ebaY Motors Hijacked
22 Oct 2006
Updated 25 Oct 2006
On the 4th of October 2006 a buyer who had been scammed on ebaY Motors through
a second chance offer, and who had previously reported the scam to ebaY, was told
that ebaY was not responsible. Quoth the email: "Please keep in mind that we
do include information on the messages sent through our system as well as on
our site that state items should not be purchased outside of the eBay platform
and should not be paid for using Western Union." The problem is that, as far
as the buyer knew, the purchase WAS made on the ebaY platform: he went to ebaY
through his normal links, NOT an email link, logged on to ebaY, NOT a third party
site, and clicked the second chance offer on ebaY's listing page. When the page
opened he clicked Buy It Now, a confirm shipping address page was populated with
his name and address from ebaY's servers, and on the Pay Now page he was offered
Western Union wire transfer, which (unfortunately) he used.
Now all of you who read TAGnotes and visit our website know that it is never
safe to pay a stranger for a purchase with WU, but not everyone knows that. What
ebaY has always told users is that as long as you come to ebaY directly, log in
to ebaY directly, and complete the sale on ebaY, you are safe. This is no longer
true. This buyer did come to ebaY and log in to ebaY, but because of a security
hole the size of Niagara Falls in ebaY's coding he was automatically redirected
from the ebaY link he clicked to a third party scam site, where he was robbed
of his money. The redirect happened so fast he never saw it.
ebaY has known about this problem at least since 4 October and, of course, has
posted no warning about it, much less fixed it. On 22 October an associate of
the subscriber who informed TAG of this scam was able to follow the same process
and "buy" a fake vehicle from a scammer still using the same security hole. The
buyer searched ebaY, found an item, clicked on the ebaY search result link, was
taken to a page that looked identical to an ebaY listing, used Buy It Now, had
their personal information populated automatically into a confirm address section,
and was taken to a Pay Now screen. To check that the personal information populated
into the form really came from ebaY, they first went to their ebaY account and
changed some of their personal information to fake data, and the form populated
with that fake data from ebaY, the only place in the world it existed.
From what we have been told (but not witnessed), this redirect scam is also being
used for second chance offers, as in the case at the start of this article. The
buyer follows ebaY's rule of going directly to the ebaY site to respond to a
second chance offer instead of using the link in the email, logs into ebaY, goes
to the second chance offer, and is redirected to a scam site where their money is
stolen. The implication is that My ebaY is also compromised, but we have not seen
actual evidence of this yet; it is also possible that the second chance offer
message only appears on the closed View Item page.
Needless to say, all the accounts used were hijacked accounts, and ebaY's claim
that these accounts are hijacked with information gained through external phishing
scams is getting very old and less believable all the time. TAG has always said
that ebaY itself must be considered the prime suspect as the source of the buyer
email addresses that let second chance scammers contact buyers on items they bid
on but did not win. In light of this major security breach, TAG wonders whether
any information is secure on ebaY.
Right now we have only seen this redirect in ebaY Motors, but that does not mean
it is not happening on other parts of ebaY. TAG has observed at least three
variations of this scam, which makes it likely that the scammer/hackers who
figured it out have shared it with other scammers. We are sure to see more and
more of this unless ebaY manages to plug this security breach.
One Tech Guru theorized that this might have been caused by ebaY's band-aid fix
for its broken search. ebaY search is broken, and to "fix" it ebaY is using a
JavaScript redirect from the broken search result (bad) to a usable search
result (good). Unfortunately this may be the open door that takes a buyer from
a legitimate search result (good) to a scammer's redirect page (bad), using the
same JavaScript redirect ebaY has bandaged and patched its own problems with.
TAG feels ebaY should be responsible for reimbursing every buyer who lost money
to these scams, since these items were found and reached through legitimate ebaY
links, directly from the ebaY site. TAG also recommends that NO purchases be
made on ebaY Motors until this huge security gap is fixed. As a temporary
workaround, TAG further recommends that all users turn off/disable JavaScript in
their browser settings for all of ebaY.com.
The following images are from an item we found on ebaY today:
 - the listing as it appears in ebaY's search results
 - the item on the seller's ebaY item list
 - the URL reached when clicking the link from ebaY's search result page, with the item appearing on the ebaY site
 - the URL after the redirect to the scammer's site
It appears that at least one of the methods being used is a redirect via a
Shockwave Flash file bounced through photobucket.com; another is the JavaScript
redirect described above. In both cases the listing you click on is genuine, and
the only reliable tell is the address bar: by the time the Pay Now screen appears
the URL is no longer on ebaY.com, as the fourth screenshot shows. Check the
address bar before entering any payment or personal information. You can protect
yourself from these redirects by disabling JavaScript in your browser for the
ebaY site, and by disabling Flash.
In Internet Explorer you need to disable Flash globally: go to Tools, then Manage
Add-ons, then Enable or Disable Add-ons, and disable Shockwave Flash Object. In
Firefox you should have the NoScript extension installed: click the "S" icon in
the status bar at the bottom of the Firefox window, open Options, click the far
right tab, check the boxes to forbid Macromedia Shockwave (Flash) and to forbid
Java on untrusted sites, and make sure ebaY is on your list of untrusted sites.
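Added example, not from the original article and not ebaY's own code: the two redirect vectors this article describes, the JavaScript location change theorized above and the Flash file bounced through photobucket.com, are both seller-supplied active content inside a listing description, which is exactly what a marketplace's listing filter should refuse. The Node.js script below scans a listing's HTML for those vectors and the neighbouring ones (meta refresh, iframes, inline event handlers, javascript: URLs), lists the third-party hosts the listing references, and strips the active content. The sample listings, the .swf path on photobucket.com and the example.net attacker hosts are constructed for illustration; the host-trust list and the function names are assumptions.

```javascript
'use strict';

// Added example (not eBay's code, not from the original article): a scanner for
// seller-supplied listing HTML that flags the redirect vectors the article
// describes (a JavaScript location change and a Flash object bounced through a
// photo host) plus neighbouring vectors, and a sanitizer that strips them.
// All sample listings below are constructed; attacker hosts are example.net names.

const REDIRECT_PATTERNS = [
  // window.location = ..., location.href = ..., location.replace(...)
  { name: 'script-location',
    re: /<script\b[^>]*>[\s\S]*?\blocation\b\s*(?:\.\s*href\s*)?(?:=[^=]|\.\s*(?:replace|assign)\s*\()/i },
  // <object>/<embed>/<param> pointing at a .swf; the movie itself can navigate the page
  { name: 'flash-object', re: /<(?:object|embed|param)\b[^>]*(?:\.swf\b|x-shockwave-flash)/i },
  { name: 'meta-refresh', re: /<meta\b[^>]*http-equiv\s*=\s*["']?\s*refresh\b[^>]*>/i },
  { name: 'iframe', re: /<iframe\b/i },
  { name: 'inline-handler', re: /\son[a-z]+\s*=/i }, // onload=, onclick=, ...
  { name: 'javascript-url', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
];

// Every host referenced anywhere in the HTML that is not the marketplace's own.
// Image hosts show up here too; that is informational, the findings decide blocking.
function externalHosts(html, trustedHosts) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = m[1].toLowerCase();
    if (!trustedHosts.some(t => host === t || host.endsWith('.' + t))) hosts.add(host);
  }
  return [...hosts].sort();
}

// Returns the names of the vectors found, the third-party hosts, and a block verdict.
function scanListing(html, trustedHosts = ['ebay.com']) {
  const findings = REDIRECT_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
  return { findings, externalHosts: externalHosts(html, trustedHosts), block: findings.length > 0 };
}

// Strip active content from a listing. Regex-based sanitizing is a demonstration
// only; production code should parse the HTML and allow-list tags and attributes.
function sanitizeListing(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<(object|iframe)\b[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<(?:embed|param|meta)\b[^>]*>/gi, '')
    .replace(/\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/((?:href|src)\s*=\s*["']?)\s*javascript:[^"'\s>]*/gi, '$1#');
}

// Constructed sample listings (not real eBay data).
const SAMPLE_LEGIT = `<p>2004 Ford F-150, clean title.</p>
<img src="http://i.example-photos.com/truck.jpg" alt="truck">`;

// A hidden 1x1 Flash object served from a photo host, as the article describes.
const SAMPLE_FLASH = `<p>2005 Honda Civic, low miles.</p>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1">
  <param name="movie" value="http://i.photobucket.com/albums/x/listing.swf">
  <embed src="http://i.photobucket.com/albums/x/listing.swf" type="application/x-shockwave-flash" width="1" height="1">
</object>`;

// The JavaScript redirect theorized in the article.
const SAMPLE_SCRIPT = `<p>2003 BMW 325i</p>
<script type="text/javascript">
  window.location.replace("http://motors-secure-checkout.example.net/item.php?id=1234");
</script>`;

const SAMPLE_META = `<p>2002 Jeep Wrangler</p>
<meta http-equiv="refresh" content="0;url=http://ebay-motors-payment.example.net/">`;

for (const [label, html] of Object.entries({ SAMPLE_LEGIT, SAMPLE_FLASH, SAMPLE_SCRIPT, SAMPLE_META })) {
  console.log(label, scanListing(html));
  console.log(label, 'after sanitize:', scanListing(sanitizeListing(html)).findings);
}
```

Run it with node and it reports one finding for each of the three hostile samples and none for the legitimate one; after sanitizing, none of the samples is flagged. The point of the externalHosts list is the one the article makes about photobucket.com: an image host in a listing is normal, but an object or script loaded from one is not, so the host list and the findings should be read together. A regex sanitizer is shown only to make the intent concrete; malformed markup can slip past regexes, so a real listing filter parses the HTML and allow-lists tags and attributes instead.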
Much information and assistance with this article came from the folks at EBAY MOTORS SUCKS,
and from other TAG subscribers and Gurus.
Our thanks to all at Margaritaville for their invaluable assistance and advice.