09/23/2014

Bad news for eBay users, especially sellers with high feedback ratings: it looks like eBay got hacked again.

BBC News first reported on Sept. 17 that eBay had been compromised badly enough that people who clicked on certain links were redirected to spoof sites: pages that look like legitimate eBay listings but were actually created by the attackers to trick people into handing over their confidential information.

A BBC technology reporter had discovered one such scam listing last week, purporting to sell an iPhone 5, and said eBay “was alerted to the hack on Wednesday night but removed the [fraudulent] listings only after a follow-up call from the BBC more than 12 hours later.”

The problem should have ended there, but it did not. By Sept. 22, the BBC reported “eBay under pressure as hacks continue,” and said it had “identified more than 100 listings that had been exploited to trick customers into handing over personal data. Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem.”

Cross-site scripting

The problem centers on eBay's practice of letting sellers embed JavaScript and Flash in their listing descriptions. Active content supplied by one user and rendered on eBay's own pages to every visitor is a textbook case of stored cross-site scripting (XSS): whoever controls a listing can plant code that runs in the browser of anyone who views it. The attackers took over innocent eBay sellers' accounts, many with long histories and 100% positive feedback, and used them to post fake listings carrying such code, so that the trusted seller profile lent the listings credibility.

Potential buyers who clicked on a compromised listing were taken to “a sophisticated, official-looking site that asked victims to log in and share bank account details” (i.e., a spoof page).
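To make the mechanism concrete, here is an added example written for this article; it is not code from eBay, the BBC or the attackers. It scans a constructed listing body for the kinds of active content that make this class of attack possible (script and plugin elements, on* event handlers, javascript: URLs) and then rebuilds the listing from an allowlist of harmless tags and attributes, which is what a marketplace has to do if it lets sellers supply HTML at all. The sample listing, the placeholder destinations under the reserved .invalid domain and the allowlists are assumptions made for the example; the scanner is regex-based so it runs without any dependency, which is not how a production sanitizer should be built.

```javascript
// Added example, not code from eBay, the BBC or the attackers: a scanner for
// the active content a seller-supplied listing carries, and an allowlist
// sanitizer that rebuilds the listing without it. Regex-based so it runs
// stand-alone; production code should use a real HTML parser and sanitizer.

// Element names that can run code or move the visitor elsewhere.
const ACTIVE_TAGS = new Set(["script", "object", "embed", "applet", "iframe",
  "frame", "meta", "base", "form", "link", "style"]);

// Constructed allowlist of what a listing description legitimately needs.
const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "p", "br", "ul", "ol",
  "li", "h1", "h2", "h3", "table", "tr", "td", "th", "span", "div", "img", "a"]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title", "width", "height"]);

const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode numeric entities and strip whitespace/control characters so that
// "java&#115;cript:" or "java\tscript:" cannot hide a scheme from the check.
function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\s\u0000-\u001f]/g, "")
    .toLowerCase();
}

// A URL is accepted for href/src only if it is relative or uses http(s).
function isSafeUrl(value) {
  const v = normalizeUrl(value);
  if (!v.includes(":")) return true;          // no scheme at all: relative URL
  return /^https?:/.test(v);
}

function parseAttrs(attrText) {
  const out = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || "");
    out.push({ name: m[1].toLowerCase(), value });
  }
  return out;
}

// Report every piece of active content in a listing body.
function findActiveContent(html) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    if (m[1] === "/") continue;               // closing tags: nothing to inspect
    const tag = m[2].toLowerCase();
    if (ACTIVE_TAGS.has(tag)) findings.push({ kind: "tag", tag });
    for (const { name, value } of parseAttrs(m[3])) {
      const v = normalizeUrl(value);
      if (name.startsWith("on")) {
        findings.push({ kind: "handler", tag, attr: name });
      } else if (/^(javascript|vbscript|data):/.test(v)) {
        findings.push({ kind: "url", tag, attr: name, scheme: v.split(":")[0] });
      }
    }
  }
  return findings;
}

// Rebuild the listing keeping only allowlisted tags and attributes.
function sanitizeListingHtml(html) {
  // Drop script/style elements with their bodies first, so the code inside
  // them does not survive as visible text once the tags are removed.
  const stripped = html.replace(/<\s*(script|style)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, "");
  return stripped.replace(TAG_RE, (whole, slash, rawTag, attrText) => {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";    // unknown or active element: drop it
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const { name, value } of parseAttrs(attrText)) {
      if (!ALLOWED_ATTRS.has(name)) continue; // drops every on* handler too
      if ((name === "href" || name === "src") && !isSafeUrl(value)) continue;
      kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
    }
    return kept.length ? `<${tag} ${kept.join(" ")}>` : `<${tag}>`;
  });
}

// Constructed sample listing of the kind the article describes: a trusted
// seller's page carrying a redirect script, a Flash embed, an event handler
// and a script URL. Destinations are placeholders under the reserved .invalid
// domain, not any real phishing site.
const SAMPLE_LISTING = `
<h2>Apple iPhone 5 16GB - Unlocked</h2>
<p><b>Contact me before you bid.</b> Ships from UK.</p>
<img src="https://example.invalid/iphone.jpg" alt="phone" onerror="window.location='https://phish.example.invalid/login'">
<script>window.location.replace('https://phish.example.invalid/login');</script>
<embed src="https://phish.example.invalid/redirect.swf" type="application/x-shockwave-flash">
<a href="javascript:document.location='https://phish.example.invalid/'">See more photos</a>
`;

console.log("active content found:", JSON.stringify(findActiveContent(SAMPLE_LISTING)));
console.log("sanitized listing:", sanitizeListingHtml(SAMPLE_LISTING));
```

Run with `node`; the scanner reports four findings on the sample (the onerror handler, the script element, the embed element and the javascript: link) and the sanitizer returns a listing that still carries the heading, text and image but none of the active content. The point of the allowlist is that it needs no knowledge of the attacker's payload: a redirect through a script tag, a plugin or a URL scheme all fall out because they were never permitted, whereas a blocklist of known-bad constructs has to be updated each time a new trick appears. The regex tokenizer is a known weakness of this illustration (an attribute value containing `>` confuses it), which is why real deployments should run a proper HTML parser and sanitizer on the server at save time.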

Even worse, at least one seller whose account was hijacked told the BBC that he was locked out of his account, and then billed “around £35” [$57.40 on Sept. 23, with a 1:1.64 pound-to-dollar conversion rate] to cover the hacker's listing fees.

Though news of this hacking is only a few days old, the BBC confirmed that the security flaw has been present at least since February, possibly for more than a year.

James Lyne of the security firm Sophos said: “The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts …. At present we can't get our hands on the end payload, so can't be sure of the attackers' complete motive, but it is clear there are still nasty malicious redirects on the eBay site.”

Before you bid

ChinaTopix.com's coverage of the story cites various unnamed “experts” who said that “most of the malicious listings have this message: 'Contact me before you bid'.” Those anonymous experts, however, may simply be whoever wrote an old About.com listicle titled “Clues that tell you not to bid [on eBay]”; item number 6 warns against exactly this:

"Contact me before you bid" listings. When you do contact sellers that put this key phrase in their description, they'll tell you that you can buy direct from them, bypassing eBay. Then they'll take your money and disappear, and eBay won't have any record of the transaction, so you won't even be able to leave negative feedback.

So, while avoiding “contact me before you bid” listings is a useful all-purpose rule for not getting scammed on eBay, it won't necessarily protect buyers from this latest attack, which is less about taking a buyer's money directly and more about redirecting buyers to a spoof site, presumably in the hope of harvesting their login and bank details for identity theft. As for what honest sellers can do to protect their accounts from being hijacked, thus far nobody seems to know.

EBay is already facing a potential class-action suit alleging that its unofficial policy that “the buyer is always right, and the seller is always wrong” is unfair to sellers and makes it easy for dishonest buyers to defraud them.

The company's apparent lack of concern over news that honest seller accounts are being hijacked by hackers is unlikely to help its reputation. We'll keep you posted as more information about the hacking becomes available.