legit uses is overall not the way to go. speaking unbiasedly...
- andreo, on 10/12/2007, -4/+2 Same here, I want to see an example. I read the story. And I pretty much know all the places where Ebay will normally ask for your log on information again ie; when you go to "My Ebay", trying to view "adult listings", trying to view "completed items". But they should have put one of the fake pages in the tutorial so the public can see exactly what will happen.
- DEFSMAC, on 10/12/2007, -5/+3 it looks exactly like a normal listings page and ebay login page, hence why people are fooled by it.
- tehpunk, on 10/12/2007, -4/+2 sorry for double posting, but another nice trick is to hijack a username, buy something, then send a fake email to the seller saying that due to the item's value he/she must provide tracking to claim the funds. they ship the item, provide tracking, but a transaction never occurred. seller is out.
and what's funny is they point the finger at ebay.
people need to get something straight.
if you buy something ON ebay, you are not buying anything FROM ebay. you are engaging in a real transaction with a person, and if you think you aren't, you have no business conducting a transaction online.
- Genius16, on 10/12/2007, -4/+2 how is it ebay's fault, when they are not the ones creating the scam? it's not gmail's fault i get tons of phishing emails...
and why am i a prick? because i believe in personal responsibility?
- UserId, on 10/12/2007, -6/+4 Why are you people undigging this post? It's like you all hate taking responsibility. Companies can't protect you from your own stupidity no matter what. I understand that there are computer illiterate people out there that will fall for this type of thing, but they will fall for this no matter what eBay does; if they stop one thing the con men will find another way to scam people. You can't stop scams, on line or offline, there are stupid people out there and someone smarter will always find a way to get their money. The scams are big on eBay because eBay is big. If a true competitor was out there and got even close to being as big as eBay the scam artists would just start going there, and would find a way around any program or block to start scamming people. Scam artists have been around forever and nothing's going to change that. All you can do is try to educate the people.
"It is the American way to remove the responsibility of your own actions away from you and onto someone else...
Pft...
It's your personal responsibility to not fall for a phishing scheme. Not eBay's. Not anyone else's. that's like saying it's gmail's fault i fell for a phishing email scam, and that they need better spam filters so I don't have to educate myself to fight against it."
- tiamat, on 10/12/2007, -4/+1 I noticed this about 2 weeks ago and reported it to ebay. At the time I found it via a really cheap laptop listing. That one seems to have been removed.
- kevin_ou, on 10/12/2007, -3/+0 I clicked on an auction that took me to a phisher "ebay login" page and reported it to ebay. Ebay never responded to my email afterwards.
- bacirriu, on 10/12/2007, -7/+3 Phishing toolbars are for noobs.
- Genius16, on 10/12/2007, -8/+3 Why would you hold eBay responsible? (See my above response to another gentleman)
Would you hold google responsible if you fell for a phishing email scam that was sent to your gmail account, citing they need better spam filters?
Stop being lazy and get some personal responsibility.
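
Several commenters above point at the same root cause: seller-supplied listing HTML that may carry SCRIPT tags and forms that post to another site. The following is an added example, not code from this thread or from eBay, of a submission-time screen a marketplace could run over listing HTML. The names `scan_listing` and `TRUSTED_HOSTS`, the host `marketplace.example` and the sample listings are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"marketplace.example"}  # assumption: the site's own host
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "base"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")  # strict policy


class ListingScanner(HTMLParser):
    """Collects reasons to reject a seller-supplied description.

    HTMLParser lower-cases tag and attribute names and decodes entities
    in attribute values before handle_starttag is called."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in URL_ATTRS:
                # Browsers drop whitespace and control characters in a scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"script URL in {name} on <{tag}>")
        if tag == "form":
            try:
                host = urlparse(attrs.get("action", "").strip()).hostname
            except ValueError:  # malformed authority in the URL
                host = "<unparseable>"
            if host and host not in TRUSTED_HOSTS:
                self.findings.append(f"form posts off-site to {host}")


def scan_listing(html):
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings  # empty list: nothing was flagged


# Constructed sample listings (not taken from any real auction).
CLEAN = '<p><b>iPod nano</b>, boxed.</p><a href="https://marketplace.example/i/1">more</a>'
OFFSITE_FORM = '<form action="http://login.example.net/signin"></form><script>/* placeholder */</script>'
OBFUSCATED = '<a href="jav&#x61;script:void(0)" onmouseover="x()">win</a>'
```

A screen like this only decides accept or reject; it does not rewrite the listing, so a flagged description goes back to the seller rather than being published in a partly cleaned state.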