back to article Gone phishing with eBay

There I was, on Monday night, scanning eBay for car bits. This is not a problem. I have this under complete control. I can give up buying worn out parts and rusty bits of bodywork at any time. Really. Anyway, I spotted a real bargain, a 2007 Bentley Continental for 0.01 GBP. Since these usually retail for something in the …


This topic is closed for new posts.
  1. Josh

    Great find

    Great find...

    If you find that the redirects go by too quickly in IE, download Firefox and install both the NoScript extension and the Web Developer Toolbar extension. The NoScript extension will let you view each screen as it goes by because you will have to enable JavaScript for each domain that it redirects through. The Web Developer Toolbar lets you disable any meta redirects.

  2. Anonymous Coward
    Anonymous Coward


    Why do PR people insist on telling such blatant lies?

    It's pretty obvious that they have no system, otherwise the listing would not exist. They just rely on people telling them.

    Incidentally, you needn't have blanked out the user's ID, because the images you posted are pretty illegible anyway...

    PS While I'm here, a couple of points about the comments section.

    1) ever since you changed it recently, my browser is unable to remember my login details

    2) it would be really useful if the story was still visible at the top of the comments page

  3. Anonymous Coward
    Anonymous Coward


    ...the most likely explanation.

  4. Anonymous Coward
    Anonymous Coward

    There's obviously no auto checking

    Or it would pick up things like this:

    Check who has made purchases for a real shocker.

  5. Anonymous Coward
    Anonymous Coward

    xxs flaw recorded on video

    Where have you been? That porn redirect, in various forms, has been present on ebay, and documented since around october or november of 2006.

    look on a movie and photo hosting site called hidebehind, for movie with file name 46C8A8, there you will see a live naked lady redirect xxs auction from/on ebay, with the redirect and all, on Firefox browser 2.003

    please note the above site is an adult site. If nudity and/or porn offends you do not visit or look for it.

    That XSS flaw has been unrepaired and unacknowledged for at least over 1 whole year, possibly longer. (see US-CERT Vulnerability Note VU#808921)

  6. Steven Knox

    Nice report -- almost

    "Thirdly, it took eBay at least two hours to respond to this after it was reported."

    Not true. According to your timeline, you reported it at 21:54 and the listings were gone at 00:15. That's 2:19 to COMPLETE a response, not to begin responding.

    "Do you consider this to be moving “quickly”?" That depends. How many fraudulent listings were there? If there were only the dozen or so you showed, that's one thing. But if there were thousands or millions*, the picture looks different.

    I remember when I was in college, and our primary T1 went down. We had a backup 56k line, so the connection didn't die, but everything slowed down. I did a traceroute and the numbers were in the 2000 to 3000 range. That really pissed me off until I recalled that those figures were milliseconds. Perspective restored, I sat back and waited the 2-3 seconds.

    I'd take 2-3 hours response time over the days it takes credit card companies to verify fraud or the months it takes some companies to even admit they had a breach of any kind.

  7. Anonymous Coward
    Anonymous Coward

    Well, duh !

    Who would of thought that clicking on a link that advertises an expensive product, for a ridiculously low sum, illustrated with a half naked woman, would be a risky thing to do !

    I have a great story about clicking on links on porn sites if you're interested - ends up much the same way. Only trouble is the story is about 10 years old now.

  8. Rupert Jabelman

    I spotted one of these last week.

    A very similar setup, on an ad for a VW camper. I reported it to eBay straight away, but they didn't seem to understand what was wrong:


    Thank you for your email. I understand your concern at the listing for a

    1965 Volkswagen (item: 200111255407).

    However, while we're always happy to help you, we can't tell from your

    email what exactly your inquiry is. Please write back with more details

    about your query or problem and any information you feel is important to

    help us solve it.

    We look forward to receiving your reply and helping you in any way that

    we can.


    I had to spell out in words of one syllable what was wrong with the auction, and why this was a bad thing before they figured it out.....

  9. Jennifer Royston

    Re. Well Duh.

    >Who would of thought that clicking on a link that advertises an expensive product, for a ridiculously low sum, illustrated with a half naked woman, would be a risky thing to do !

    I think that was why the author added the comment about it being the lister's daughter. I think, in his own English way, he was making the point that this DID look risky; which was presumably why he followed it.

    The point isn't really about whether it looked suspicious, the point is that eBay is allowing this sort of redirect from its site.

  10. Luca


    A while ago ebay contacted me saying my account was hijacked and there was a $10,000 bid under my account for a used car engine. After all the headache of resetting account, changing passwords, etc. I spoke to an ebay representative asking how my account could have possibly been hijacked and the answer was that ebay allows any kind of HTML code on their auctions because they don't feel sellers should be restricted when creating a web page so I could be on ebay one second and on a scam site the next. The only solution therefore, according to them, was to use ebay Toolbar (which only works on IE, I use Firefox).



  11. James Cleveland

    Listing freedom

    Really isn't worth it. Sure they should have some nice bbcode to put some images in but full HTML support? Who cares about flashy pages, all we want is an item.

    PS They all look sh*te anyway.

  12. A J Stiles

    Not eBay's fault

    It's not really eBay's fault.

