Injecting malicious content into the heart of eBay, an ongoing string of phishing attacks continues to take advantage of veteran sellers and collect the financial details of some of the auction site's most discerning shoppers.

While traditional phishing attempts present web users with a malicious clone of a legitimate site, eBay has been suffering from attacks that are embedded among authentic listings for merchandise. eBay users who stumble onto one of the malicious listings and attempt to buy the advertised merchandise are redirected to a payment portal, where their financial details are delivered into the hands of hackers.

eBay has taken heat from security firms for its lack of urgency in addressing the phishing attempts. After the BBC brought several of the malicious listings to light, an eBay spokeswoman said the attacks made use of common scripting languages and weren't new to the site.

"This is not a new type of vulnerability on sites such as eBay," said an eBay spokeswoman. "This is related to the fact that we allow sellers to use active content like JavaScript and Flash on our site. Many of our sellers use active content like JavaScript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways."

eBay user Paul Castle complained to eBay about the baited listing back in February 2014. eBay was said to have responded to Castle by notifying him that the issue had been escalated up its chain.

"I was just browsing in Digital Cameras and came across a password-harvesting scam," said Castle in an email to eBay. "[Following the link] transfers immediately to a password harvest scam page."

The series of phishing attempts embedded in eBay's sites comes just months after over 145 million username and password pairs were discovered to have been compromised sometime around March 2014.

Though eBay has yet to release a formal statement on the latest series of phishing attempts, it launched a full investigation into the password breaches and delivered a report of its findings.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," eBay stated in a release. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

eBay advised users to change their passwords, though it said it found no evidence suggesting that any of the hacked financial and personal data was compromised.
