Hackers have exploited a long-existing vulnerability in eBay that lets them steal your password if you click a fake listing.
Yet another eBay hack has been exposed, only four months after criminals stole millions of passwords, forcing everyone who has an account with the site to change them.
In this latest wave of attacks, criminals create fake listings that appear in search results. Clicking the apparently legitimate listing redirects you to a fake eBay sign-in page, which asks for your user ID and password. If you enter these details, you are effectively handing them straight to the criminals, who will then try to buy items using your PayPal account or log into your email address (which is shown in your eBay account), where they can root around for other sensitive information.
Unlike many phishing scams, these fake listings look very authentic - they don’t contain spelling mistakes or clumsily worded phrases. It’s enough to fool even the most cautious shoppers and these bogus listings can be hiding anywhere on eBay.
According to the BBC, the first fake listing, which purported to be selling a digital camera, was reported to eBay back in February. In early September, another fake listing - this time for an iPhone - was flagged up by another eBay user. The BBC says this particular fake listing remained on the site for 12 hours after it was reported, and was only removed when the BBC contacted the site itself. If true, leaving a malicious listing live for so long is a shocking oversight by eBay.
A subsequent BBC investigation uncovered 64 false listings in a 15-day period in September, across a wide range of items, not just electronic goods. David Emm, senior security researcher at Kaspersky, thinks this could be the tip of the iceberg.
“It’s certainly possible that there may be more. Even if there aren’t, there’s no knowing how many eBay customers may have clicked the links and been redirected,” he said.
What’s more worrying is that the listings don’t simply contain malicious links in the product description, which is a relatively straightforward form of attack. Instead, the hackers have tweaked eBay’s code to infiltrate the search results, exposing deep security flaws within the site.
So far, eBay hasn’t commented on the BBC’s claim that at least 64 of its listings were malicious, but a spokesman did confirm the fake iPhone listing, and said it was removed.
So what can you do to stay safe?
Thankfully, most reputable antivirus software comes with anti-phishing tools, which Emm says will identify fake eBay pages. You should check to see that your antivirus has this.
Jiri Sejtko, an antivirus analyst at Avast, also warns users to be “suspicious if a site requests you to log in or provide personal details at times you normally wouldn’t”. In these eBay attacks, clicking the listing takes you to a fake sign-in page, but eBay would never normally ask you to sign in at this point. In fact, most shopping sites only request this information at the point of purchase. This YouTube video (www.snipca.com/13739) shows at what point the fake login page appears.
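The two points above, a listing that redirects the viewer and a sign-in prompt appearing where none belongs, are what a marketplace can screen for before a listing reaches search results. The following is an added example written for this article, not eBay's code or anything the BBC or the quoted researchers published. It assumes listings are submitted as HTML fragments (a hypothetical model of the site) and uses an assumed allow-list of trusted hosts; the two sample listings are constructed for the demonstration.

```python
"""Defender-side scanner for user-supplied listing markup (added example).

Flags constructs that can send a viewer elsewhere or present a sign-in form:
script/iframe/form elements, meta refresh redirects, inline event handlers,
javascript:/data: URLs, links or sources to hosts outside an allow-list,
and password fields. A flagged listing would be held for review.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list; a real deployment would load the site's own host list.
TRUSTED_HOSTS = {"ebay.com", "www.ebay.com", "signin.ebay.com"}


def target_not_allowed(url):
    """True if url uses a scripting scheme or points outside TRUSTED_HOSTS."""
    p = urlparse(url.strip())
    if p.scheme.lower() in ("javascript", "data", "vbscript"):
        return True
    if not p.netloc:          # relative URL stays on the site
        return False
    # Strip userinfo ("trusted.com@evil") and port before comparing the host.
    host = p.netloc.lower().split("@")[-1].split(":")[0]
    return host not in TRUSTED_HOSTS


class ListingScanner(HTMLParser):
    """Collects human-readable findings for each suspicious tag or attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Boolean attributes arrive with value None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "object", "embed", "form"):
            self.findings.append(f"active element <{tag}>")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        for k in a:
            if k.startswith("on"):        # onload=, onclick=, ...
                self.findings.append(f"inline event handler {k}")
        for k in ("href", "src", "action"):
            if k in a and target_not_allowed(a[k]):
                self.findings.append(f"{tag} {k} target not allowed: {a[k]}")
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password field inside listing")


def scan_listing(html):
    """Return the list of findings for one listing; empty means nothing flagged."""
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample listings (not real eBay content).
CLEAN_LISTING = (
    '<div><h1>Canon EOS 600D body</h1><p>Good condition, boxed.</p>'
    '<img src="/images/600d-front.jpg"></div>'
)
PHISHING_LISTING = (
    '<div><h1>iPhone 5S 16GB, like new</h1>'
    '<meta http-equiv="refresh" content="0;url=http://signin.example.com/login">'
    '<a href="javascript:top.location=\'http://signin.example.com/login\'">'
    'View photos</a></div>'
)

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_LISTING), ("phishing", PHISHING_LISTING)):
        print(name, "->", scan_listing(body) or "no findings")
```

Run stand-alone, the script reports nothing for the clean listing and two findings for the constructed phishing listing (the meta refresh and the javascript: link). The scan runs on submission, so a listing never reaches search results in a state that can redirect a viewer, which is the gap the article describes.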
The message from experts is to defend yourself using security software and to look out for anything odd. However, eBay’s security really should be sophisticated enough to prevent this kind of attack. And if the hackers do sneak through, eBay needs to react faster. Only then will its damaged reputation start to recover.
THE FACTS
• Hackers have created eBay listings that redirect you to a page that steals your password
• 64 hacked listings have been discovered so far, but experts say there could be many more
• The vulnerability was first reported to eBay in February, according to the BBC