Fraudsters Exploiting Un-patched IE, Firefox Flaws in eBay to Trick Shoppers

Internet scammers are taking advantage of un-patched security flaws that affect the Internet Explorer and Firefox browsers to produce bogus eBay pages to entice online shoppers into bidding on fake listings.

Web security experts state that the fraudsters responsible for the eBay attack successfully used a Cross-Site Scripting (XSS) attack to insert rogue JavaScript code into eBay pages. This code allowed external e-mail links and other illegitimate code to be placed on the bogus eBay pages, evading the tools that identify fake listings.

Apart from inserting a link into the pages that encourages users to contact the seller by e-mail at an aol.com address, the scam employed a random number generator so that new numbers replaced the products' original ones whenever fresh items were loaded on the pages. Each product number is unique, which helps in flagging fake listings; changing the numbers therefore made it difficult for eBay's fraud busters to eliminate the phony auctions.

Nevertheless, the auction site has been able to stop the exploit and prevent it from working on the site's domains. Nichola Sharpe, Spokeswoman for eBay, said that the current security threat was not the first one for eBay, as reported by Ecommerce Journal on March 9, 2009.

Nichola further said that the site's security specialists knew about the problem and they had detected the already known loophole in IE and Firefox. According to her, eBay possessed advanced security mechanisms with which the company protected its consumers against such attacks. She also added that eBay constantly updated its security technologies so that the emerging threats could be adequately tackled.

Browser Security Specialist Cefn Hoile, who was the first to point out the Firefox problem, said that it took eBay over 24 hours to eliminate each fake listing, as reported by The Register on March 8, 2009. Hoile added that it was necessary that eBay took some responsibility.

Security specialists further said that users could be effectively guarded against such attacks if the 'safe' XSS functions were whitelist-filtered and everything else blocked.


» SPAMfighter News - 13-03-2009
