eBay scripting trick used to boost seller ratings (Shockwave redirection ploy)

The Register (U.K.) ^ | March 18, 2008 | John Leyden

[Stoat]

eBay scripting trick used to boost seller ratings

Shockwave redirection ploy in mystery auction attack

By John Leyden → More by this author

 

 

Published Tuesday 18th March 2008 17:04 GMT

---

Hackers have been caught using a malicious scripting scam in an apparent attempt to boost their rating on eBay.

An auction for a 4WD car on eBay.co.uk featuring the ruse was brought to our attention by Reg reader John early on Monday. eBay pulled the auction on Monday afternoon but The Reg has this screenshot.

The auction for a 2007 Range Rover Sport HSE offered a car valued at £40K for £12K. Clicking on the auction generated a suspicious pop-up, served up from Russia. Having established something was amiss we called up security experts at Sophos to analyse the attack, which we initially took to be a scripting variant of the Bayrob Trojan scam.

Not so.

Sophos established that surfers who click on the dodgy listing see a regular item page along with an embedded tag pointing to a Shockwave file. This Shockwave file redirects the user to an .aspx page in Russia. At the root of the page are two other similar .aspx pages - linking to other (already completed) vehicle auctions. ASPX is an html file format used to create Webforms.

The approach may have been used to harvest email addresses, or more likely as a way for dodgy sellers to give themselves a better reputation. Following the removal of the auction it's hard to be certain, but Sophos was able to make an educated guess about the purpose of the ruse.

Fraser Howard, a principal virus researcher at Sophos, concludes: "The scam appears to be hiding behind several other eBay sellers to piggyback on their reputations. The main listing itself (on the eBay site) is using a seller normally associated with online jewellery sales, a power seller. When you click through the the details page, and get redirected to the .aspx page on the .ru site, the seller is different again."

Sophos plans to add detection for the dodgy Shockwave file as the ReDir-A Trojan with its next update.

[Stoat]

Ping

[smith288]

Simple fix. Don’t use the outdated 1999 website called ebay.

[Attention Surplus Disorder]

Ebay has recently changed their “checkout” page, and it is a complete and total piece of garbage, complete with OBVIOUS security flaws, freight and insurance miscalculations, elimination of the ability to make mutually-agreed-upon changes to an invoice, and reductions of choices as to payment methods. It is generating howls of protest and ebay blithely talks past the complaints and objections in a magnificently Orwellian fashion. Under the guise of “convenience” these changes are sure to create massive, massive problems requiring literally millions of hours of corrective work on the part of users. It’s quite unfathomable. Half of my “favorite sellers” have left ebay or, at least last I checked, are not offering anything for sale (and these were 500+ pieces-of-crap-for-sale sellers)

Classic case of fixing what’s not broken. I am taking an ebay sabbatical after I complete my current round of buys. These changes just suck.

[Dad yer funny]

FR bookmark

[Stoat]

Several of my favorite sellers have hung up their keyboards as well.

I'm noticing that Paypal (owned by eBay) is offering (for five dollars) a keychain bauble with an LCD screen and a button, which generates additional digits which you add to your existing login password. The obvious statement being made here is "our security isn't nearly good enough, but instead of actually fixing it we're going to charge and inconvenience our customers further and then beat our chests, bellowing about how magnificently proactive on security we are".

 

 

Kitty doesn't like it.

[Izzy Dunne]

A used pink bathrobe.

A rare mint snow globe.

A SMURF TV tray.

I bought on Ebay.

Weird Al

[fieldmarshaldj]

On Saturday, I was proceeding to pay off a bill on eBay for 4 small lots from the same dealer. The bill I received in my email was correct, but when I went to checkout, the bill was padded by $25 for “insurance” (not the dealer’s fault, but eBay’s). There was no way for me to correct the amount and after half an hour of trying to fix it, I had to go and pay the amount manually on PayPal, bypassing eBay’s checkout (meaning no recording that the individual lots had been paid off).

Yet another one of eBay’s “problems” were their modifications to the multiple-auctions page to leave feedback. When you roll the mouse over one of the lots to begin a preview, it freezes the whole page and takes upwards of two minutes for the preview to appear (I don’t want the preview, it takes all of 10 seconds to just click on the link). Thanks to that mess, it took me an hour and a half to leave feedback for about 70 lots whereas previously it would take about 15 minutes prior to their “helpful upgrade.”

