Hacker redirects eBay shoppers to fake site

Sep 19, 2014 | E-commerce and E-retailing, Regulation

EBay has been compromised so that people who clicked on some of its links were automatically diverted to a fake site created to steal their personal and financial details.


The spoof site had been set up to look like the online marketplace’s welcome page.
The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.
The cross-site scripting (XSS) attack involved the attackers placing malicious JavaScript code within product listing pages.
This code in turn automatically redirected affected users through a series of other websites, so that they ended up at the page asking for their eBay log-in and password.
Users only had to click the original listing to have their browser hijacked.
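
One way a marketplace can render seller-supplied listing markup so that script embedded in a listing never runs in a shopper's browser, shown as an added example that is not from the article or from eBay: all text is escaped and only an allowlist of formatting tags is re-emitted, without attributes. The function names, the tag list and the sample listing are assumptions constructed for illustration.

```javascript
// Added example (not eBay's code): allowlist rendering of seller-supplied listing HTML.
// Assumption: listings may use only these formatting tags, and never any attributes.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Returns the safe HTML plus a list of findings a review queue could act on.
// Output is safe by construction: it contains only escaped text and literal
// allowlisted tags, so <script>, event handlers and javascript: URLs cannot survive.
function renderListingDescription(raw) {
  const findings = [];
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let html = "";
  let last = 0;
  for (const m of raw.matchAll(tagRe)) {
    const [whole, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    html += escapeHtml(raw.slice(last, m.index)); // text before this tag
    if (ALLOWED_TAGS.has(tag)) {
      const rest = attrs.trim();
      if (rest && rest !== "/") findings.push(`attributes dropped on <${tag}>`);
      html += `<${slash}${tag}>`; // re-emit the bare tag only
    } else {
      findings.push(`tag <${tag}> not allowed`);
      html += escapeHtml(whole); // shown as inert text, never parsed as markup
    }
    last = m.index + whole.length;
  }
  html += escapeHtml(raw.slice(last)); // trailing text, including any stray "<"
  return { html, findings };
}

// Constructed sample listing: formatting, an event-handler attribute, and a
// script block that tries to send the browser to another site.
const SAMPLE_LISTING =
  '<p>iPhone, <b onclick="go()">boxed</b></p>' +
  '<script>location.href="https://example.invalid/"</script>';

const result = renderListingDescription(SAMPLE_LISTING);
console.log(result.html);
console.log(result.findings);
```

Listings that produce findings can be held for review before publication instead of being served to shoppers.
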
The issue was originally identified by Paul Kerr, an IT worker from Alloa in Clackmannanshire who is also an “eBay PowerSeller”.
He called the firm shortly after he had clicked on a listing for an iPhone and been redirected.
This is not the first technical setback eBay has suffered in recent months.
The site has experienced several periods when members have been unable to sign into their accounts and have received incorrect password alerts.
In May, the firm made users change their passwords after revealing that a database containing encrypted passwords and other non-financial data had been compromised.
In addition, it announced in July that 1,600 accounts on its StubHub ticket resale site had been broken into, resulting in a scam that defrauded the service of about $1m (£600,000).