March 13, 2008

eBay refuses to remove Flash vulnerability from its site

Filed under: Phishing, eBay Hackers, eBay Scams in the News, eBay Security — admin @ 8:10 am

According to a Spiegel article from yesterday, translated by Google:

eBay is aware that professional hackers are harvesting your eBay user information, including your eBay username, password, bank info, partial credit card number and expiration date, as well as your secret question. eBay has been made aware of this issue by one of its users, faller-internet.de, who describes the eBay Flash XSS vulnerability in detail here:

Each logged-in eBay member on whose computer the Flash plugin is installed, and who has allowed JavaScript, can become a victim of this security vulnerability. The test showed that data scripting is possible completely unrecognized by the victim. And so the view into the personal sphere of “My eBay” works:
The criminal lists a rather prominent item on eBay, with a specially prepared Flash animation embedded into the item description. If a logged-in user visits this page, his browser loads the malicious code of the scammer. This contains JavaScript which sends the eBay cookies of the user to the criminal. This import of external code has been known for years as Cross Site Scripting (XSS).
As the Flash file is executed only on the computer of the victim user, eBay is unable to check the listing for prohibited JavaScript executables. eBay members can protect themselves by generally disabling JavaScript in their browser; however, in that case the use of normal eBay pages is heavily influenced, and important functions will not work without JavaScript.

Here are the screenshots from Spiegel, taken when a Spiegel employee went to eBay:

This is how hackers extract your private and financial information when you simply access some auctions on eBay:

1. eBay Home: A SPIEGEL ONLINE employee logs in with his eBay account, then continues
2. … For the demonstration of the vulnerability of prepared Auction Site eBay. Here is a Flash element of an external server embedded - not recognizable with the naked eye, this Flash element extracts your private information. This element is embedded Flash …
3. … Reads personal data of the user logged into eBay, worse yet: It tries to pass on this user data via this vulnerability to a real-looking page login dialog on the hackers’ server.
4. … It ceases only when the page information is retrieved: Whatever it enters the login credentials into the fake eBay login form, it then sends the login info to an external (hacker’s) server. There could …
5. … Cyber-crooks extract data from the visitors browsing its auction site and manage bidders: eBay login name and password of bidders and all (even visitors to the auction site, who have not bid, but were logged!) The e-mail address, list of search favourites, the address and the name of the subject - the ideal material for perfect phishing emails to use… Look at the screenshot: it offers a glimpse of your login, password, eBay secret question, banking and credit card info.

eBay spokeswoman Maike Fuest was quoted in the Spiegel article: “It is possible, on active content such as Flash and Javascript in auction descriptions to have a malicious content.” …

EBay allows sellers only a limited active flash content

Why then does eBay permit such dangerous content in its auctions and listings?

Fuest: “That would contradict eBay culture. We want our vendors to have a certain creative freedom in the design of their auctions.” “EBay uses a different way to reduce the risk of malicious content in active listings. Since September 2005, only some, especially those active trusted members are allowed this content in their item descriptions.”

It appears that user security is second to profiteering on eBay. Although eBay has been aware of this vulnerability on their own site for months now, eBay spokespeople reiterate eBay’s management position that giving a vendor the freedom to publish a razzle-dazzle Flash auction is more important than a few thousand (or tens of thousands?) of user logins, confidential financial information and credentials being phished out by cyber criminals directly on the eBay site in its listings. This is a clear example of eBay placing its own profits over user safety. eBay knowingly allows phishing attacks by eBay hackers directly on their own auction listings. eBay users’ credentials are being offered by eBay to the hackers so eBay’s vendor auctions will look flashier so eBay can collect more fees for sold items.
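The embed described in the report (a Flash element from an external server, invisible to the visitor, able to script the page) can be flagged from the listing markup at submission time. The following is an added example, not code from this post, Spiegel or eBay: `TRUSTED_HOSTS`, the `.example` hostnames and the sample description are assumptions constructed here, and the check inspects only the embedding HTML, not the SWF itself.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host the marketplace serves listing media from.
TRUSTED_HOSTS = {"pics.marketplace.example"}
EMBED_TAGS = {"object", "embed", "script", "iframe"}

# Constructed sample item description (not taken from a real listing).
SAMPLE = """<p>Rare collectible, mint condition.</p>
<img src="http://pics.marketplace.example/item1.jpg">
<embed src="http://media.seller.example/banner.swf" width="1" height="1"
       allowScriptAccess="always" type="application/x-shockwave-flash">
<object data="http://pics.marketplace.example/gallery.swf">
  <param name="allowScriptAccess" value="never">
</object>"""

class ActiveContentScanner(HTMLParser):
    """Records active-content findings as (line, tag, reason) tuples."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def _flag(self, tag, reason):
        self.findings.append((self.getpos()[0], tag, reason))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "param":  # <object> children carry the same settings
            a = {a.get("name", "").lower(): a.get("value", "")}
            if "movie" in a:
                a["src"] = a["movie"]
        elif tag not in EMBED_TAGS:
            return
        url = a.get("src") or a.get("data") or ""
        host = urlparse(url).hostname
        if host and host not in TRUSTED_HOSTS:
            self._flag(tag, f"external host {host}")
        # "always" lets a SWF from any origin call JavaScript in the page.
        if a.get("allowscriptaccess", "").lower() == "always":
            self._flag(tag, "allowScriptAccess=always")
        # A 0x0 or 1x1 element is invisible to the visitor.
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self._flag(tag, "invisible embed")

def scan_listing(html):
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Running `scan_listing(SAMPLE)` reports three findings for the `<embed>` and none for the `<object>` served from the trusted host with script access disabled.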
