The dangers of clicking on links in eBay listings were highlighted after a fake posting advertising cheap iPhones sent visitors to a phishing site designed to steal eBay usernames and passwords, and eBay did not remove the listing for hours.
The listing, which offered cheap iPhones for sale, contained malicious script which sent users away from eBay to a site that resembled the auction site but harvested the usernames and passwords entered into it, according to TameBay. Because the script was embedded in the listing itself, it executed within eBay's own pages.
It was discovered by British IT worker Paul Kerr, according to security researcher Graham Cluley, but was not removed until 12 hours later, when a call from the BBC prompted the site to react. The BBC said it had found additional listings containing similar scripts that sent victims off the site.
eBay responded to TameBay with, “The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk. We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links.”
Veteran security researcher and writer Graham Cluley says, “eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done. But, worse than that, why did it require the BBC to investigate before action was taken?”
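The stripping Cluley describes, shown as an added example of one way to do it (this is not eBay's code and not code from the article): an allow-list sanitizer for seller-supplied listing HTML. Instead of trying to recognise bad input, it keeps only a short list of harmless tags and attributes, drops every event-handler attribute by construction, accepts only absolute http(s) URLs in links and images, and discards the contents of script-bearing elements. The tag list, attribute rules and the sample listing are assumptions chosen for illustration; the listing text is constructed, not the one Kerr found.

```python
# Added example (not from the article or from eBay): an allow-list sanitizer
# for seller-supplied listing HTML. Tag names, attribute rules and the sample
# listing below are assumptions chosen for illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
REQUIRED_ATTR = {"a": "href", "img": "src"}   # element is dropped if this is missing or unsafe
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
# Elements whose content must go too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "noscript"}


def safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, vbscript: and relative links."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # tags we emitted and still owe a close for
        self.drop_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return            # unknown tag (meta, div, ...) is dropped, its text kept
        kept = {}
        for name, value in attrs:
            # Anything not explicitly allowed is dropped: that removes every on* handler and style=.
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept[name] = value
        required = REQUIRED_ATTR.get(tag)
        if required and required not in kept:
            return            # <a href="javascript:..."> becomes plain text, a bad <img> vanishes
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:   # close intervening unclosed tags so output stays well-formed
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped, never emitted raw

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_listing(raw_html):
    parser = ListingSanitizer()
    parser.feed(raw_html)
    return parser.result()


# Constructed sample of what a hostile listing body might contain (not the real eBay listing).
MALICIOUS_LISTING = (
    "<p>Cheap <b>iPhone</b> - bargain!</p>"
    '<script>window.location="http://fake-ebay.example/login"</script>'
    "<img src=\"x\" onerror=\"document.location='http://fake-ebay.example'\">"
    '<a href="javascript:alert(document.cookie)">Bid now</a>'
    '<meta http-equiv="refresh" content="0;url=http://fake-ebay.example">'
    '<a href="https://www.ebay.co.uk/itm/123">Genuine link</a>'
)

if __name__ == "__main__":
    print(sanitize_listing(MALICIOUS_LISTING))
```

Run against the constructed listing it keeps the description and the genuine link, turns the `javascript:` anchor into plain text, and removes the script, the `onerror` image and the `meta refresh` redirect entirely. The design choice worth noting is that the sanitizer never has a "blocklist" to keep current: a new event attribute or URL scheme is rejected simply because nobody added it to the allow list.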
Computer Weekly describes the eBay scam incident as “the latest in a string of security incidents at the auction site.”
Earlier this year, eBay's online ticket resale service StubHub fell victim to a scam in which a “global gang” used 1,600 compromised accounts on the service to buy and resell tickets, laundering the profits through European banks and netting a total of $1m.
Three suspects behind the StubHub account takeovers were arrested in New York, and a further three in London, according to the BBC's report.
The StubHub fraud did not involve breaking into StubHub itself. The gang took email addresses and passwords leaked in other companies' breaches and tried them against StubHub logins, taking over the legitimate accounts of customers who had reused the same password elsewhere, the technique known as credential stuffing. eBay emphasized that its servers had not been accessed; the company had suffered a high-profile attack earlier this year that reportedly exposed customer data.
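Credential stuffing of the kind described above leaves a characteristic trace in authentication logs: one source trying many different accounts in a short time, with most attempts failing and the occasional success against a reused password. As an added example (not code from the article, StubHub or eBay), the following flags that pattern in a constructed login log; the log format, thresholds and every line of sample data are assumptions for illustration.

```python
# Added example (not from the article, StubHub or eBay): flag credential-stuffing
# runs in login logs. The log format and the lines below are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a legitimate user mistyping once, an attacker cycling through
# leaked email/password pairs, and two unrelated successful logins.
SAMPLE_LOG = """\
2014-07-01T10:00:01Z ip=198.51.100.20 user=alice@example.com result=fail
2014-07-01T10:00:09Z ip=198.51.100.20 user=alice@example.com result=ok
2014-07-01T10:01:00Z ip=203.0.113.7 user=alice@example.com result=fail
2014-07-01T10:01:01Z ip=203.0.113.7 user=bob@example.com result=fail
2014-07-01T10:01:02Z ip=203.0.113.7 user=carol@example.com result=ok
2014-07-01T10:01:03Z ip=203.0.113.7 user=dave@example.com result=fail
2014-07-01T10:01:04Z ip=203.0.113.7 user=erin@example.com result=fail
2014-07-01T10:01:05Z ip=203.0.113.7 user=frank@example.com result=fail
2014-07-01T10:02:30Z ip=192.0.2.9 user=grace@example.com result=ok
2014-07-01T10:02:31Z ip=192.0.2.9 user=heidi@example.com result=ok
"""


def parse_log(text):
    """Return (timestamp, ip, user, success) for each well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return events


def find_credential_stuffing(events, window_s=600, min_users=5, min_fail_rate=0.8):
    """Flag (ip, time window) pairs that touch many distinct accounts with a high failure rate.

    A password-guessing attack against one account looks different (one user, many failures);
    stuffing spreads one or two attempts over many users, so distinct-user count is the key signal.
    """
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ts, ip, user, ok in events:
        b = buckets[(ip, int(ts.timestamp()) // window_s)]
        b["users"].add(user)
        b["attempts"] += 1
        if ok:
            b["hits"].add(user)   # accounts whose reused password worked: these need a forced reset
        else:
            b["fails"] += 1
    alerts = []
    for (ip, _bucket), b in sorted(buckets.items()):
        fail_rate = b["fails"] / b["attempts"]
        if len(b["users"]) >= min_users and fail_rate >= min_fail_rate:
            alerts.append({
                "ip": ip,
                "distinct_users": len(b["users"]),
                "fail_rate": round(fail_rate, 2),
                "compromised": sorted(b["hits"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only 203.0.113.7 is flagged (six accounts, five failures, one success), and the alert carries the list of accounts the attacker actually got into, which is the set that needs an immediate password reset and session invalidation. The legitimate user who mistyped once is not flagged because the distinct-user count stays at one.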
Author Rob Waugh, We Live Security