One of the grand-daddy brands of e-commerce, eBay hasn’t had a great time of it in 2014 as far as security public relations go. Following a run of password hacking earlier this year, which took far longer than it should have to be made public, a story broke this last week about security risks on the site itself. It’s not surprising that people are wondering whether or not the world’s biggest online auction site is still safe to use.


Another breach at eBay?

What’s been happening is that certain auction listings are not what they appear to be at first glance. And this is tricky, because eBay’s approach – particularly in recent years, when they have opened up the way listings are constructed in order to attract business sellers – now makes it possible for sellers to have a huge influence over the way a listing appears on the site.

It’s this ability to insert JavaScript in a listing which has enabled malicious code to be placed, directing people away from the site to somewhere different – where their payment and login details can be captured and misused. It’s called cross-site scripting, if you want to Google it… And ironically, the sheer variety of appearances this functionality makes possible for eBay listings helps the scammers to get away with it, by making it harder for users to spot that something is amiss.

The scammers exploit the fact that you trust eBay – especially if you’ve used it for years, and a lot of us expats in Spain got to know it well as sellers just before we emigrated and needed to shift huge numbers of possessions. It’s been around for a long time, and now that we have all dutifully updated our passwords following the breach earlier this year, we’ve felt pretty safe.

But what the BBC have uncovered is that when you clicked on certain listings on the site, the click took you to a page far from eBay itself – designed to look like a legitimate listing and eBay page, and to convince you to part with passwords and payment information. This video, captured by a sharp-eyed user, shows how it works – you need to put it in full screen and keep an eye on the address in the browser bar. Note the point at which it diverts to a page NOT anywhere on the eBay site at all.

The malicious listings look real, because they are made using hacked accounts belonging to real sellers, with established reputations and 100% good feedback.  Russell Dearlove from York told the BBC his account had been “acting strangely”. He was temporarily locked out of his account, and listings had been posted by an unknown person.

“I kept getting messages flashing up on my email saying, ‘Congratulations you’ve sold your iPad’. I didn’t have an iPad to sell!

“I emailed eBay to say there’s something not quite right here. I got no response but they have sent me a statement saying I owed about £35 [for selling/listing fees].”

An eBay spokesperson told the BBC:

“This report relates only to a ‘single item listing’ on whereby the user has included a link which redirects users away from the listing page.

We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links”

However, as the BBC researchers managed to uncover dozens of compromised listings, this is demonstrably untrue, and one eBay user, Paul Castle, has a transcript of an eBay support dialogue from February this year in which he had identified a similar scam.

So what is eBay playing at, and is it safe to use the site? It seems that the corporation may have failed to learn from the PR disaster of their earlier password breach, and chosen to hush up this failure and try to fix it before disclosure. Of course, exactly how eBay security works, and their precise strategy in the continual arms race against attacks on their site, must remain confidential in detail, but for users this once again smacks of a serious lack of transparency.

If you are using eBay or any other website, you must keep your wits about you, and whenever you are prompted to enter login or payment details, take a GOOD look at the address bar – this won’t hurt, whatever site you are using.

Of course you will expect to see a big long URL defining a particular page, but the beginning of the address MUST be on the site you expect it to be –for example, .  Pay particular attention to the bit just before the top-level domain (the .es, .com or – this is the part that matters most, and watch out for for example or – because these are NOT on the eBay website, they are trying to trick you and things are not what they seem.

Remember that what you click on in an email or on a webpage, the text in the link, may bear no relationship to where the link takes you – it’s the address in the browser bar on the page which matters.
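The address check described in the last two paragraphs can also be done in code. The following is an added example, not part of the original article and not eBay's own code: it parses each link as a browser would, tests the real hostname against a list of expected domains, and flags links whose visible text names the trusted site while the destination is elsewhere. The `TRUSTED` list and all sample links are constructed for illustration.

```javascript
// Added example. TRUSTED and every sample link below are constructed.
const TRUSTED = ["ebay.com", "ebay.es"];

// True only for the domain itself or a real subdomain of it.
// The leading dot matters: "notshop.example" must not match "shop.example".
function hostIsOn(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Parse the address as the browser does and test the actual hostname,
// never the raw string (which may merely contain the trusted name).
function isOnTrustedSite(href, trusted = TRUSTED) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // relative or malformed address: do not trust
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  return trusted.some((domain) => hostIsOn(host, domain));
}

// Report links that leave the trusted site, and whether their visible
// text names the trusted site anyway (text and destination disagree).
function auditLinks(links, trusted = TRUSTED) {
  return links
    .filter(({ href }) => !isOnTrustedSite(href, trusted))
    .map(({ text, href }) => ({
      href,
      misleadingText: trusted.some((d) => text.toLowerCase().includes(d)),
    }));
}

const SAMPLE_LINKS = [
  { text: "View item", href: "https://www.ebay.com/itm/1234" },
  { text: "View item", href: "https://ebay.com.signin.example/itm/1234" },
  { text: "View item", href: "https://www.ebay-com.example/itm/1234" },
  { text: "View item", href: "https://www.ebay.com@listing.example/itm/1234" },
  { text: "www.ebay.com/itm/1234", href: "https://listing.example/go" },
];

console.log(auditLinks(SAMPLE_LINKS));
```

Only the first sample link passes; the other four are reported because the part of the hostname just before the top-level domain is not the expected one, however much of the trusted name appears elsewhere in the address or in the link text.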

Be aware, be safe, and let @Costaconnected know about anything you discover going on at eBay or elsewhere which could affect us all.

Costa Connected, for Costa Blanca News, October 3rd 2014

©Maya Middlemiss,

Casslar Consulting SL
