An effective and virtually invisible method of redirecting website viewers from a legitimate page to a page crafted for criminal purposes has eBay UK visitors at risk, according to UK security firm Netcraft. The attacks detected by Netcraft apparently target visitors viewing advertisements for vehicles on the site.
Netcraft identified the method as a man-in-the-middle attack. The implementation of this attack represents a great danger to an unwary viewer. Netcraft said that just viewing an affected ad exposes the visitor to the potential for loss.
Due to malicious JavaScript code embedded by criminals in the ad, the visitor’s web browser gets quietly redirected to a man-in-the-middle server. This web server returns content to the browser that looks like the legitimate ad. Such code embedding is a violation of eBay’s rules, but naturally criminals aren’t much for following inconvenient guidelines.
Netcraft noted a key difference between the fake ad and a real eBay listing. The “Contact the seller” link changes from the legitimate “Email the seller” option that leads to a form monitored by eBay, to a direct email link to the purported seller.
The ad retains all the other information about the item’s listing, including the hijacked seller’s feedback rating. As regular eBay users know, a high positive feedback rating encourages potential buyers to trust a seller; in this case, the trust would be very misplaced.
The criminals then hope a prospective buyer will contact them to arrange payment for the listing, in this case a used vehicle. Because the new classified ad listing format encourages dealing directly with the seller, a victim may end up sending thousands of dollars to the fraudster.
Worse, since the arrangement would have happened outside eBay’s monitored communications, the transaction would not be covered by eBay’s buyer protection policy. A victim faces the possibility of significant financial loss and a difficult avenue to recovering payment.
Fortunately a careful site visitor may notice the change in their address bar from eBay’s domain to the domain of the man-in-the-middle server. While this particular attack can return a legitimate listing to the viewer, it doesn’t mask the URL shown in the address bar. People shopping through classified listings should take extra care that their site visit remains on a legitimate eBay domain.
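The two tell-tale signs described above, the address bar showing a host outside eBay's own domains and the "Contact the seller" link turning into a direct email address, can be checked mechanically. The following is an added illustration, not code from the article, Netcraft or eBay; the list of legitimate domains and the sample listing URLs are assumptions constructed for the example.

```javascript
// Added example (not from the article or from Netcraft/eBay): a client-side
// sanity check built on the two signs the article describes:
// (1) the browser ended up on a host outside eBay's own domains, and
// (2) the "Contact the seller" link is a direct mailto: rather than eBay's form.
// The domain list below is an assumption for illustration.
const LEGIT_EBAY_DOMAINS = ["ebay.co.uk", "ebay.com"];

// True only when hostname equals a legitimate domain or is a subdomain of it.
// A plain substring test would wrongly accept e.g. "ebay.co.uk.example.net",
// which is exactly the kind of look-alike host a mirrored page may sit on.
function isLegitimateEbayHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return LEGIT_EBAY_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
}

// Classify a listing page given its URL and its contact-seller link.
// Returns an array of warnings; an empty array means nothing looked off.
function checkListing(pageUrl, contactHref) {
  const warnings = [];
  const page = new URL(pageUrl);
  if (!isLegitimateEbayHost(page.hostname)) {
    warnings.push("page is not on a legitimate eBay domain: " + page.hostname);
  }
  // Resolve the contact link relative to the page, as a browser would.
  const contact = new URL(contactHref, pageUrl);
  if (contact.protocol === "mailto:") {
    warnings.push("contact link is a direct email address, not eBay's form");
  } else if (!isLegitimateEbayHost(contact.hostname)) {
    warnings.push("contact link leaves eBay: " + contact.hostname);
  }
  return warnings;
}

// Constructed sample inputs (paths and hosts are made up for the example).
const GENUINE = checkListing(
  "https://www.ebay.co.uk/listing/123",
  "/contact/seller?item=123"
);
const MIRRORED = checkListing(
  "https://www.ebay.co.uk.example.net/listing/123",
  "mailto:seller@example.net"
);
console.log("genuine:", GENUINE, "mirrored:", MIRRORED);
```

In a real browser the inputs would come from `location.href` and the contact link's `href` attribute; the check only flags the listing for a closer look, it does not prove a page is safe.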
Man-in-the-middle attacks have been used to attempt to do more than change a contact method in a classified ad. Other similar schemes seek to replicate legitimate banking and other sites in an attempt to trick someone into entering their real login details on a faked page.
Once these logins are captured, someone can use them to log in to the real site and possibly perpetrate fraud. Fortunately, many sites are adding additional login factors besides a simple username and password to defeat such spoofing of authentic pages.
For example, Verizon Wireless requires customers to select and label an image that will be presented to them on future logins. If that image and label don’t show up or are different when someone uses their regular login and password, it would indicate they aren’t visiting the real website.