Shopping online at eBay may put you at risk from hackers as revealed in a recent cyber attack.

Hackers waged a "cross-site scripting attack" on e-retailer eBay's website by exploiting an existing weakness. The hackers were able to redirect consumers to a phony page, which was designed to steal login data.

The fake website was made to look similar to eBay's welcome page. The ploy was designed to mislead users into thinking that they were browsing the authentic eBay site. Users simply had to click on certain listings on the website and were redirected via several sites to the phishing page, which asked for the user's eBay password and login details.

So how did the issue come to light? Paul Kerr, who is an IT worker from Scotland, spotted some iPhone listings on eBay that seemed suspicious. Kerr is also an eBay PowerSeller.

On Sept. 17, Kerr notified eBay of the attack after the iPhone link he clicked on redirected him to a phishing page. However, eBay only removed the suspicious listings on its site more than 12 hours later and only after the BBC had followed up the issue.

According to the BBC, the eBay listings for the iPhones contained malicious JavaScript code, which alters the way a site behaves. When a user clicked on a malicious listing, the code ran in the user's browser as part of the listing page and redirected them to the phony eBay page.

This vulnerability has been exploited by several people, as the BBC reports having identified nearly 64 malicious listings from the past two weeks.

"A brief search by the BBC uncovered 64 listings from the past 15 days that posed a danger to users. In each case, it appears cross-site scripting (XSS) has been used to hijack the user's browsing -- placed in the listings page using Javascript," reports the publication.

eBay, however, says that it does not allow cross-site scripting and has several security features in place to find and remove malicious code.

The e-retailer has assured users that it takes the safety of its marketplace "very seriously" and, therefore, removed the malicious listings, as they violated the retailer's policies pertaining to "third-party links."

However, to be safe, users are advised to check the address bar whenever eBay appears to ask them to log in after they have been redirected to a new page. Refrain from sharing personal data and alert eBay if you spot something suspicious.

Kerr has made a video to show how the phishing scam works. Check it out and stay vigilant.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.