Will You Be Hacked Again Buying On eBay?
Hackers have been exploiting an old vulnerability in eBay that allows them to steal your passwords if you click on their fake listing.
Yet another eBay hack has been exposed, just four months after criminals stole millions of passwords and forced everyone who has an eBay account to change their password.
In the newest wave of attacks, criminals are creating fake listings that show up in search results. Clicking on one of these fake listings will redirect you to a fake eBay sign-in page that asks for your user ID and password. If you enter your details, you are effectively handing over your account. The criminals can then try to buy items using your PayPal account, or even log in to your email account (as it's shown in your eBay account details), where they can look for sensitive information.
Unlike other types of phishing scams, these fake listings look authentic. They do not have any spelling mistakes or badly worded phrases, and they are good enough to fool the most cautious shoppers. These bogus listings can be anywhere on eBay.
According to the BBC, the first fake listing was reported to be selling a digital camera, and it was reported to eBay back in February. Early in September there was yet another fake listing, this time for an iPhone. The BBC said this particular fake listing was still on eBay’s site 12 hours after it was reported and was only taken off when the BBC contacted eBay themselves. Leaving the listing live for so long was a huge mistake by eBay.
A BBC investigation uncovered 64 fake listings over a 15-day period in September. The listings covered a wide range of goods and were not limited to electrical goods. Kaspersky’s senior security researcher David Emm thinks this is just the tip of the iceberg. He went on to say, “It’s certainly possible that there may be more. Even if there aren’t, there is no way of knowing just how many eBay customers have clicked the links and been redirected”.
The worrying thing is that the listings don’t simply contain a malicious link in the product description; that would be a relatively straightforward type of attack. Instead, the hackers have somehow managed to tweak eBay’s code so they can infiltrate the search results, which exposes a deep flaw in the site’s security.
eBay has yet to comment on the BBC’s claims of finding at least 64 malicious listings. A spokesman for eBay did confirm the fake iPhone listing and said it was taken down as soon as they were aware of it.
So what can you do to stay safe?
Most reputable antivirus programs come with a good anti-phishing tool, which should help identify fake eBay pages, but you should check whether your antivirus has one.
Avast antivirus analyst Jirl Sejtko also warns users to be “suspicious if a site requests you to log in or wants you to provide any personal details when you would not normally do so”. In the eBay attacks, clicking on the listing would take you to a fake sign-in page, but eBay would never normally ask you to sign in at that point. Most shopping sites will only want you to log in when you purchase something.
The message from the experts is to always defend yourself using good security software and always look out for anything odd. eBay’s security should be more sophisticated, which would prevent this kind of attack. If hackers do manage to sneak past eBay’s security, eBay needs to react a lot faster; doing this would help its damaged reputation to recover.