Auction site eBay has remained defiant about ‘active’ listings, despite multiple reports indicating that these are being used for eBay scams where users are directed outside the site to pages built for phishing attacks, according to Computer Weekly.
The issue originally came to light last week when a listing, which offered cheap iPhones for sale, was found to contain a malicious script which directed site users outside eBay to a site which resembled the auction site, but harvested usernames and passwords, according to TameBay.
This week, the BBC claims that such eBay scams have been active since at least February, with transcripts of chats between customers and support staff seeming to support this.
The broadcaster also found several dozen new listings with similar ‘cross-site scripting’ tactics.
eBay scams: Phishy listings
One transcript, from user Paul Castle, dated from February this year, showed Mr Castle explaining, "I was just browsing in Digital Cameras and came across a password-harvesting scam."
The problematic listing used a feature known as ‘active content’, which eBay relies on to let sellers build listings with JavaScript and Flash, but which also gives attackers the chance to redirect users outside the site.
Mr Castle said that the problematic February listing, "transfers immediately to a password harvest scam page".
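The defensive side of the ‘active content’ problem described above is a listing scanner that flags exactly the constructs the report mentions: script and Flash embeds, inline event handlers, script URLs and links that lead off the marketplace. The following is an added example, not eBay’s own code; the trusted-host allowlist, the three sample listings and the `.invalid` placeholder domain are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the marketplace treats as its own.
TRUSTED_HOSTS = {"ebay.com", "www.ebay.com"}

# Elements that execute or embed code (JavaScript, Flash, plugins, frames).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# Attributes that carry URLs and can lead a visitor off-site.
URL_ATTRS = {"href", "src", "action", "data"}


def _is_trusted(host):
    """True if host is one of the trusted hosts or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class ListingScanner(HTMLParser):
    """Walks listing HTML and records (category, detail) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", f"<{tag}>"))
        for name, value in attrs:
            if value is None:  # boolean attribute, nothing to inspect
                continue
            lowered = value.strip().lower()
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag} {name}"))
            if lowered.startswith(("javascript:", "vbscript:")):
                self.findings.append(("script-url", f"{tag} {name}"))
            if tag == "meta" and name == "http-equiv" and lowered == "refresh":
                self.findings.append(("meta-refresh", "<meta>"))
            if name in URL_ATTRS:
                host = urlparse(value.strip()).hostname
                # Relative URLs have no host and stay on-site; skip them.
                if host and not _is_trusted(host):
                    self.findings.append(("off-site-url", host))


def scan_listing(html):
    """Return the list of findings for one listing's HTML (empty = clean)."""
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    return bool(scan_listing(html))


# Constructed sample listings.
BENIGN = ('<p>Nikon D80 body, boxed, one owner.</p>'
          '<a href="https://www.ebay.com/itm/123">See my other items</a>')
REDIRECT = ('<p>Apple iPhone, brand new, cheap!</p>'
            '<script>window.location = "http://login-example.invalid/signin";</script>')
OFFSITE_LINK = ('<p>Apple iPhone, brand new, cheap!</p>'
                '<a href="http://login-example.invalid/signin">Log in to see the price</a>')

if __name__ == "__main__":
    for label, html in (("benign", BENIGN), ("redirect", REDIRECT), ("offsite", OFFSITE_LINK)):
        print(label, scan_listing(html))
```

In practice a marketplace would run this at listing submission time and on a periodic sweep of live listings, quarantining anything with an `active-content`, `event-handler`, `script-url` or `meta-refresh` finding for review, and treating `off-site-url` as a lower-severity signal since legitimate sellers do link to shipping calculators and the like.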
E-Commerce Times reports that eBay defended the use of such ‘active’ listings, saying, “The criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems.”
'Many sellers use active content'
“Many of our sellers use active content like JavaScript and Flash to make their eBay listings perform better,” the site said in a statement. “We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”
The site claimed in its statement that unauthorized account usage is at an all-time low on the auction service. However, the accounts used for the XSS phishing scam seemed to be highly rated accounts stolen from innocent users, some of which had been used for hundreds of bogus auctions.
Veteran security researcher and writer Graham Cluley comments that eBay has a responsibility to manage such ‘active content’ more effectively, saying, “There are plenty of reasons to be careful when buying items on eBay in the first place, but it is disappointing to find out you also need to keep a keen eye open for scams and malicious scripts that eBay’s security team should really have stamped out in the first place.”