Security hole on eBay
Mar 13th, 2008 by estreet

Ina Steiner of AuctionBytes.com writes an excellent piece about a huge security hole on eBay. In the article, a German watchdog group reports that criminals in Romania are exploiting a weakness within eBay listings to direct eBayers to a spoof site. When an eBayer views a malicious listing, the criminals retrieve the user’s email address, eBay user name, partial credit card info and watched item list.

Once they get this information, what do they do with it? I can see two ways to defraud victims:

1. The malicious listing links to a spoofed eBay site. The user is prompted to log in on a fake eBay page, which hands the criminals the eBay username and password.

Now they can hijack the user’s account. They change the password, post a flood of one-day listings that accept only Western Union or cash, collect the money and run.

2. Once the exploiters know which items the eBayer is watching, they send fake Second Chance Offers for those items. Victims are led to spoof sites or instructed to pay with Western Union or cash. Again, they run away with the money.

How do they do it? JavaScript that runs inside a listing runs with the privileges of the page it is on, so it can read anything the page contains and send it to another site; a request to a server the criminals control, with the data tacked onto the URL, is all it takes. The normal use of JavaScript in listings is to embed objects such as Flash. Think of Auctiva’s showcase: it legitimately embeds your Auctiva account info in your listings and sends it to their server at load time so they can display your showcase content properly. I don’t know how, but the article clearly shows that there is a way to obtain an eBayer’s personal information from an eBay listing.

I assess that this is a complex operation that involves expert technical knowledge, money laundering and coordination of people. The technical expertise is not in the scripting, but in not getting caught. They have to design a system that keeps them untraceable or moves their IP addresses every few hours.

Why don’t people who are this intelligent just create a legitimate business? I suppose the governments and business climate in Eastern Europe and Africa don’t support small businesses and financial success. Or perhaps they do support small businesses that specialize in international crime. {Shrug} In either case, you have some super smart people creating opportunities for themselves.
