Sunday, October 22, 2006

ebaY Motors Hijacked

22 Oct 2006

CORRECTION 7 NOVEMBER 2006
After more research we have found that being logged in to ebaY is not what allows the scammer to tap into your ebaY account information. Though the redirect comes directly from ebaY, once you try to purchase the item you get a screen asking you to log in again, even though you were already logged in to ebaY. This second log-in is actually on the scammer's site, and by logging in you are giving the scammer all the information needed to access everything on your ebaY account that you can access.

We have also found that even ebaY's own image service is being used by the scammers to execute the redirect.

On the 4th of October 2006 a buyer who had been scammed on ebaY Motors using a second chance offer, and who had previously reported the scam to ebaY, was told that ebaY was not responsible; quoth the email, "Please keep in mind that we do include information on the messages sent through our system as well as on our site that state items should not be purchased outside of the eBay platform and should not be paid for using Western Union." The problem is that, as far as the buyer knew, the purchase WAS made on the ebaY platform: by going to ebaY through the buyer's normal links - NOT an email link - logging on to ebaY - NOT a third party site - and clicking on the second chance offer on ebaY's listing page. When the page opened, the buyer clicked Buy It Now, his personal information was populated into a confirm shipping address page with his name and address from ebaY's servers, and when he got to the Pay Now page he was given the option of Western Union Wire Transfer, which (unfortunately) he used.

Now all of you who read TAGnotes and visit our website know that it is never safe to pay a stranger for a purchase with WU, but not everyone knows that. What ebaY has always told users is that as long as you come to ebaY directly, and log in to ebaY directly, and complete the sale on ebaY, you are safe. This is no longer true. This buyer did come to ebaY and log in to ebaY, but due to a security hole the size of Niagara Falls in ebaY's coding, was automatically redirected from the ebaY link he clicked on, to a third party scam site, where he was robbed of his money. This redirect happened so fast he never saw it happen.

ebaY has known about this problem at least since 4 October, and of course posted no warnings about it, much less fixed it. On 22 October, an associate of the subscriber who informed TAG of this scam was able to use the same process and "buy" a fake vehicle from a scammer still using the same security hole. The buyer searched ebaY, found an item, clicked on the ebaY search result link, was taken to a page that looked identical to an ebaY listing, used Buy It Now, had their personal information populated automatically into a confirm address section, and was taken to a Pay Now screen. To check that the personal information populated into the form came from the ebaY site, they first changed some of the personal information in their ebaY account to fake info; the form then populated with the fake info from ebaY, the only place in the world that info existed.

From what we have been told (but not witnessed) this redirect scam is also being used for second chance offers. The buyer follows ebaY's rule of going directly to the ebaY site to respond to a second chance offer, not using a link in an email, logs into ebaY, goes to the second chance offer, and is redirected to a scam site where their money is stolen. The implication here is that My ebaY is also compromised, but we have not seen actual evidence of this yet, though it is also possible that the second chance offer message is only appearing on the closed View Item page.

Needless to say, all the accounts used were hijacked accounts, and ebaY's claim that these accounts are hijacked using information gained via external phishing scams is getting very old and less believable all the time. TAG has always said that ebaY must be considered the prime suspect as the source of the buyer email addresses, so that the buyer can be contacted by the second chance scammer on items the buyer bid on but for which they did not have the high bid. In light of this major security breach, TAG wonders if any information is secure on ebaY.

Right now we have only seen this redirect happening in ebaY Motors, but that does not mean it is not happening on other parts of ebaY. TAG has observed at least 3 variations of this scam, making it likely that the scammer/hackers who figured this out shared the information with other scammers. We are sure to see more and more of this unless ebaY manages to plug this security breach.

One Tech Guru theorized that this might have been caused by ebaY's band-aid fix for their broken search issues. ebaY search is broken, and to "fix" it ebaY is using a javascript redirect from the broken search result (bad) to a usable search result (good). Unfortunately this might be the open door that takes a buyer from a legitimate search result (good) to a scammer's redirect page (bad) using the same javascript code ebaY has bandaged and patched their problems with.

TAG feels ebaY should be responsible for reimbursing every buyer who lost money to these scams, since these items were found and reached through legitimate ebaY links, directly from the ebaY site. TAG also recommends that NO purchases be made on ebaY Motors until this huge security gap is fixed. As a temporary workaround, TAG further recommends that all users turn off/disable javascript in their browser settings for all of ebaY.Com.

The following images are from an item we found on ebaY today.
The first shows the listing from ebaY's search result.
The second shows the item listed on the seller's ebaY item list.
The third shows the URL reached when clicking on the link from ebaY's search result page, with the item appearing on the ebaY site.
The fourth shows the URL now redirected to the scammer's site.


Much information and assistance with this article came from The Folks at:
EBAY MOTORS SUCKS

And from other TAG subscribers and Gurus
Our thanks to all at Margaritaville for their invaluable assistance and advice.

2 comments:

Anonymous said...

FYI - this has been going on for quite some time and in every category on ebay. There have been posts on the Discussion Boards since earlier this year, and every single time a particular scam/auction is 'outed', they (ebay) take it down.

Therefore, they DO know about them, but they also fail to do anything long-term about such scams. Many scams use simple HTML JS coding (onload) that could be screened out when the listing is uploaded. ebay fails to do this.

They already screen for certain words - try listing a SHIRT and leave out the 'R'. The listing will not make it onto ebay. They could do the same for the simple JS coding - there is no legitimate reason for such coding - but they again FAIL to do anything.

Look here for examples of these re-directs, going back to March of this year:

http://forums.ebay.com/db2/thread.jspa?messageID=2001433707

http://forums.ebay.com/db2/thread.jspa?messageID=1004979197

There's plenty more, but this suffices.

The current scams are using a more sophisticated coding technique - the use of Flash and Embed commands. Legitimate uses of such coding allow for fancier-looking listings, but ebay *should* simply disallow them and start screening that coding out of uploaded listings. They should, but prolly don't care enough to do it.

tag said...

For some weird reason, comments posted to this blog are not showing up. We received this comment, so we are reposting it here -
-----------
FYI - this has been going on for quite some time and in every category on ebay. There have been posts on the Discussion Boards since earlier this year, and every single time a particular scam/auction is 'outed', they (ebay) take it down.

Therefore, they DO know about them, but they also fail to do anything long-term about such scams. Many scams use simple HTML JS coding (onload) that could be screened out when the listing is uploaded. ebay fails to do this.

They already screen for certain words - try listing a SHIRT and leave out the 'R'. The listing will not make it onto ebay. They could do the same for the simple JS coding - there is no legitimate reason for such coding - but they again FAIL to do anything.

Look here for examples of these re-directs, going back to March of this year:

http://forums.ebay.com/db2/thread.jspa?messageID=2001433707

http://forums.ebay.com/db2/thread.jspa?messageID=1004979197

There's plenty more, but this suffices.

The current scams are using a more sophisticated coding technique - the use of Flash and Embed commands. Legitimate uses of such coding allow for fancier-looking listings, but ebay *should* simply disallow them and start screening that coding out of uploaded listings. They should, but prolly don't care enough to do it.
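The screening the commenter proposes (rejecting onload handlers, Flash/Embed and similar active content when a listing is uploaded) and the javascript redirect the post itself describes can be checked for with a small scanner over the listing markup. This is an added example, not code from TAG, eBay or the commenter; the listing snippets are constructed, the scam URL is a placeholder, and only Python's standard library is used.

```python
"""Flag active content in listing HTML that could redirect a buyer off-site.

Added example, not eBay's or TAG's code. It looks for the constructs named in
the post and comments: script blocks, on* event handlers such as onload,
Flash/embed/object/iframe tags, meta-refresh redirects and javascript: URLs.
A marketplace could reject such a listing at upload time.
"""
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "embed", "object", "iframe", "applet"}
URL_ATTRS = {"href", "src", "action", "data"}


class ActiveContentScanner(HTMLParser):
    """Collect (tag, reason) findings in document order while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values may be None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, "active-content tag"))
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, f"javascript: URL in {name}"))
        if tag == "meta" and attrs.get("http-equiv", "").strip().lower() == "refresh":
            self.findings.append((tag, "meta refresh redirect"))


def scan_listing(html):
    """Return a list of (tag, reason) findings; an empty list means clean."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample listings, not captured from eBay; the URL is a placeholder.
CLEAN_LISTING = '<p>2004 sedan, <b>low miles</b>. <img src="photo.jpg"></p>'
REDIRECT_LISTING = (
    '<body onload="window.location=\'http://example.invalid/buy\'">'
    '<p>Second chance offer</p><embed src="listing.swf"></body>'
)

if __name__ == "__main__":
    for label, html in (("clean", CLEAN_LISTING), ("redirect", REDIRECT_LISTING)):
        print(label, scan_listing(html))
```

An empty result is what an upload filter would require before a listing goes live; anything else is a reason to reject the listing rather than to ask buyers to disable javascript.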