Fraudsters modify eBay listings with JavaScript redirects and proxies

Fraudulent classified ads posted on eBay have been exploiting an opportunity to establish convincing attacks against potential car buyers. Simply viewing one of the sneaky eBay ads causes the victim's browser to instead request the same listing via an intermediate server, which subtly modifies the content of the page to the fraudster's advantage.

Similar to a man-in-the-middle attack, the modifications are performed on-the-fly by a web server located in the US.

1. Victim browses to one of the fraudulent listings on; 2. eBay returns the listing to the victim's browser; 3. The fraudulent listing automatically redirects the browser to the attacker's website, passing the eBay item number to a PHP script; 4. The attacker's website uses the item number to fetch the same listing directly from; 5. eBay returns the listing to the attacker's website; 6. The attacker modifies the real eBay page before returning it to the victim's browser.

When a customer views one of the fraudulent ads on eBay, specially crafted JavaScript embedded within the item's description will automatically redirect the victim's browser to the attacker's website. The eBay item number is passed to a PHP script on the attacker's site, which allows it to fetch the same listing from before delivering a slightly altered version to the victim.

Most customers would not expect their browser to end up on a different website by merely viewing a listing on the real eBay website, which makes this attack dangerously effective. Additionally, because the modified listing looks extremely similar to the real thing (and displays the item they were expecting to see), it is likely that many victims would have no cause to suspect that the bogus content is being served from a completely different website. Although there are still a few small clues for the wary, this apparent weakness in the eBay platform is certainly much easier to exploit than a completely undetectable man-in-the-middle attack.

The fraudulent sites can also display legitimate eBay listings, changing the seller's contact details on-the-fly.
Images are sourced directly from eBay's own web servers.

Interestingly, the only significant differences on the modified page are that the Email the seller and the Ask a question links have been replaced with different links which send an email directly to EBAY@REGOWNER.CO.UK. On the real eBay website, these parts of the page cannot be altered because the item description is displayed within an iframe, making any JavaScript within the description unable to directly alter the contents of the parent window. By encouraging victims to immediately establish an email dialogue outside of the eBay website, the fraudster can attempt to secure money through non-reversible payment methods without eBay being able to monitor even the initial communication.

Victims are unlikely to be spooked by having to deal directly with the seller. While eBay's terms and conditions forbid anyone to buy or sell outside eBay, this applies only to its auction-style and Buy-It-Now listing formats. This scam makes use of eBay's newer classified ad listing format, where a purchase can only be carried out by dealing directly with the seller. In these cases, the victim would not be covered under eBay's buyer protection policy, nor would they be able to leave negative feedback which might alert other potential victims.

The fraudulent listings used in these attacks are posted from compromised eBay accounts, which allows the fraudster to piggyback on the trustworthiness and reputation of established sellers. If these compromised accounts have accrued lots of positive feedback from previous auctions, then this will also serve to leverage the trust of potential victims much more than a brand new account possibly could.

This type of attack is rather subtle considering the other opportunities that could have been exploited by the fraudster. Most obviously, the fraudster could have attempted to steal login credentials by presenting a spoof login form, but clicking on the Buy it now or Make offer buttons, or the My eBay menu item, actually directs the victim to the real eBay login page instead. However, the subtle changes that are made are the only ones necessary for these types of listings — when it is possible to score thousands of pounds with a single fraudulent sale via email, perhaps it is not worth attracting undue attention by also phishing for account details.

A fragment of JavaScript used by one of the fraudulent eBay listings.
This automatically causes a browser to display the modified content from the fraudster's server, without any user interaction.

The man-in-the-middle scenario is made possible by the inclusion of arbitrary JavaScript in the fraudulent listings. eBay's HTML and JavaScript policy explicitly prohibits the use of JavaScript to redirect a user from eBay to another webpage, but this rule is clearly being flouted. Accounts may be suspended for breaching the guidelines in this policy, which is another reason why it is common to see fraudulent listings being posted from compromised eBay accounts – whether or not these accounts get permanently suspended is largely inconsequential to the attacker.

Banning nefarious JavaScript through policy alone is rather ineffective, as fraudsters aren't going to mind breaking the rules. Given the potential for misuse, the lack of sufficient technical measures to prevent malicious scripts being embedded within an eBay listing poses a security risk, and the fraudulent listings posted on eBay over the past week demonstrate that this issue can be exploited rather effectively.

Because the description of an eBay listing is displayed within an iframe, the attack relies on being able to use a hyperlink to change the location of the parent window. This could be prevented by using HTML5's sandboxing features, which would cause a hyperlink with a target="_top" attribute to do nothing. The framed content would only be able to navigate within itself and not change the contact details in the surrounding top-level parent.

Although the fraudulent listings are eventually deleted by eBay, the same fraudster keeps coming back for more. Buster Jack — who regularly reports such scams to eBay — noted a similar attack by the same fraudster more than a week ago, which presented the modified content via the domain. In terms of value, Jack told Netcraft that the used car market is the most serious area of fraud on eBay.

Within the past week, Netcraft has blocked more than 20 other websites that the same fraudster had been using to modify the content of eBay listings. All of these sites used the .info top-level domain, shared the same IP address, and were hosted by HostGator in the United States.

The Scamwarners forum has documented similar cases of suspected fraudulent activity on the car trading website Autotrader. Here, the same fraudster has attempted to get potential buyers to make contact via various email addresses under his domain, rather than by phone or via the Autotrader website. The affected listings have since been removed from the Autotrader website, but the domain is still operational and able to receive email. The domain name itself lends authority to the scam by pretending it has something to do with the registered owner of a vehicle, and the local part of the email address (the part before the @ symbol) was the same as the car's number plate, such as KX60YSJ@REGOWNER.CO.UK.

The domain was registered with eNom on 27 March and currently points to a holding page hosted by Arvixe in the UK. Despite the domain's WHOIS registration type being set to "UK Individual", the registrant's address is purportedly in the United States. The .info domains used by the man-in-the-middle scripts were also registered last month, using an address in London.