Angry in the Great White North
ebay phishing hack collecting user names and passwords
Wednesday, April 18, 2007 at 03:51 PM

Read other posts by Steve Janke published by the National Post

Leader

An ebay phishing hack is collecting login information. Interestingly, the phishing page is reached from a hacked ebay page, which is something I've never heard of before.

Update: Apparently you can add JavaScript to your auction page, and ebay will happily serve that page up. Sheesh!



Main Story

A reader sent me a heads up on an ebay phishing hack.

Amazingly, I always thought ebay was protected against this sort of thing.

You start with item number 120110237584:

[image: ebay01.jpg]

You go to a valid listing (the URL starts with http://cgi.ebay.com/ebaymotors/ws/...):

[image: ebay02.jpg]

I've added the modesty box. The listing appears for a brief moment as your browser is redirected to this phishing page:

[image: ebay03.jpg]

Looks like ebay, but smells like phish.

The URL gives it away:

http://69.72.209.35/3/base.php?pa2=errmsg=runa....

The correct URL for the signin page is this:

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn
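The difference between the two URLs above is the whole tell: a bare IP address over plain http versus the real sign-in host over https. As an added example (not code from the original post or from eBay), here is a small check that flags a sign-in URL on exactly those grounds. The set of legitimate hosts is an assumption limited to the signin.ebay.com page quoted above, and the sample phishing URL in the usage call is constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption for this example: only the sign-in host quoted in the post
# is treated as a legitimate place to type an eBay password.
LEGITIMATE_SIGNIN_HOSTS = {"signin.ebay.com"}


def _is_ip_literal(host: str) -> bool:
    """True when the host part of a URL is a raw IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_signin_url(url: str) -> list[str]:
    """Return the reasons this URL should not be trusted as an eBay sign-in page.

    An empty list means none of the red flags below were found.
    """
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme!r}, not https")
    if not host:
        reasons.append("URL has no host")
    elif _is_ip_literal(host):
        reasons.append(f"host is a bare IP address ({host})")
    elif host not in LEGITIMATE_SIGNIN_HOSTS:
        # The word 'ebay' somewhere in the host or path proves nothing:
        # signin.ebay.com.example.net is not eBay. Only an exact host match counts.
        reasons.append(f"host {host!r} is not a known eBay sign-in host")
    return reasons


if __name__ == "__main__":
    # Constructed sample, modelled on the shape of the phishing URL in the post
    # (documentation address 192.0.2.10 stands in for the real one).
    for candidate in (
        "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
        "http://192.0.2.10/3/base.php?errmsg=1",
        "https://signin.ebay.com.example.net/ws/eBayISAPI.dll?SignIn",
    ):
        print(candidate, "->", check_signin_url(candidate) or "looks legitimate")
```

The exact-host comparison is deliberate: a suffix or substring match on "ebay.com" would pass a lookalike such as signin.ebay.com.example.net, which is the usual way a phishing host borrows a brand name.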

Not sure what they'll be doing with the information being phished. But then I'm not a criminal mastermind. What's really interesting here is that this is not a phishing attempt prompted by an email ("ebay requires you to login to verify your account information. Please follow this link..."). Instead, a valid ebay page has somehow been modified to immediately redirect you to a phishing page. I've never heard of an ebay page being compromised in such a way.

Makes me wonder just how many of these compromised ebay pages are directing ebay users to phishing operations.

ebay has been informed.

Update: The page has come down.

Update: I didn't know ebay allowed people to add Java to their ebay auction pages:

eBay does not permit the use of several types of HTML and JavaScript functions in member listings, Stores pages, About Me pages, or Want-It-Now ads.

Any attempts to disguise the intention or function of the source code (HTML or JavaScript) of your listing are in violation of eBay policy. This includes, but is not limited to:

  • the use of unescape functions in JavaScript
  • items that split HTML or other JavaScript tags with the express purpose of hiding the tags within the source code of the listing's HTML or script

Users may not manipulate or edit any areas outside of the areas designated for member content.

Additionally, on the German site (eBay.de), the use of JavaScript functions is further limited. Refer to the Additional Information section below for more information.

Violations of this policy may result in a range of actions, including:

  • Listing cancellation
  • Limits on account privileges
  • Account suspension
  • Forfeit of eBay fees on cancelled listings
  • Loss of PowerSeller status

I guess we can add redirects to phishing pages to that list.
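The policy quoted above names two concrete constructs (unescape calls and tags split across string literals), and the post itself describes a third: a listing that redirects the visitor the moment it loads. As an added example, not eBay's actual listing scanner or any code from the original post, the following scanner pulls script bodies, inline event handlers and meta refreshes out of listing HTML and reports which of those constructs it finds. The regexes are this example's own heuristics, and the sample listing is constructed (with the documentation address 192.0.2.10 standing in for the phishing host).

```python
import re
from html.parser import HTMLParser

# Heuristic patterns, written for this example: the two constructs the quoted
# policy names plus the immediate redirect the post describes.
SCRIPT_RULES = {
    "unescape_call": re.compile(r"\bunescape\s*\(", re.I),
    # A string literal that starts a tag, concatenated with another literal,
    # e.g. "<scr" + "ipt>" -- the 'split tag' technique the policy forbids.
    "split_tag": re.compile(r"""["']<[a-z/]*["']\s*\+\s*["']""", re.I),
    # Assignment to location / location.href, or location.replace/assign(...).
    # The trailing [^=] keeps comparisons such as location.href == x from matching.
    "location_redirect": re.compile(
        r"""(?:\b(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=[^=]"""
        r"""|\blocation\.(?:replace|assign)\s*\(""",
        re.I,
    ),
}


class ListingScanner(HTMLParser):
    """Collects script bodies, on* handlers and meta refreshes, then applies SCRIPT_RULES."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []  # (rule name, evidence)
        self._in_script = False
        self._script_buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            if attrs.get("src"):
                # Code loaded from elsewhere cannot be reviewed in the listing itself.
                self.findings.append(("external_script", attrs["src"]))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta_refresh", attrs.get("content") or ""))
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self._scan_script(value, where=f"{tag}@{name}")

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._scan_script("".join(self._script_buf), where="script")

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._in_script:
            self._script_buf.append(data)

    def _scan_script(self, code: str, where: str) -> None:
        for rule, pattern in SCRIPT_RULES.items():
            match = pattern.search(code)
            if match:
                self.findings.append((rule, f"{where}: {match.group(0).strip()}"))


def scan_listing(html: str) -> list[tuple[str, str]]:
    """Return every (rule, evidence) pair found in a listing's HTML."""
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample listing: looks like an ordinary car ad, but carries a script
# that builds a split tag, calls unescape and redirects the visitor on load.
SAMPLE_LISTING = """
<div id="listing">
  <h1>2004 Sedan, low mileage</h1>
  <img src="car.jpg" alt="car">
  <script type="text/javascript">
    var p = "<scr" + "ipt>";
    var q = unescape("%20");
    window.location = "http://192.0.2.10/3/base.php?errmsg=1";
  </script>
</div>
"""

if __name__ == "__main__":
    for rule, evidence in scan_listing(SAMPLE_LISTING):
        print(f"{rule:18s} {evidence}")
```

Run on the sample, the scanner reports all three constructs from the same script block; an ordinary listing with no scripts or handlers returns an empty list. The value of a check like this is that it runs before the listing is served, which is where the post argues the redirect should have been caught.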
