Auction site eBay has remained defiant about ‘active’ listings, despite multiple reports indicating that these are being used for eBay scams where users are directed outside the site to pages built for phishing attacks, according to Computer Weekly.
The issue originally came to light last week when a listing, which offered cheap iPhones for sale, was found to contain a malicious script which directed site users outside eBay to a site which resembled the auction site, but harvested usernames and passwords, according to TameBay.
This week, the BBC claims that such eBay scams have been active since at least February, with transcripts of chats between customers and support staff seeming to support this.
The broadcaster also found several dozen new listings with similar ‘cross-site scripting’ tactics.
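The tactic described above relies on listing bodies that carry scripts or handlers which send the visitor away from the marketplace. As an added illustration (not eBay's own tooling or code from the reports cited here), the following scanner flags that kind of active content in a listing body before it is published; the marketplace host name and the sample listing are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed marketplace host; anything else counts as off-site (placeholder, not a real domain).
SITE_HOST = "marketplace.example"

# Script fragments that navigate the visitor away from the page as soon as they run.
REDIRECT_RE = re.compile(
    r"(window|document|top|self)\.location|location\.(href|replace|assign)",
    re.IGNORECASE,
)

def _offsite(url):
    """True when a URL names a host other than the marketplace or one of its subdomains."""
    host = urlparse(url or "").hostname
    return host is not None and host != SITE_HOST and not host.endswith("." + SITE_HOST)

class ActiveContentScanner(HTMLParser):
    """Collects findings for script tags, inline handlers, javascript: URLs and off-site forms."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.findings.append("script tag")
            if _offsite(attrs.get("src")):
                self.findings.append("off-site script src: " + attrs["src"])
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append("meta refresh: " + (attrs.get("content") or ""))
        if tag == "form" and _offsite(attrs.get("action")):
            self.findings.append("form posts off-site: " + attrs["action"])
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"inline handler {name} on <{tag}>")
            if name in ("href", "src", "action") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append("script navigates away: " + data.strip()[:60])

def scan_listing(html):
    """Return the list of active-content findings for one listing body (empty means clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of a listing body carrying a redirecting script (not a real listing).
SAMPLE_LISTING = ('<h1>Cheap phone</h1><p>Great price!</p>'
                  '<script>window.location="http://login.phish.example/";</script>'
                  '<img src="x.png" onerror="alert(1)">')
```

A listing that produces any finding would be held for review rather than published; plain HTML with on-site links produces none.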
One transcript, from user Paul Castle, dated from February this year, showed Mr Castle explaining, “I was just browsing in Digital Cameras and came across a password-harvesting scam.”
Mr Castle said that the problematic February listing, “transfers immediately to a password harvest scam page”.
E-Commerce Times reports that eBay defended the use of such ‘active’ listings, saying, “The criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems.”
The site claimed in its statement that unauthorized account usage is at an all-time low on the auction service. However, the accounts used for the XSS phishing scam appeared to be highly rated accounts stolen from innocent users, and some of these accounts had been used for hundreds of bogus auctions.
Veteran security researcher and writer Graham Cluley comments that eBay has a responsibility to manage such ‘active content’ more effectively, saying, “There are plenty of reasons to be careful when buying items on eBay in the first place, but it is disappointing to find out you also need to keep a keen eye open for scams and malicious scripts that eBay’s security team should really have stamped out in the first place.”
Author Rob Waugh, We Live Security