Phishers set hidden traps on eBay

Click on a specially crafted listing, and you could get a nasty surprise. But eBay is on the case.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Click on an eBay auction listing, and you could get an unwanted result: a fake eBay login page, created by scammers looking to pilfer your username and password.

With about 181 million users worldwide, eBay is arguably the world's most popular online marketplace. As such, the San Jose, Calif., company, with its online payment unit PayPal, is among the biggest targets for online scammers--including phishers.

Phishing scams use forged Web sites that look like legitimate sites in an attempt to dupe Internet users into giving up sensitive data, such as usernames, passwords and credit card details. Cybercrooks typically use spam e-mail to lure people to their Web traps. But on eBay, they also take advantage of the auction listings on the site itself.

Some of the scams run on the auction Web site are almost invisible to the untrained eye. eBay lets sellers customize their auction pages using Web programming techniques and automated tools. However, attackers are abusing this freedom to build auction pages that include a rigged listing. When potential customers click on the link, it sends them to a phishing site.

eBay is aware of such abuse of its service for trickery by cybercrooks, Catherine England, an eBay spokeswoman, said Friday.

"Our sellers really use the dynamic content aspect of our listings," she said. "The benefits overwhelmingly outweigh the red skin that we have gotten."

CNET News.com reader Neal Cahill of Kansas City, Mo., said he had come across the scam. "When you click on the listing, it runs a script or small program that automatically takes you to a new page that requests login info," he wrote in an e-mail interview.

The page that users are redirected to appears to be an eBay login page but is in fact a copy stored elsewhere--a classic phishing scam. "This page looks just like the eBay login page, only the Web address is different," Cahill wrote. The bad listings are usually for really appealing items or related to adult entertainment, he wrote.

eBay lists about 78 million items at any given time, and 6 million items are added daily, England said. The company has methods in place to fight fraud and employs about 1,000 people whose full-time job it is to keep the marketplace safe. But sometimes a page with malicious code does get onto its Web site, she added.

"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point," she said. "We feel that it is not a huge concern or issue--it is minuscule."

Online fraudsters have targeted eBay and PayPal for years using a variety of techniques, including listing design abuse, England said. "This tactic for phishers has been around for a long time," she said.

Despite industry efforts, phishing is still on the rise, and experts predict that scams will become increasingly sophisticated. A record 9,715 phishing Web sites were spotted in January, according to the Anti-Phishing Working Group.

eBay offers a browser toolbar to help protect customers against fake copies of its Web sites. The company also provides extensive security information on its Web site, including a "spoof tutorial."