
Hackers attack eBay through product listings

EBay is said to have been hacked once again, with customers being led to a spoof site that steals their credentials.

The hackers placed malicious JavaScript code within product listing pages that automatically redirected users to the spoof site, according to security researcher Steven Murdoch of University College London.

The flaw was originally identified by eBay PowerSeller Paul Kerr when he clicked on a listing for an iPhone and was redirected to a page with a suspicious web address.

Kerr reported the issue to the company, but said eBay removed the listing only after a follow-up call 12 hours later.


Murdoch told the BBC: "EBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad.

"The websites the user is being redirected to are almost certainly compromised by the attacker to hide his or her traces."

At least three listings were redirected to malicious accounts, according to the BBC, but the ecommerce site said the problem was limited to a single item.

An eBay spokesman said: "This report relates only to a ‘single item listing’ on whereby the user has included a link which redirects users away from the listing page.

"We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links."

Kerr added that thousands of unsuspecting users might have given their login credentials and compromised their accounts.
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.