The British website of online retailer eBay was compromised through a cross-site scripting (XSS) vulnerability, exploited to steal customers’ login credentials, according to the BBC.
Attackers apparently planted malicious JavaScript code in product listings to redirect eBay customers interested in cheap Apple smartphones to a spoofed eBay welcome page. Once there, they were asked to enter their account username and password.
The incident was first reported by Paul Kerr, an IT worker from Scotland who contacted eBay and was told that the matter would be considered “of the highest level of security”.
However, the company was criticized for its 12-hour response time in fixing the issue.
“eBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad,” said Steven Murdoch from University College London’s Information Security Research Group.
In a statement, the retailer said the issue only affected one item listed on the UK site, a claim the BBC questioned.
“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” a spokesperson said. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
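The attack described above worked because seller-supplied listing HTML could carry script and off-site links. The following is an added example (not eBay's own code) of a server-side listing audit that flags the content a marketplace's link policy would reject: script-bearing elements, inline event handlers, `javascript:`-style URL schemes, meta-refresh redirects, and links to hosts outside an assumed allowlist (the `ALLOWED_HOSTS` values are placeholders chosen for the example).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a listing may link to under the (assumed) third-party link policy.
ALLOWED_HOSTS = {"ebay.co.uk", "www.ebay.co.uk"}
FORBIDDEN_TAGS = {"script", "iframe", "object", "embed"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


class ListingAuditor(HTMLParser):
    """Collects policy findings while walking seller-supplied listing HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self.findings.append(f"forbidden element <{tag}>")
        attr_map = {name: (value or "") for name, value in attrs}
        for name, value in attr_map.items():
            if name.startswith("on"):  # onload=, onerror=, ... inline handlers
                self.findings.append(f"event handler attribute {name}")
            if name in ("href", "src", "action"):
                self._check_url(value)
        if tag == "meta" and attr_map.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")

    def _check_url(self, value):
        # Strip whitespace that is sometimes inserted to split up the scheme.
        cleaned = re.sub(r"\s+", "", value).lower()
        if cleaned.startswith(DANGEROUS_SCHEMES):
            self.findings.append(f"dangerous URL scheme in {value!r}")
            return
        host = urlparse(cleaned).hostname
        if host and host not in ALLOWED_HOSTS:
            self.findings.append(f"off-site link to {host}")


def audit_listing(html):
    """Return the list of policy findings for one listing's HTML (empty = clean)."""
    auditor = ListingAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    # Constructed sample: a listing whose "sign in" link leaves the marketplace.
    sample = '<p>Cheap iPhone</p><a href="http://login.example.net/ebay">Sign in</a>'
    print(audit_listing(sample))
```

A listing that produces any finding should be held for review rather than published; the findings list doubles as the audit log entry.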
::Trend Micro Threat Resource Center::
19 September 2014
03 April 2010
Beware fake eBay security alert
Red Condor issued a warning of a new blended email threat that appears to be a security alert from eBay. The email message, with the subject line "eBay Procedural Warning - Security Alert," is addressed to "Dear eBay Member," and warns recipients that the sender has "detected security issues on behalf of your account."
The email warns that to correct the issue, users "have to download and install the eBay Security Shield." The embedded link in the email actually takes the user to a likely compromised site on eBay's network.
On the site is a Download Now button; the file it delivers installs a Trojan when executed. After the victim installs the malware as prompted by the email, they are directed to log into their eBay accounts, and the malware then sends their eBay log-in credentials to the scammers.
"While this is a relatively low volume campaign, the scammers have not only figured out how to circumvent the majority of anti-virus engines, they have also exploited an 'About Me' page of a compromised eBay account to host the Trojan," said Dr. Tom Steding, president and CEO of Red Condor.
"In past eBay phishing attacks, the call to action URL has been on some random compromised machine. This scam, however, is a malicious and very sophisticated attack, and unfortunately, is a good representation of the types of phishing attacks that we are likely to see going forward. This attack is likely to get by many email security systems, so users should delete the message immediately."