    Let's suppose someone designed a car in such a way as to make it possible for somebody (ostensibly, only the manufacturer and then only in certain circumstances, although it's widely known -- though the car manufacturer strenuously deny this -- to be open to abuse) remotely to take over the steering, the pedals, the gears and the ignition.

    Furthermore, this car isn't sold to buyers in the usual way. It's given away gratis when you buy a bundle including a year's insurance policy, a year's worth of fuel and some accessories. The car manufacturer is also suspected of applying illegal pressure to insurance providers and fuel companies to dissuade them from insuring or gassing up any other makes of car, but the evidence always goes missing at the last minute (just before the senior investigating officer wins the lottery and retires to the sun, or has a nasty but improbable accident).

    As a result of this aggressive marketing technique, this car is the most popular model on the roads. The newest model is even fitted with a much-touted device to warn you if it detects someone trying to take over the controls; however, this is not 100% reliable and never can be, since the warning device itself can, by design, be overridden by the manufacturer (or anyone else who knows how to pretend to be the manufacturer -- who, of course, vehemently deny that this is possible).

    Now, someone drives to town in their free-but-hopelessly-insecure car to go shopping at Woolworth's; but finds their car being redirected to some other store instead.

    Is that really Woolworths' fault, for being a popular destination for shoppers driving insecure-by-design cars?

  13. Will Hill

    Infection Detected.

    The author claims, "So, it could be malicious code on the PC but both David and I would have to be infected in the same way; possible, but unlikely." but it's not true. He's already identified himself as a Windows user. The chances his friend is also a Windows user is about 80%.

  14. Adam


    I love some analogies that people come up with. The one above by A J Stiles goes to the top of the list as the biggest pile of rubbish I have heard for a long time.

    EBay have got full control over the HTML that is generated by their site, so if dodgy JavaScript/html/etc appears on their site it is totally their fault.

    It is simple enough to remove all html tags apart from simple formatting ones. Okay there is still the opportunity for suspect remote images to be loaded onto the site, but hopefully there shouldn't be any further problems like the wmf issue.

    Of course EBay will never admit the failings, but hopefully they will fix these problems behind the scenes.

  15. Stu

    eBay sucks

    I'm not surprised at all...

    A few months ago someone tried to buy my brand new spare mobile phone. He'd registered that day, and had zero feedback, so I was a bit suspicious.

    On checking the guy's details, his postcode didn't exist. I complained to eBay about this, and they refused to cancel his account and bid, leaving me in limbo for 7 days before I could file a "non payment" report. Then, they insisted I try ringing the bidder, using a mechanism built into the site that revealed both the buyer and seller's registered phone numbers to both parties. The phone number was a fake also. The buyer's account was never cancelled by eBay.

    eBay are threatening me with court action for not paying their listing fees. I say, bring it on. Talk about not fulfilling their duty of care in the prevention of fraud...

    Why could a big corporation such as eBay not make the following checks mandatory on all new accounts:

    1. VALID postcode for the country in question, that matches the specified address.

    2. Text message verification of the primary phone number entered - given that if you text a UK landline, Tom Baker will read the text for you anyway!?

  16. Anonymous Coward
    Anonymous Coward

    DON'T PAY STU!!!!

    In my experience Ebay are very slow to act against fraudsters, slow to help provide information (despite the privacy policy now saying they'll give all your details to "other third parties") and slow to suspend accounts.

    You're providing a service to Ebay by drawing their attention to this crook.

  17. Anonymous Coward
    Anonymous Coward

    If you don't tell eBay they never know

    Their *automated* sytem involves a minimum of 2 people complaining and then a person/trained monkey looks at the auction and tossing a coin to decide wether they should pull it (and lose income) or let it run at let some poor schmuck be conned and if they then complain hope that they paid with cash/Western Union and therefore don't need to care.

    Oh, am I sounding cynical?

This topic is closed for new posts.

Other stories you might like

  • Voicemail phishing emails steal Microsoft credentials
    As always, check that O365 login page is actually O365

    Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

    This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.

    This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

    Continue reading
  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Zscaler bulks up AI, cloud, IoT in its zero-trust systems
    Focus emerges on workload security during its Zenith 2022 shindig

    Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.

    Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.

    In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading
  • Heineken says there’s no free beer, warns of phishing scam
    WhatsApp messages possibly the worst Father's Day present in the world

    There's no such thing as free beer for Father's Day — at least not from Heineken. The brewing giant confirmed that a contest circulating on WhatsApp, which promises a chance to win one of 5,000 coolers full of green-bottled lager, is a frothy fraud.

    "This is a scam. Thank you for highlighting it to us. Please don't click on links or forward any messages. Many thanks," the beermaker said in a tweet.

    The phony WhatsApp giveaway includes an image of a cooler of 18 Heinekens and a link to a website purporting to run the giveaway. That page asks visitors vying to bag free booze for their personal information, such as names, email addresses, and phone numbers, which is all collected by miscreants.

    Continue reading
  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Costa Rican government held up by ransomware … again
    Also US warns of voting machine flaws and Google pays out $100 million to Illinois

    In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.

    Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.

    The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

    Continue reading

Biting the hand that feeds IT © 1998–2022