Phishers attack eBay using new technique (a must read)

Question
Phishers attack eBay using new technique
By Michael Bazeley
Mercury News
Scammers have found a new way to try to trick eBay members into giving them their personal information. The new technique effectively hijacks links on listing or search results pages, taking people to an official-looking eBay log-in page that is actually phony.
In one example the Mercury News viewed this week, several listings were added to eBay's "Totally bizarre" category, a section intended for offbeat items, with the title "Movie!With me and Laura!My best friend!Sexy show!1$".
When eBay users clicked on the listing titles, their Web browser was immediately redirected to the fraudulent log-in page. Making matters worse, the phony page appears to download a virus onto users' computers.

EBay said the people behind the scam appeared to have added malicious JavaScript code to their listings that redirected people off eBay's site. EBay allows members to include some types of JavaScript in their listings for things such as interactive photo albums or tools to help buyers calculate shipping charges.

(bolding added)
[ the rest of the story ]

Answer
Quote:
".... or tools to help buyers calculate shipping charges."
Perhaps this is somehow related to eBay's motivation to add transit times to listings. Maybe they're trying to find a way to integrate some kind of fixed shipping rate system into listings so they can eliminate the need for shipping calculators (using Java) in sellers' ads and thus circumvent the phisher's portal. Adding transit times and gauging seller response might be eBay's way of getting their "interfering" foot in the door to implement a broader plan.
But then again, I'd have to guess that eBay has something far less vigilant and much more selfish in mind.
Just a thought.

Answer
"Perhaps this is somehow related to eBay's motivation to add transit times to listings"
No, the idea is to show folks that check or money order takes time. They are using this to promote PayPal.
As for the spoofs with listings, they have been going on for some time.

Answer
Originally Posted by 10x: "Perhaps this is somehow related to eBay's motivation to add transit times to listings"
No, the idea is to show folks that check or money order takes time. They are using this to promote PayPal.
As for the spoofs with listings, they have been going on for some time.
Is this what they told you?
"Movie!With me and Laura!My best friend!Sexy show!1$" Although that's hilarious, the whole concept is scary. It's strange because sometimes eBay WILL randomly make me sign in to my account, so it's not completely unbelievable.

Answer
Quote:
"No the idea is to show folks that check or money order takes time. They are using this to promote PayPal"
I don't think eBay mentions anything about traditional payments or the extra time they may incur on overall transaction time. They don't even indicate anything about it (specifically) in their feeble "asterisk" addendum.
It's obvious they're constantly trying to shove Preypal down our throats, but they're generally not very subtle about it.
Although, I suppose by proposing that we sellers bear the burden of clarifying this FORCED auction interference to our buyers, a natural result might be for some of us to make clearance times for such payment methods more prominent in our ads thereby making the use of paypal more attractive. Bearing in mind that 98% of sellers who accept traditional payments (and don't ship right away) already make this clear in their terms.
Actually, it might have an opposite effect in that without any clearance time clarification, many buyers, especially new ones, might get the idea that these times are valid no matter how they pay.
Though I kind of doubt eBay is smart enough to concoct such a scheme, anything is possible with these inept grifters.
(don't mean to drag the thread off track! Thanks for the heads up Jim)

Answer
"many buyers, especially new ones might get the idea that these times are valid no matter how they pay."
Correct, and why they won't put in the time due to payment method. Tends to force the seller to go for instant PayPal payment. The whole thing is a push for PayPal. A smart idea for eBay and PayPal, and it leaves the sellers' purchasers in the lurch again.
We are stuck with the mess.

Answer
Maybe it is time for eBay to try out the Bank of America technique for stopping such scams. BOA have a personally chosen picture on the sign-on page so one knows one is on the real site.

Answer
Originally Posted by long-gone: Quote:
".... or tools to help buyers calculate shipping charges."
Perhaps this is somehow related to eBay's motivation to add transit times to listings. Maybe they're trying to find a way to integrate some kind of fixed shipping rate system into listings so they can eliminate the need for shipping calculators (using Java) in sellers' ads and thus circumvent the phisher's portal. Adding transit times and gauging seller response might be eBay's way of getting their "interfering" foot in the door to implement a broader plan.
But then again, I'd have to guess that eBay has something far less vigilant and much more selfish in mind.
Just a thought.
My guess would be that putting eBay's own shipping calculator and their transit time figures in the auctions pushes the sellers to use their shippers too. And promotes instant gratification, which means PayPal or similar instant payment, for which the ones approved for use on eBay are _____? I prefer to not use UPS. What about those who use FedEx? Or DHL? Or ?
Do you suppose that eBay obtains some monetary benefit from excluding some shippers from their shipping info?
The nice people who offer the third party scripts to figure shipping hopefully will translate them into PHP server based code or similar which cannot as easily be hijacked. But then the shipping calculator would be a separate spawned browser window most likely.
This latest hijack effort may yet force eBay into verifying every account which is a good thing imho.
When setting up thumbnails and enlarged photos in auctions, I went out of my way to find a method that didn't use scripts because I knew some day eBay would nerf them... more... (they already do on About pages) Scripting isn't necessary to do thumbs and enlarged photos which can be done in HTML only, although not as fancy.

Answer
Originally Posted by Jim: Phishers attack eBay using new technique
By Michael Bazeley
Mercury News
Scammers have found a new way to try to trick eBay members into giving them their personal information. The new technique effectively hijacks links on listing or search results pages...
The amazing thing is that eBay was warned in 2004 that this exact security hole that these phishers exploited existed on its site (on item listing pages and about me pages) and it did absolutely NOTHING to correct the problem.
This is my post from tuliptools with links to the security advisories that were issued in 2004 by both GulfTech Research and SecurityTracker.
Originally Posted by bargainbloodhound: Almost 1 year after this vulnerability was pointed out to eBay, hackers did in fact take advantage of this hole in December 2005 to phish users on the eBay site.
The GulfTech warning was issued in January 2005... eBay did nothing despite the warnings.
Originally Posted by GulfTech: Last year GulfTech Security Research found several security flaws in eBay and the eBay owned half.com. These security flaws could allow attackers to execute malicious code in the context of a victim's browser, and could easily be used to hijack accounts, and in phishing, and other scams. Unfortunately only some of those security flaws were fixed, and the most dangerous of the bunch still remain even after being made public. Additionally, GulfTech Security Research found similar security vulnerabilities in the well known amazon.com website. Like eBay, the amazon.com vulnerabilities still exist.
Should I Be Worried?
If you make use of eBay or amazon.com you could be put at risk simply by visiting a link, or viewing a malicious web page. The eBay vulnerability is an especially nasty one because all an attacker has to do in order to acquire victims is place an auction or fill out their "about me" page with malicious data. Once the malicious auction is placed a victim's cookie based credentials can be stolen silently, and even worse an attacker can hijack certain Document Object Model elements and cause anyone who clicks on the "place bid" button to be redirected to a bogus login page or worse. Below is an example "about me" page put together by us that will demonstrate how this vulnerability could be used for phishing.
The full article: http://www.gulftech.org/?node=resear...00064-01042005
Based on the fact that eBay knew about this security vulnerability for almost a year and did nothing, I think they would have a hard time defending themselves in court if anyone who was victimized (had their personal info stolen or account hijacked) decided to sue them. A similar security problem also existed in 2004 with the LiveWorld Forum software eBay uses. That hole was fixed, but according to the security researcher who exposed the hole both eBay and LiveWorld were slow to respond to the problem...leaving their users who used the eBay boards at risk of having their passwords and other personal info stolen for several months.
Originally Posted by bargainbloodhound: Originally Posted by GulfTech: LiveWorld Products Allow Remote Users to Conduct Cross-Site Scripting Attacks
GulfTech Security Research Team reported that LiveForum, LiveQ&A, LiveChat, and LiveFocusGroup (and possibly other products) do not properly validate user-supplied input before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LiveWorld software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LiveWorld software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Full article (includes examples of some eBay URLs which suffered from this vulnerability): http://www.securitytracker.com/alert...g/1011036.html
The original proof of concept article from GulfTech Research: http://www.gulftech.org/?node=resear...00044-08232004 . According to the article, both LiveWorld and eBay were slow to respond when presented with proof of the vulnerability in the LiveWorld software.
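The root cause running through the article and the GulfTech advisory quoted above is that seller-supplied listing and "about me" markup can carry script, which then runs in the context of the real site. As an added defensive illustration (not code from the article, eBay, GulfTech or LiveWorld), this is the shape of an allow-list sanitizer a marketplace would run over such markup: only known-safe tags and attributes survive, event handlers and non-http(s) URLs are dropped, and script bodies are discarded. The tag list, the sample listing and the .example hosts are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: the only tags/attributes a listing may keep; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "li", "table", "tr", "td", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_BODY_TAGS = {"script", "style", "iframe", "object", "embed"}  # body discarded too
def safe_url(url):
    # Only absolute http(s) URLs pass, so javascript:, data: and vbscript: links fail.
    parsed = urlparse(url.strip())
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)
class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped tag's body
    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY_TAGS:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:  # meta, form, unknown tags vanish
            kept = []
            for name, value in attrs:
                # on* handlers are never allow-listed; href/src must be plain http(s)
                if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                    continue
                if name in ("href", "src") and not safe_url(value):
                    continue
                kept.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_BODY_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-encoded, never emitted raw

def sanitize_listing(html):
    p = ListingSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
# Constructed sample in the spirit of the article (not real eBay markup).
MALICIOUS_LISTING = (
    '<b>Movie!</b><script>window.location="http://login-ebay.example/";</script>'
    '<a href="javascript:steal()" onclick="hijack()">Place bid</a><img src="http://img.example/pic.jpg" onerror="go()">'
    '<meta http-equiv="refresh" content="0;url=http://login-ebay.example/">'
)
```

Note that the article says eBay deliberately allowed "some types of JavaScript" in listings; an allow-list like this one cannot express that, which is exactly the point: once any script is permitted, there is no reliable way to tell a shipping calculator from a redirect.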


Answer
eBay needs to hire those bad people to do good work instead. I really don't think eBay is as secure as we would all like to believe... Trust no one...
© 2007 www.aqcollection.com