June 28, 2008

eBay still #1 - in Internet Fraud : reports by IC3.Gov

Every year the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA), issues a report on Internet crime.

You guessed it! eBay is the #1 leader in internet crime statistics, by permitting rampant fraud on its site.
Here is the full link to the report (PDF format):

http://www.ic3.gov/media/annualreport/2007_IC3Report.pdf

IC3 agrees with this eBay user, who called eBay "The World's Biggest ONLINE Crime Ring"; you can see the famous YouTube video "eBay: The World's Biggest ONLINE Crime Ring" here.

BTW, eBay's PR spin department has always maintained that the fraud rate on the eBay site is less than 0.1 percent, which is complete BS. I have finally found a mention of how the eBay spin department calculates this fraud percentage. Here it is, directly from the horse's mouth, as published in this CNN Money article:
“eBay says the loss to the company due to fraud in the first quarter of 2007 amounted to less than 0.1 percent of its revenue - but with net revenue of $1.8 billion, that still leaves plenty of transactions that could have been better protected. Last summer, for example, a Manhattan company that auctioned thousands of pieces of jewelry on eBay agreed to pay $400,000 to settle charges that it inflated prices by bidding in its own auctions.”

Note the KEY WORDS: "loss to the company due to fraud": so this less-than-one-tenth-of-one-percent fraud rate the eBay spinsters tout is a loss TO EBAY. How about losses to the eBay customers????????? It's important to listen carefully when eBay spinsters serve the news media their usual Kool-Aid, comparing apples with oranges.

June 25, 2008

Email address in listing text forbidden on eBay

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 3:43 am

eBay scammers who hijack legitimate seller accounts use a disposable email address at a free email provider to lure eBay shoppers into an off-eBay transaction. eBay has announced that for safety reasons email addresses will no longer be allowed in eBay listing descriptions starting in September 2008. That's a step in the right direction! After all, each eBay listing has a Contact the Seller button that eBay builds into the listing format, so showing an email address is redundant and unsafe. I am not sure how eBay will tackle a listing like this, where the scammer creates a large JPG or GIF image, places the text as well as the email address onto this image and makes that image part of the auction.

This image comes from a fake scam auction for Canon 600mm f 4 is L, Canon 300mm f 2.8 is L, … Hopefully by the time you read this article the eBay auction has been canceled, so we have saved a screenshot of this fake eBay auction on a hijacked eBay seller account on our server.

If you look at our hijacked eBay sellers section, you will find screenshots of hundreds of fake auctions on hijacked eBay seller accounts. They all have one thing in common: a very prominent free email address in the listing, urging the unsuspecting buyer to contact the 'seller' at that free email address.

May 24, 2008

Romanian Hackers : eBay : Vladuz Update

Filed under: Phishing, eBay Hackers, eBay Security, eBay Sex Lies n Videotape — admin @ 12:40 am

About a month ago the news media reported the arrest of Romanian coder and eBay hacker Vladuz, whose real name is Vlad Constantin Duiculescu, a young (20-year-old) high school graduate from Bucharest who illegally accessed the eBay database from 2005 to 2007 and caused $2m in damage to the online sales site.

Just last month, Vladuz was arrested in a joint operation by the Romanian anti-organised crime unit and the Home Intelligence Service.

He told the judge that he hacked the eBay servers because he wanted to be famous, and that he had abandoned school because he had nothing to learn there. It would be nice to get the transcript of what else Vladuz told the judge, since eBay denies any hacking of eBay servers ever occurred. Remember, eBay labeled this incident as "Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts," and here is an eBay spokesperson proclaiming: "He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink — when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"

It's fantastic to hear this hacker kid was arrested; hopefully they will lock him up for a while. It would be interesting to see how eBay claims their security was not breached at all while the hacker brags about accessing eBay systems and servers. It's the cover-up odor that bothers me on this. eBay misleads its customers into a false sense of safety and security.

Some follow-up bits on Vladuz and the eBay hackers from Romania:

So when shopping on eBay, be extra vigilant! As of today the same scammer, phisher and hacker we've been tracking for YEARS is still alive and well, hijacking eBay sellers, uploading fake scam eBay auctions and scamming HUNDREDS of unsuspecting eBay buyers into thinking eBay is a safe place to shop. Seller feedback does not mean anything when the seller has been hijacked!

OK, enough with words, let's lay down some proof. Here are auctions this scammer is running on MANY HIJACKED SELLER ACCOUNTS ON EBAY. These are just the auctions he is running this minute. He is not a very smart hacker if we have been able to find him for years without any special tools. Obviously, he is smart enough to be evading eBay's security army of 2,000 security professionals backed by 5 billion dollars in cash.

The phisher is currently using this line:
NOTICE: Please do not bid if you don’t have the money. I will cancel all bids if you do not contact me first. I have had bad experience with non-paying bidders and I do not want that to repeat. If you are interested and want to know more about this auction then please email me at:
Mitica233@aol.com

  • eBay seller jsti**on54 (Feedback: 100% Positive, Member since Aug-20-03 in United States) hijacked, with a fake auction on DW Drum Collector Series Drums drum set. This fake eBay auction has 14 bidders [[ read as 14 victims of this scammer, who believe they are safe on eBay dealing with a 100% feedback seller; those eBay victim buyers are being misled by eBay into thinking they are safe on eBay ]]
  • The same scammer hijacked another 100% feedback eBay seller, fool4**nkin (Feedback: 100% Positive, Member since May-21-04 in United States), and is currently running a scam fake eBay auction for Roland Electronic Drum Sets -TD20S-BK - V-Pro TD20 Kit which has 19 bids now - read 19 VICTIMS - and on the same hijacked eBay seller account he is also running a fake scam eBay auction for Sean Ryon 16 Ranch Cutting Saddle with an additional 11 BIDS / victims. The strategy is simple: the hacker collects bids from unsuspecting bidders and as soon as the scam auction price reaches a higher value (here is a screenshot of that same auction a few minutes later), he cancels all the bids (screenshot here) so he can attract more victims to this super-bargain listing.
  • And that's not all, there are many more hijacked by him, like this 100% feedback eBay seller karenzita1 (Feedback: 100% Positive, Member since Oct-05-05 in United States) where the eBay scammer uploaded a fake auction on eBay for Roland Fantom X8 with Case; this auction has 15 BIDS ..ehm.. read victims who think eBay is a safe place to shop.
  • Yep, there is more: this scammer has also hijacked seller kigh**oy (Feedback: 100% Positive, Member since Apr-23-99 in United States) and uploaded a scam auction for Canon XL2 BRAND NEW, which currently has only 1 bidder / victim.
  • Another hijacked eBay seller: angi**61 (Feedback: 100% Positive, Member since Nov-17-02 in United States), where this scammer uploaded a fake eBay auction for John Deere 425 Lawn & Garden Tractor.
  • Another 100% eBay seller, ferns**ction (Feedback: 100% Positive, Member since May-02-00 in United States), hijacked with a SCAM fake auction on eBay for Precor EFX576i Elliptical Crosstrainer.
  • Another 100% feedback eBay seller hijacked, dymun**l2k5 (Feedback: 100% Positive, Member since Apr-03-05 in United States), with a scam eBay auction for Bose Lifestyle series 4 Surround System. Note in that screenshot: PAYPAL ACCOUNT REQUIRED TO BID! The scammer will try to hijack bidders' PayPal accounts and most likely is able to accept PayPal payments. PayPal is becoming a favorite payment method of these scammers.

At the moment there are other hackers we could find quickly, using disposable email addresses to lure unsuspecting buyers. Some of the hackers have hijacked PayPal accounts, so Western Union is no longer the only eBay payment method you can get scammed with. Hijacked PayPal accounts have become an important tool for eBay phishers / scammers.

This scammer is currently using the disposable email address rb.biz99@gmail.com and hijacked eBay seller da**ta$2 (433, Changed User ID (less than 30 days), Feedback: 100% Positive, Member since Jun-13-01 in United States) and uploaded a fake scam eBay auction for PRECOR 576i ELLIPTICAL CROSSTRAINER (EXPERIENCE SERIES): note this auction ends in 8 minutes! So much for eBay's Trust and Safety Team of 2000 security professionals removing FAKE auctions quickly.

Yet another scam disposable email address, proclaiming this on another hijacked eBay seller account:

BEFORE YOU BID,CONTACT ME FOR THE BUY NOW PRICE,BECAUSE IT IS VERY LOW!!!
Please email me ONLY at: davidbarr011@gmail.com ! If you really want it !

Here he has hijacked eBay seller neurosoc**lite (Feedback: 100% Positive, Member since Sep-10-03 in United States) and is successfully running a fake eBay scam auction for **NEW** 17′ APPLE MACBOOK PRO 2.4 GHZ 4GB RAM 160 GB HD with 22 bids [[ victims of the false feeling of security on eBay ]]. This auction has been running since yesterday and has certainly collected plenty of victims who will get burned on eBay again.

And last but not least, you can take a look at this 100 % feedback seller marked by a hijacker whose current tag line is :
My Request is to CONTACT me directly to my email address
My personal EMAIL adres is : deangalbin@gmail.com

The poor hijacked eBay seller ri**3 (Feedback: 100% Positive, Member since Jan-03-00 in United States) even noticed his account is hijacked; on this fake auction for BRAND NEW XBOX 360 Elite Console+2 Controllers & Game the hijacked seller posted this 3 days ago:
On May-21-08 at 06:17:35 PDT, seller added the following information:
THIS IS NOT MY ITEM!! Please do not bid!!

Although eBay would like you to believe it is safe to shop there, the evidence suggests otherwise.

May 20, 2008

Warning - eBay Account Hijacks and Scam Auctions

eBay has certainly improved on taking down the fake scam auctions that appear on hijacked eBay seller accounts, duping eBay newbie buyers into thinking they are safe on eBay buying from an established seller with high feedback. However, such auctions are still abundant, so be careful and do not trust eBay. A scammer can upload his scam image directly onto eBay's servers, such as this image uploaded in FEBRUARY of this year, and eBay will gladly host it for the scammer for months after any listing it was uploaded for has expired, so the scammer can reuse it. This scam email address, Qveste@aol.com, belongs to a known eBay account hijacker and scammer. He just hijacked another Powerseller, hs***uid (6144, Feedback score is 5,000 to 9,999, Member since Jan-25-99 in United States), and uploaded a fake eBay scam BOSE Lifestyle 48 Media Center DVD + 10 Bose Speakers auction.

That same scammer with the Qveste@Aol.com email address usually runs many auctions on MANY HIJACKED SELLERS at the same time. Here is another hijacked eBay seller: janet***99 (2249, Feedback score is 1,000 to 4,999, Feedback: 99.0% Positive, Member since Dec-02-99 in United States), and you can see a screenshot of the scam eBay auction for 2 Pioneer CDJ-1000 MK3 CD Players + 1 DJM-800 Mixer on this hijacked seller account with thousands of feedbacks.

This scammer, using the jameswittt@gmail.com email address, hijacked another eBay seller, me***74 (164, Feedback: 100% Positive, Member since Apr-21-03 in United States), and uploaded a scam eBay auction for Roland Fantom X8 Sampling Workstation Keyboard 88 Keys.

May 18, 2008

Warning! PayPal SSL page vulnerability.

Filed under: Blogroll, PayPal, Phishing, Selling on eBay, eBay Censorhip, eBay Security — admin @ 6:11 am

I thought that when CA Security Advisor reported the PayPal XSS page vulnerability in February of this year, PayPal assured the writer this phishing hole was closed. See the full article: PayPal Closes a Phishing Vulnerability, published Feb 17 2008, 10:44 AM by Stefan Berteau. Was that just lip service by PayPal?

A new article by a different researcher shows the same vulnerability in yesterday's report:

A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials.

The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green.

But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with. Sintonen’s code simply caused an Internet Explorer alert window to open with the words “Is it safe?” as evidenced by the screenshot …..

The full article with the screenshot of the vulnerability has been published on ChannelRegister.co.uk: 'Secure' PayPal page is… you guessed it, by Dan Goodin in San Francisco, 16 May 2008 20:57.

PayPal's site is silent about this vulnerability… I guess the "hide your head in the sand" approach, or "if you do not admit to it, it's not there", speaks volumes about how concerned PayPal really is about the safety of their users.

PayPal is no stranger to security vulnerabilities:

May 14, 2008

eBay scam auctions still rampant

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 5:43 am

A quick check this morning finds many eBay sellers and powersellers hijacked and fake auctions uploaded to their accounts:
Like this eBay seller, where the scammer uploaded a bunch of fake auctions, like this scam auction on eBay for Marantz reference series MA9-S2 with a typical scammer's image inviting the unsuspecting eBay victims to email the scammer at a disposable email address, andresler299@gmail.com

Another hijacked eBay seller, a victim of this scammer, advertising a fake auction for Panasonic AG-DVX100B 3-CCD Mini-DV Cinema Video, inviting eBay victims of this scam to email him at a disposable email address, jhatch2@gmail.com

April 21, 2008

eBay fraud and scam auctions continue

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 11:12 pm

We have been tracking this one scammer for years now. He must be one of the real slow learners, because he is so easy to spot and track. According to the scammer's own admission there are hundreds of them on eBay making a living daily. He is just one of the army. We've been tracking this guy since 2005 and he's still scamming like there's no tomorrow. Just now he has uploaded over 2500 FAKE SCAM AUCTIONS on a single hijacked eBay seller account - notice on that linked screenshot, the number of scam auctions is just 1178 high-end scam auctions. By the time we took inventory of the listings, the total number of auctions this eBay scammer had uploaded was 2663 scam auctions on a single hijacked seller account. They are the typical "email me at my gmail/aol/hotmail/msn disposable email address for a buy it now (off eBay) deal of a lifetime" listings. Here is a screenshot of one of the 2663 scam eBay auctions this scammer uploaded on that poor hijacked seller's account tonight.

One of his many disposable email addresses is biz.kastor@gmail.com, with a history of hijacking other accounts on eBay and tracked by others. But wait, that's not this scammer's only email address; he operates with many, after all he is a professional eBay scammer and makes a decent living even by US standards doing this. He is also known as trevor023@gmail.com, with a full-blown photo album to facilitate his eBay scams, and a quick check on eBay located 2 different sellers hijacked with this scammer's email address published: hijacked seller stein**** with a fake eBay Roland Phantom X8 with case scam auction, and the same hijacker breaking into the account of an eBay seller in Australia with a scam auction for 2 Pioneer CDJ-1000 MK3 CD Players with contact email address trevor023@gmail.com, and another seller in the US hijacked by the same scammer trevor023@gmail.com with the same 2 Pioneer CDJ-1000 MK3 CD Player - SCAM-O-RAMA on eBay.

These auctions have been running for a while, see the link - this is a 5 day auction with 5 hours to go… so much for eBay taking these scam auctions down quickly….. and these auctions have plenty of victims (aka newbie buyers on eBay). By coincidence or by design another seller was hijacked in France with an item from this seller's repertoire: this eBay auction title says in French LISTING NOT VALID - IDENTITY HIJACKED and the auction advertises email address gigi_pizdulici99@yahoo.com.

The current list of items of this eBay hacker / scammer / phisher is quite extensive; we are going to publish it here, so in case you are shopping for one of these items, please be extra cautious.

Here is a list of items this scammer is currently uploading daily to several hijacked eBay seller accounts

The perplexing question is: if we can find and track this eBay scammer on eBay so easily and consistently, without any resources or privileged security tools, why does a multi-billion-dollar company (eBay) not care enough to squash this scammer? Do they not care about the safety of eBay customers? Or are there just too many eBay scammers, and the fraud so widespread on eBay, that eBay's team of over 2000 fraud prevention staff just cannot keep up?

April 17, 2008

Vladuz arrested?

Filed under: EBAY stock, Hijacked Sellers, Phishing, eBay Hackers — admin @ 8:42 pm

This just hot off the press:

eBay Applauds Romanian and U.S. Law Enforcement for Arrest of Alleged Cyber-criminal, Vladuz.

Another kudos to eBay. I hope it is true and not just another PR stunt by eBay in the wake of its share price decline that followed eBay's Q1 earnings statement today.

But back to this exciting news… remember Vladuz? He was the Romanian hacker who hacked thousands of eBay seller accounts and injected ongoing legitimate auctions with his "zudalv" (Vladuz spelled backwards) signature, just to prove to his audience, whoever they may have been, that he CAN hack eBay, and to further sales of his eBay scamming warez to fellow eBay scammers less proficient in phish coding.

A good snapshot of Vladuz articles in the news over the past year can be found in The Register by Dan Goodin. You can read related articles on the bottom of that linked page.

It will be interesting to watch whether further news on Vladuz's background, details of his arrest and some trial tidbits resurface. Perhaps we can get confirmation of some of our own theories.

Apparently the original articles (in Romanian) about the capture of Vlad were published early this morning, one of them by Antena3, and according to bits of info gathered from the article, Vladuz's real name is Vlad Constantin Duiculescu. Trying to translate this article on the basis of several other languages I speak, my rough translation would be that they report this 20 year old hacker specialized in creating phishing programs to extract eBay users' logins, passwords, PINs and credit card numbers, and was the head of an outfit that made $2,000,000 in the period from 2005 through 2007. He was finally apprehended this morning, and while law enforcement entered his building, he managed to throw 3 laptops out of his window in an effort to destroy any evidence on those hard drives. —disclaimer— I do not speak Romanian, I only speak Italian, Spanish, Russian, Czech and English, and this translation may be completely off base — end of disclaimer —

This article (also in Romanian) in Gardianul appears to offer quite detailed information on the activities of this Vlad character.

Anyone with Romanian language skills? If you can provide a translation of this article please post it into comments here - any interesting bits and pieces of info are appreciated. Thank you!

Update 4-19-2008: We have a translation of the articles under the comments area of this section. As more news details become available we will update this section.

Here is a Vladuz arrest video from TVR (Romanian TV)

Here is a police video from Vladuz's apartment

Here is another police video on Vladuz from Romanian Antena3 TV

April 14, 2008

A Message from John Canfield – eBay Security News

Filed under: Hijacked Sellers, Phishing, Selling on eBay, eBay Security — admin @ 3:30 pm

Finally a step in the right direction! eBay appears to be catching up with the 20th Century - kudos anyway. Today's announcement is truly music to our ears:

April 14, 2008 | 11:45AM PST/PT

John Canfield
Hello…I'm John Canfield, Senior Director for Trust & Safety policy management. My team specializes in working to keep the site safe and protected against fraud. Much of the company's work around safety happens behind the scenes, but some of our efforts are also public-facing. Masking and protecting our Community's identities on all bidder IDs on auction-style listings, the PayPal Security Key, our work with Yahoo and other domains to block email from unauthenticated addresses, and encouraging safer payments – each of these addresses a particular aspect of security and is making a dramatic difference in the overall security and safety of the marketplace and consumers' confidence in shopping online. Our technologies – those that exist today, as well as those that we are designing for tomorrow – are helping to make the internet safer every day.
I’d like to tell you about a new safety initiative that launches on April 14th.

Trusted Selling with Identity Confirmation
One of the ways criminals attempt to defraud people on eBay is by gaining access to member accounts with well-established reputations which they then use to set up listings in that person’s name. They gain this access often through a phishing email that convinces an unsuspecting member to click a link and enter their User ID and password.

To protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.

If you are a seller, and you attempt to list an item from a different computer – for example, from a PC you are borrowing in a hotel or library – eBay will make an automated call to the phone number you have registered with us to confirm it is really you. We may also prompt you to verify your identity in other ways.

Initially, this identity confirmation process will only be applied to selling, although we may be extending this to other high-visibility activity in the future.

Sellers, please update your registered phone numbers
Now more than ever, having a current phone number on file with eBay is vital to the safety of the Community and to your business. A wrong or outdated phone number may delay your ability to list items or respond to your customers, if eBay cannot verify your identity.

Have a cell phone? Registering it could save you time and money
If you carry a mobile phone, we encourage you to add this number as a secondary phone number in your registration details, so that we can reach you when you are away from your business or residence where you normally use your trusted computer.

source: http://www2.ebay.com/aw/core/200804.shtml#2008-04-14114255

I just have one question for John:

Knowing this is in place, won't the scammers/hijackers first change the phone number on record, then wait a day or so, then list… so the phone authentication would end up in the lap of the hijacker?

… or does a phone number change from a DIFFERENT-than-usual computer also trigger phone or additional verification? … I hope some multi-level logic exists on this.
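One way the multi-level logic asked for above could look, as an added example written for this post rather than anything eBay has published: a listing from an unknown computer triggers the registered-phone call as announced, a phone-number change from an unknown computer is challenged on the old number before it is accepted, and a listing attempted within a cooling-off window after any phone change is confirmed on the previous number instead of the new one. The device ids, phone numbers and the seven-day window are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy: a freshly changed number is not trusted for a week.
PHONE_CHANGE_COOLDOWN = timedelta(days=7)


@dataclass
class SellerAccount:
    trusted_devices: set = field(default_factory=set)  # device ids seen on past legitimate activity
    phone: str = ""                                   # number eBay would call
    previous_phone: str = ""                          # number on file before the last change
    phone_changed_at: Optional[datetime] = None


def change_phone(account, device_id, new_phone, now):
    """Accept a phone change only from a trusted device; otherwise challenge on the OLD number."""
    if device_id not in account.trusted_devices:
        # The old number is the one the legitimate owner controls, so confirm there first.
        return "challenge_old_phone"
    account.previous_phone, account.phone = account.phone, new_phone
    account.phone_changed_at = now
    return "changed"


def listing_decision(account, device_id, now):
    """Decide what must happen before a listing from this device goes live."""
    if device_id in account.trusted_devices:
        return "allow"
    changed_recently = (account.phone_changed_at is not None
                        and now - account.phone_changed_at < PHONE_CHANGE_COOLDOWN)
    if changed_recently:
        # The number on file might be a hijacker's; call the number that was there before.
        return "call_previous_phone"
    return "call_registered_phone"


def trust_device(account, device_id):
    """Record a device after a verification call succeeded."""
    account.trusted_devices.add(device_id)


def hijack_scenario():
    """Replay the sequence from the question above and return each decision."""
    now = datetime(2008, 4, 14)
    owner = SellerAccount(trusted_devices={"home-pc"}, phone="+1-555-0100")  # constructed values
    steps = []
    # 1. Hijacker with a phished password, on an unknown machine, swaps the phone number.
    steps.append(change_phone(owner, "cafe-pc", "+1-555-0199", now))
    # 2. ...then waits a day and lists an item from that same machine.
    steps.append(listing_decision(owner, "cafe-pc", now + timedelta(days=1)))
    # 3. The legitimate owner changes the number from the trusted machine...
    steps.append(change_phone(owner, "home-pc", "+1-555-0150", now))
    # 4. ...and an unknown machine lists during the cooling-off window.
    steps.append(listing_decision(owner, "cafe-pc", now + timedelta(days=1)))
    # 5. The same unknown machine after the window has passed.
    steps.append(listing_decision(owner, "cafe-pc", now + timedelta(days=8)))
    return steps


if __name__ == "__main__":
    print(hijack_scenario())
```

The point of the cooling-off branch is that a number change must never be allowed to redirect the very check that is supposed to catch the hijacker; the previous number stays the anchor until the change has aged.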

Update 4-19-2008: My question and a few others were answered here: eBay Chatter
This change could not come fast enough; hopefully our steady Romanian hacker will then be stopped from hijacking eBay seller accounts daily and publishing fake auctions, just as he has hijacked another eBay seller right now and is publishing those typical high-end scam auctions on eBay as we write this.

April 10, 2008

Another day - another scam fest - on eBay

Filed under: Hijacked Sellers, Phishing, eBay Security — admin @ 5:06 am

These past few days our real-life projects took us away from the time usually needed to monitor eBay fraud auctions, hence the silence.

A spot check this morning shows we have the usual scammers running circles around eBay.

Another day on eBay…
…another (few hundred) eBay powersellers hijacked
…another few thousand fake auctions by professional eBay scammers who are so amateurish that even we can find them with minimal tools, like an RSS feed that picks up the usual scam phrases, scam items, scammers' email addresses, etc.
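The RSS-feed trick mentioned above, and the email-address-in-a-picture problem raised in the June 25 post, can both be made concrete. The following script is an added example, not code from this blog or from eBay: it scans a constructed RSS feed of listings, flags descriptions that carry a free-mail address or one of the scam phrases quoted on this page, and also flags descriptions that consist of a single image with almost no readable text, which is the "email address pasted into a JPG" trick that a plain text filter cannot see. The feed items, the webmail domain list and the phrase list are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET

# Webmail domains that the hijack scams on this page keep using (assumed list).
FREE_MAIL_DOMAINS = {"gmail.com", "aol.com", "hotmail.com", "msn.com", "yahoo.com"}

# Phrases taken from the scammer tag lines quoted on this page.
SCAM_PHRASES = [
    r"contact me (?:first|before you bid|directly)",
    r"e-?mail me (?:only )?at",
    r"buy (?:it )?now price",
    r"paypal account required to bid",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TAG_RE = re.compile(r"<[^>]+>")
IMG_RE = re.compile(r"<img\b", re.IGNORECASE)
IMAGE_ONLY_REASON = "image-only description (text filter cannot read it)"


def extract_emails(text):
    """Return every email address in the text, lower-cased."""
    return [m.lower() for m in EMAIL_RE.findall(text)]


def is_free_mail(address):
    """True when the address belongs to a throwaway webmail provider."""
    return address.rsplit("@", 1)[-1] in FREE_MAIL_DOMAINS


def score_listing(description):
    """List the reasons a listing description looks like a hijacked-account scam."""
    reasons = []
    for addr in extract_emails(description):
        if is_free_mail(addr):
            reasons.append("free-mail address in listing: " + addr)
    for pattern in SCAM_PHRASES:
        if re.search(pattern, description, re.IGNORECASE):
            reasons.append("scam phrase: " + pattern)
    # The email-in-a-JPG trick: an <img> and almost no readable text around it.
    visible_text = TAG_RE.sub("", description).strip()
    if IMG_RE.search(description) and len(visible_text) < 40:
        reasons.append(IMAGE_ONLY_REASON)
    return reasons


def scan_feed(xml_text):
    """Scan an RSS 2.0 feed and return [(title, reasons)] for suspicious items only."""
    root = ET.fromstring(xml_text)
    flagged = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        reasons = score_listing(item.findtext("description", default=""))
        if reasons:
            flagged.append((title, reasons))
    return flagged


# Constructed feed: one classic scam listing, one image-only listing, one clean listing.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>Roland Fantom X8 with Case</title>
<description>NOTICE: Please do not bid if you don't have the money. I will cancel all bids
if you do not contact me first. Email me at: example.scammer@aol.com</description></item>
<item><title>Canon 600mm f/4 IS L</title>
<description>&lt;img src="http://example.invalid/listing.jpg"&gt;</description></item>
<item><title>Used lawn mower</title>
<description>Runs well, pickup only. Use the Contact the Seller button with questions.</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, reasons in scan_feed(SAMPLE_FEED):
        print(title)
        for reason in reasons:
            print("   -", reason)
```

The image-only check is deliberately crude (any `<img>` with fewer than 40 characters of surrounding text); in a real feed it produces review candidates, not verdicts, which is exactly the kind of signal a platform could route to a human before the listing goes live.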

Here is the latest eBay powerseller with almost 1000 feedbacks, a nice lingerie store, being hacked right now with the usual assortment of fake auctions.

This eBay scammer’s latest signature tag line is:
As i take this auction very seriously i want to speak personally with every interested buyer who’s ready to make the deal of the year. I will sell it only to a serious person,just after i’ll talk with him via e-mail. Questions about condition,more pics, shipping; Contact me at :
Markosshopp@aol.com

Here is this eBay scammer's and other scammers' list of fake eBay auction items they love to offer to their eBay victims at fabulous once-in-a-lifetime deal prices.

One has to ponder:

  • If we can find those scammers so easily with zero access to anything proprietary, just public RSS tools, why the heck is eBay not finding them and preventing them from fleecing unsuspecting buyers?
  • eBay boasts 5 billion dollars in surplus cash: why won't eBay invest a teeny tiny minute fraction of it into improving security on their site?
  • When questioned about the ongoing security issues, where massive numbers of user logins and passwords are already compromised and in the hands of hackers, resulting in vast numbers of fake auctions on eBay, eBay always claims that's not a problem. Why? What does eBay have to gain by letting fraud run rampant on its site?

April 2, 2008

How many eBay accounts are hijacked?

Filed under: Hijacked Sellers, Phishing, eBay Security — admin @ 7:10 am

It's in the hundreds of thousands. Monitoring this single eBay hijacker, just spot checking every so often, we always find him hijacking one or more eBay accounts…. it seems as though the hijacker has an unlimited supply of accounts. The same hijacker who had 4 eBay seller accounts hijacked a couple of days ago is currently uploading the scam auctions to the PowerSeller account alliedweighing (260 feedback score); here is a screenshot of the usual scam auctions on eBay this hijacker uploads to compromised seller accounts:

hijacked powerseller alliedweighing by jnestoc@aol.com on eBay

Pioneer CDJ-1000 MK3 CD Players & 1 DJM-800 Mixer:: fake auction on eBay

appearing this minute on hijacked powerseller alliedweighing; and here is a screenshot of the scammer's auction, asking eBay buyers to contact him at a freshly baked free email address:

Scammer’s signature line on each fake auction —>Please contact me before you bid for buy it now and the rest of the transaction details: jnestoc@aol.com

The hijacked Powerseller alliedweighing is not one of the thousands of hijacked eBay accounts on the list published earlier by another blogger a few days ago, so these hijacked eBay accounts must come from yet another multitude of stashes of compromised eBay logins and passwords.

March 17, 2008

Hacked eBay login/pass databases : are you there?

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 7:49 am

This blogger published a list of thousands of compromised eBay user logins and passwords that was found online for anyone to see. Go to their blog and you can check whether your eBay login has been hacked. To find the database with hacked logins, just scroll down in the list of posts, find the March 15th posts and jump into the sections that present groups of compromised eBay IDs alphabetically.

We have saved the complete list, so if iBay manages to threaten the blog owner into deleting those pages we can republish it so the victims of UNSAFE eBay can protect themselves. Shame on eBay.

March 13, 2008

eBay refuses to remove flash vulnerability from its site

Filed under: Phishing, eBay Hackers, eBay Scams in the News, eBay Security — admin @ 8:10 am

According to a Spiegel article from yesterday, translated by Google:

eBay is aware that professional hackers are harvesting your eBay user information, including your eBay username, password, bank info, partial credit card number and expiration date as well as your secret question. eBay has been made aware of this issue by one of its users, faller-internet.de, who describes the eBay Flash XSS vulnerability in detail here.

Each logged-in eBay member on whose computer the Flash plugin is installed, and who has allowed JavaScript, can become a victim of this security vulnerability. The test showed that data scripting is possible completely unrecognized by the victim. And so the view into the personal sphere of „My eBay” works:
The criminal lists a rather prominent item on eBay, with a specially prepared Flash animation embedded into the item description. If a logged-in user visits this page, his browser loads the malicious code of the scammer. This contains JavaScript which sends the eBay cookies of the user to the criminal. This import of external code has been known for years as Cross Site Scripting (XSS).
As the Flash file is executed only on the computer of the victim user, eBay is unable to check the listing for prohibited JavaScript executables. eBay members can protect themselves by generally disabling JavaScript in their browser; however, in that case the use of normal eBay pages is heavily affected, as important functions will not work without JavaScript.
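Since eBay cannot inspect what a Flash file will do once it runs in the buyer's browser, the defensive options are to keep active content out of listing descriptions altogether and to keep the session cookie out of script's reach. The following Python code is an added illustration, not eBay's or faller-internet.de's code: a listing sanitizer that removes object/embed/applet/script/iframe elements and on*/javascript: attributes from a constructed description, and a helper that builds a Set-Cookie header with the HttpOnly and Secure flags, which blocks the cookie-forwarding step described above even if a script does execute. The sample listing and URLs are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements whose whole content is discarded (they run code or load a foreign document).
DROP_WITH_CONTENT = {"script", "object", "applet", "iframe"}
# Void elements that load plugin content; the tag itself is dropped.
DROP_TAG_ONLY = {"embed", "param"}
URL_ATTRS = {"href", "src", "data"}


class ListingSanitizer(HTMLParser):
    """Re-emit listing HTML without active content or scripting attributes."""

    def __init__(self):
        super().__init__()
        self.out = []          # sanitized HTML fragments
        self.dropped = []      # audit trail of what was removed
        self.skip_depth = 0    # > 0 while inside a discarded element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1    # nested object inside a dropped object
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self.skip_depth = 1
            return
        if tag in DROP_TAG_ONLY:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            value = value or ""
            if lname.startswith("on"):                       # onload=, onclick=, ...
                self.dropped.append(f"{tag}@{lname}")
                continue
            if lname in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.dropped.append(f"{tag}@{lname}")
                continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <img ... /> is emitted as <img ...>

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in DROP_TAG_ONLY:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_listing(html_text):
    """Return (clean_html, dropped_items) for a seller-supplied description."""
    parser = ListingSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


def session_cookie_header(name, value):
    """Set-Cookie value that keeps the session token away from page scripts."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


# Constructed listing: a Flash object, a scripted image attribute and a javascript: link.
SAMPLE_LISTING = (
    '<p>Roland Fantom X8, <b>mint</b>.</p>'
    '<object data="http://example.invalid/evil.swf">'
    '<param name="allowScriptAccess" value="always">'
    '<embed src="http://example.invalid/evil.swf"></object>'
    '<img src="http://example.invalid/photo.jpg" onload="alert(1)">'
    '<a href="javascript:void(0)">details</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    print("dropped:", dropped)
    print(session_cookie_header("session", "example-token"))
```

The sanitizer works as an allow-what-is-left rewriter rather than a blacklist regex: every element is re-serialized from parsed attributes, so an attacker cannot slip a tag past it with odd spacing or casing, and the `dropped` list gives reviewers a record of what a seller tried to embed.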

Here are the screenshots from Spiegel when a Spiegel employee went to eBay:

This is how your private and financial information gets extracted by hackers by simply accessing some auctions on eBay.

1. eBay Home: A SPIEGEL ONLINE employee logs in with his eBay account, then continues (eBay Flash hack p1)
2. … to the auction page prepared for the demonstration of the vulnerability. Here a Flash element from an external server is embedded - not recognizable with the naked eye, this Flash element extracts your private information. This embedded Flash element … (eBay Flash hack p2)
3. … reads the personal data of the user logged into eBay; worse yet, it tries to pass this user data via this vulnerability to a real-looking login dialog page on the hackers' server. (eBay Flash hack p3)
4. … It ceases only when the page information is retrieved: whatever the user enters into the fake eBay login form, it then sends the login info to an external (hacker's) server. There could … (eBay Flash hack p4)
5. … Cyber-crooks extract data from the visitors browsing the auction site and manage bidders: the eBay login name and password of bidders and all visitors (even visitors to the auction site who have not bid, but were logged in!), the e-mail address, the list of search favourites, the address and the name of the subject - the ideal material for perfect phishing emails… Look at the screenshot: it offers a glimpse of your login, password, eBay secret question, banking and credit card info. (eBay Flash hack p5)

eBay spokeswoman Maike Fuest was quoted in the Spiegel article: "It is possible for active content such as Flash and JavaScript in auction descriptions to contain malicious content." …
eBay allows sellers only limited active Flash content. Why then does eBay permit such dangerous content in its auctions and listings?

Fuest: "That would contradict eBay culture. We want our vendors to have a certain creative freedom in the design of their auctions." "eBay uses a different way to reduce the risk of malicious content in active listings. Since September 2005, only some especially active, trusted members are allowed this content in their item descriptions."

It appears that user security comes second to profit on eBay. Although eBay has been aware of this vulnerability on its own site for months, its spokespeople reiterate management's position that giving vendors the freedom to publish razzle-dazzle Flash auctions matters more than the few thousand (or tens of thousands?) of user logins, confidential financial details and credentials being phished by cyber criminals directly from listings on eBay's own site. This is a clear example of eBay placing its own profits over user safety. eBay knowingly allows phishing attacks by eBay hackers directly in its own auction listings. eBay users' credentials are handed to the hackers so that vendors' auctions can look flashier and eBay can collect more fees on sold items.

REFERENCES:

March 10, 2008

eBay warns of Romanian phishing threat - ZDNet Asia

Filed under: Phishing — admin @ 10:15 pm
Online auction site eBay has hit out at the lack of interest in cybercrime enforcement in countries including Romania, warning that not enough is being done to stop fraudsters targeting auction sites.

Along with Romania, China and Russia were also pinpointed as the source of the majority of phishing e-mail messages targeting eBay users for personal and account details.

Mark Lee, trust and safety manager for eBay U.K., blamed the fact there was “no fear of real punishment” in the countries and highlighted the particular scale of the problem in Romania.

He said: “These attacks are definitely organized. There are towns in Romania where the entire focus is on sites like eBay as the main source of income.”

Last June eBay revealed details of a three-year-long campaign to curb online fraud by criminals in Romania, leading to several hundred arrests.

Why not make a Security Key mandatory for any seller who wants to run more than two listings at the same time? We have said this over and over again. If sellers of multiple items had to use the equivalent of the PayPal Security Key to post multiple auctions, the hackers who hijack seller accounts could not abuse a hijacked account beyond posting one or two auctions without the security key.
More info on the Security Key here

Let’s meet a Romanian Scammer

May 7, 2007

Need a Phishing site? eBay will let you phish directly off their pages

Filed under: Phishing — admin @ 5:53 pm

eBay Porn Redirect Scams
This is a must read: go to ebaymotorssucks.com and take a look at a long-known issue, nothing new, just an ongoing cancer eBay refuses to fix on its site: It's Monday Night, 05/07/2007, And The eBay Whores Are Back!