Number of malicious eBay listings rises, accounts are hijacked
Pressure is mounting against eBay to quickly detect and remove bogus listings triggering cross-site scripting flaws to redirect users to phishing and other malicious pages.
This particular problem exists for years because eBay allows the use of custom Javascript and Flash content on listings pages so that they might “pop out” and attract more potential buyers.
EBay has generally been doing a good job removing malicious listings, but every now and then they slip up and the number of these listings spikes for a while, as it’s currently happening.
The onslaught started last week, when an IT worker from Scotland spotted a few listings that redirected him to a well-made eBay login phishing page.
The e-commerce giant has reacted, but not soon enough, and the listings were up for over 12 hours, tricking who knowns how many users.
According to the BBC, the number of listings using the same trick to redirect users to malicious pages has, in the meantime, risen to at least 100, and possibly even more.
Some of these listings have been placed via hijacked eBay accounts with 100% positive feedback, which made them look legitimate. The listings are offering iPhones, television sets, clothing, and other attractive items, and redirect to fake eBay Security & Resolution Center pages designed to harvest users’ credit card details, bank account details, some personal information, and so on.
EBay has commented the matter by saying that many of their sellers use active content like Javascript and Flash to make their eBay listings perform better.
“We have no current plans to remove active content from eBay,” they stated. “However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”
But security experts say that the company should do more to protect its users so that they don’t lose their trust.
“Until eBay has the ability to automatically identify malicious links, it should disable Javascript until they have some way of better controlling the risk,” opined Brian Honan, BH Consulting CEO.