Skip to content ↓ | Skip to navigation ↓

The online auction site eBay has been compromised after hackers created multiple listings carrying a malicious JavaScript code capable of rerouting users to a phishing scam and stealing their login credentials.

Paul Kerr, an IT worker from Scotland, discovered the scam about 35 minutes after it was posted and immediately alerted eBay. However, the listing remained online nearly 12 hours later.

Fake iPhone listing redirects users to phishing scam.

According to BBC News, shoppers may have been affected simply by clicking on the original listing that contained the malicious code. Affected users were then redirected through a series of other websites and ultimately landed on a replica of eBay’s welcome page that asked for their log-in and password.

Security researcher Dr. Steven Murdoch from University College London was able to analyze the listing before it was taken down, stating the attack was carried out using cross-site scripting (XSS), with the code likely capable of executing other malicious actions.

“eBay is pretty competent, but obviously it has been caught out here,” Murdoch told BBC News. “Cross-site scripting is well within the top 10 vulnerabilities that website owners should be concerned about.”

Tripwire security researcher Ken Westin added, “Although the code on eBay only redirected users to a malicious site, more damage could have been done if the attackers were targeting vulnerable browsers and systems leading to instant compromise of the system.”

An eBay spokesman responded to the incident by claiming the attack included only a “single item listing,” although reports state a total of three listings had been posted on the site.

A screen-grab of the video was uploaded by Kerr:

“They should have nailed that straight away, and they didn’t,” said Kerr.

Although it is unclear how many shoppers may have fallen victims to the scam, Tripwire’s Chief Technology Officer Dwayne Melancon says the traditional advice holds true, “Be very cautious when clicking on links and watch the URL bar for strange addresses.”

“When  conducting any financial transaction, you are better off typing the web site’s address manually, or using your own trusted bookmark, rather than clicking on a link or button in an email,” said Melancon.

Earlier this year, eBay was under fire again after a breach compromised nearly 150 million accounts, including users’ emails, addresses, phone numbers and birthdates, along with their encrypted passwords.

Read More Here…