Fraudulent classified ads posted on eBay have been exploiting an opportunity to establish convincing attacks against potential car buyers. Simply viewing one of the sneaky eBay ads causes the victim's browser to request the same listing via an intermediate server instead, which subtly modifies the content of the page to the fraudster's advantage.

Similar to a man-in-the-middle attack, the modifications are performed on-the-fly by a web server located in the
1. Victim browses to one of the fraudulent listings on eBay.co.uk;
2. eBay returns the listing to the victim's browser;
3. The fraudulent listing automatically redirects the browser to the attacker's website, passing the eBay item number to a PHP script;
4. The attacker's website uses the item number to fetch the same listing directly from ebay.co.uk;
5. eBay returns the listing to the attacker's website;
6. The attacker modifies the real eBay page before returning it to the victim's browser.
within the item's description will automatically redirect the victim's browser to the attacker's website. The eBay item number is passed to a PHP script on the attacker's site, which allows it to fetch the same listing from ebay.co.uk before delivering a slightly altered version to the victim.
Most customers would not expect their browser to end up on a different website merely by viewing a listing on the real eBay website, which makes this attack dangerously effective. Additionally, because the modified listing looks extremely similar to the real thing (and displays the item they were expecting to see), many victims would likely have no cause to suspect that the bogus content is being served from a completely different website. Although there are still a few small clues for the wary, this apparent weakness in the eBay platform is certainly much easier to exploit than a completely undetectable
The fraudulent sites can also display legitimate eBay listings, changing the seller's contact details on-the-fly.
Images are sourced directly from eBay's own web servers.
Interestingly, the only significant differences on the modified page are that the Email the seller and the Ask a question links have been replaced with different links which
By encouraging victims to immediately establish an email dialogue outside of the eBay website, the fraudster can attempt to secure money through non-reversible payment methods without eBay being able to monitor even the initial communication.
Victims are unlikely to be spooked by having to deal directly with the seller. While eBay's terms and conditions forbid anyone to buy or sell outside eBay, this applies only to its auction-style and Buy-It-Now listing formats. This scam makes use of eBay's newer classified ad listing format, where a purchase can only be carried out by dealing directly with the seller. In these cases, the victim would not be covered under eBay's buyer protection policy, nor would they be able to leave negative feedback which might alert other potential victims.
The fraudulent listings used in these attacks are posted from compromised eBay accounts, which allows the fraudster to piggyback on the trustworthiness and reputation of established sellers. If these compromised accounts have accrued lots of positive feedback from previous auctions, then this will also serve to leverage the trust of potential victims much more than a brand new account possibly could.
This type of attack is rather subtle considering the other opportunities that could have been exploited by the fraudster. Most obviously, the fraudster could have attempted to steal login credentials by presenting a spoof login form, but clicking on the Buy it now or Make offer buttons, or the My eBay menu item, actually directs the victim to the real eBay login page instead. However, the subtle changes that are made are the only ones necessary for these types of listings — when it is possible to score thousands of pounds with a single fraudulent sale via email, perhaps it is not worth attracting undue attention by also phishing for account details.
This automatically causes a browser to display the modified content from the fraudster's server, without any user interaction.
The man-in-the-middle scenario is made possible by the inclusion of arbitrary
user from eBay to another webpage, but this rule is clearly being flouted.
Accounts may be suspended for breaching the guidelines in this policy, which is another reason why it is common to see fraudulent listings being posted from compromised eBay accounts – whether or not these accounts get permanently suspended is largely inconsequential to
fraudsters aren't going to mind breaking the rules. Given the potential for misuse, the lack of sufficient technical measures to prevent malicious scripts being embedded within an eBay listing poses a security risk, and the fraudulent listings posted on eBay over the past week demonstrate that this issue can be exploited rather effectively.
Because the description of an eBay listing is displayed within an iframe, the attack relies on being able to use a hyperlink to change the location of the parent window. This could be prevented by using HTML5's sandboxing features, which would cause a hyperlink with a target="_top" attribute to do nothing. The framed content would only be able to navigate within itself, and could not send the surrounding top-level window to a page carrying altered contact details.
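As an added illustration (not from the original article, and not eBay's own markup), here is a description frame in its weak form beside the sandboxed form the paragraph describes, followed by constructed description content showing the navigation that the sandbox neutralises. All URLs and the item number are placeholders.

```html
<!-- Weak: an unsandboxed frame. A link with target="_top" (or a script) inside
     the seller-supplied description can navigate the whole eBay page elsewhere. -->
<iframe src="https://listing.example/desc?item=ITEM_NUMBER_PLACEHOLDER"
        width="100%" height="600"></iframe>

<!-- Hardened: the sandbox attribute with no allow-top-navigation token.
     The same link now only navigates the frame itself; the browser refuses
     the top-level navigation (typically logging a console error). Leaving out
     allow-scripts also stops any script in the description from running, so an
     automatic redirect without user interaction is blocked as well.
     Individual tokens such as allow-forms can be added if the description
     genuinely needs them, but allow-scripts together with allow-same-origin
     must be avoided, since that combination lets framed content strip its
     own sandbox. -->
<iframe src="https://listing.example/desc?item=ITEM_NUMBER_PLACEHOLDER"
        sandbox
        width="100%" height="600"></iframe>

<!-- Constructed description content (what the frame loads), with a harmless
     placeholder destination in place of an intermediate server. -->
<p>1998 Example Roadster, full service history.</p>
<a href="https://placeholder.example/view.php?item=ITEM_NUMBER_PLACEHOLDER"
   target="_top">See more photos</a>
```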
Although the fraudulent listings are eventually deleted by eBay, the same fraudster keeps coming back for more. Buster Jack — who regularly reports such scams to eBay — noted a
by the same fraudster more than a week ago, which presented the modified content via the yugoslavic.info domain. In terms of value, Jack told Netcraft that the used car market is the most serious area of fraud on eBay.
Within the past week, Netcraft has blocked more than 20 other websites that the same fraudster had been using to modify the content of eBay listings. All of these sites used the .info top-level domain, shared the same IP address and were hosted by HostGator in the United States.
The Scamwarners forum has documented similar cases of suspected fraudulent activity on the car trading website Autotrader. Here, the same fraudster has attempted to get potential buyers to make contact via various email addresses under his regowner.co.uk domain, rather than by phone or via the Autotrader website. The affected listings have since been removed from the Autotrader website, but the regowner.co.uk domain is still operational and able to receive email. The domain name itself lends authority to the scam by pretending it has something to do with the registered owner of a vehicle, and the local part of the email address (the part before the @ symbol) was the same as the car's number plate, such
The regowner.co.uk domain was registered with eNom on 27 March and currently points to a holding page hosted by Arvixe in the UK. Despite the domain's WHOIS registration type being set to "UK Individual", the registrant's address is purportedly in the United States. The .info domains used by the man-in-the-middle scripts were also registered last month, using an address in London.