Someone I know encountered a really sneaky eBay phish this weekend. It arrived through eBay’s official “Ask seller a question” system, and consisted of a simple request: Was his auction the same as the auction at the following About Me page?

The URL was a normal eBay URL of the form Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.

So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. It’s not a secured page, but use of SSL for login pages is still spotty enough that a user could easily miss that. And how many people have noticed that eBay only puts login forms on You have a slightly better chance if you have a browser like Opera, which shows you the target* of a form when you hover over a button. If you think to look at it.

I went looking and found another sighting at Conor’s Web of Esoterica, which has a screenshot of the bogus form.

This reminds me a lot of the password-stealing flaw found in Firefox and IE last November. In that case, the problem was that it was possible for a MySpace user to put a fake login form in his profile, which would get filled out by an overeager password manager. The immediate solution there was for MySpace to prevent their users from posting forms with password fields. Once again, the problem is that a malicious eBay user is able to post a form that imitates eBay’s real login form, only here the intent is to fool the user into filling it out instead of the browser.

Until eBay improves the filter on their About Me page, the best solution is to only sign in from the eBay home page. If another page brings up a login form, don’t trust it.

*Even that could probably be circumvented with some sneaky use of JavaScript to change the target, but I’m pretty sure eBay already blocks scripts on About Me pages.

7 thoughts on “Nasty Ebay “About Me” Phish

  1. It’s stuff like this that keeps certain technophobes away from this stuff.

    …and why I’m less hesitant than some to call them all “idiots” for being fooled by this or that cyber trick.

  2. I remember some discussion of phishing in the middle of last year, and there were people ranting about “Who falls for this? It’s so obvious!” I tried to explain that it isn’t always obvious anymore. It’s a lot more sophisticated than the badly-spelled, text-only, “Pleas rspond with all you personl informtion” messages with a link to a raw IP address that was the norm two or three years ago.

    I’ve seen some really clever phishes, some sent to me, some shown to me, and some landing in the spamtraps, but this has got to be the sneakiest one I’ve seen in a long time.

    Of course, the danger is still there with phone and mail scams. Even before I had a credit card, I was taught to give the number out only if I had called a company, not if they had called me. It’s just so much easier to send this garbage out via email.

  3. Your video clip is all about hacking into a database to retrieve account data, not about using social engineering and user-supplied content on eBay’s site to trick people into handing their login info to the wrong site. Furthermore, all the dates I saw were from this month. So how, exactly, is this “quite an old scam?”

    The solution for this scam is simple: Just as MySpace did last fall, eBay should disallow posting of password-type input fields on user-supplied content.

  4. Interesting. I often see these things as being connected to the lunar Eclipse. It all depends on the Eclipse if it will effect phishing or not. An eclipse connected to Neptune is usually a sign that phising will be rampant.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.