I cannot believe they are not receiving an epic number of complaints at the f’d up mess they have made. The checkout alone (which if you’re not careful, you’ll fail to notice that when you’re paying off a SINGLE lot, that EVERY OTHER LOT YOU HAVE BID ON is also on the page, too — why the hell are all those there when you’re dealing with just ONE lot ?!?!? Imagine you’re paying monthly bills, and you’re trying to pay off the gas bill, and when you go to pay it off, every other utility, grocery, entertainment expense, etc. is all there too ? F’d up, totally).

9 years I’ve been on eBay and it has NEVER been worse.

[ShadowAce]

[Attention Surplus Disorder]

You’re echoing each and every complaint I have about it, PLUS...and few know this...when you pay via PayPal but DON’T use ebay’s “pay now” button (visible on your completed, won auction) there are some subtle losses of buyers’ protections that can occur. To escape this so-called “convenience” you have to go and contact the seller and request a separate invoice. Esp if you have mutually agreed to combine shipping. It’s truly a PITA.

[Tennessee_Bob]

The bauble sounds like a version of the VPN Token we use here at DHS. The number on the token is randomly generated and that in combination with a PIN is your password for logging in.

[martin_fierro]

lol

[adm5]

They have also screwed up how someone searches for items, taking Buy It Now, and other search variants off, and onto the sidepage, but you have to click on the box and manually hit “buy it now” in a new smaller window and also a search within a set search is screwy too.

FeeBay’s motto: If it’s not broken, fix it.

[tubebender]

I have purchased over 3500 local postcards on eBay and they have really messed in their nest the last couple of months. I paid cash for anything under $15.00 and now I have to look close for the option to use anything other than PainPal. On the larger items I want a separate checkout and invoice.

[sbMKE]

I joined Ebay in 1998 and was a very avid user for years until they ramped up rates and “buyer protections” to the point where I was getting scammed once a week.

Last time I logged into my account I found that it had been hacked and “designer” clothes were being sold through it. 500+ positives and 1,000 + total sales and I’m out completely.

[fieldmarshaldj]

I’d love to walk away from eBay, but I mainly just do business with about 5 dealers and there’s nowhere else I can get these items from (because of their obscurity). Why they have initiated these “changes”, which I have no doubt 90% of eBayers oppose for making doing business incredibly inconvenient or just completely confusing, I have no idea. Why they especially decided to do away with the option of pay all your eBayers at once and FORCE IT upon you without a choice makes me red faced with outrage. If I could get a contact number, I’d complain immediately. A task that took me 5 minutes to do months ago took 45 minutes on Saturday. Absolutely outrageous.

I don’t know why they don’t have two versions of eBay, the previous one that worked and that 99% of eBayers prefer to use as an option, and the new version that the .0000000001% of eBayers that are masochists can choose to option. Y’know, the ones that don’t mind paying $25 of insurance on a $5 lot.

[tubebender]

I just bought 3 holsters for my 3225 Kyocera cell phone. Can't find them anywhere else and they were only $1.00 a piece but the shipping was &14.00 shipping for the three.

[tubebender]

oopppps...shipping was $1o plus sales tax and ins...I think

[fieldmarshaldj]

I’ve seen a lot of price gouging with respect to shipping. Since I buy paper-sized items (usually no larger than a sheet of paper), the costs shouldn’t be high. I give them some leeway of wanting to add a buck or two (and I understand adding perhaps 50c per lot, since PayPal and eBay add on the listing fees), but I remember 5 years ago a guy charged $6 to ship a single sheet of paper. When I got the item, it had obviously cost about 75c or so to mail (the item itself only was a buck or two, but I’d have paid $10 for it excluding shipping) and I left “neutral” feedback, saying he shipped cheap and charged high. He went ape$hit and insulted me in email. What bugged him was that he had already left me positive feedback before I had and he couldn’t retaliate.

Fortunately the ones that engage in funny business like that don’t last long on eBay at all. I had one guy sign up to sell a letter I wanted. He was probably expecting it would sell for $50 or more. I won it for a few bucks (you take a risk on buying from somebody with a zero feedback, but, as they say, you have to start somewhere, and you’re not taking much of a risk on something under $5) and after repeated attempts to contact him, he never answered back and soon deregistered from eBay.

[tubebender]

Several years ago I bought eight small ashtrays for the minimum eight bids and sent a check. The check cleared but he never shipped and would not return my messages. One day I emailed him and told him I was filing a Mail Fraud charge with the USPS and tax evasion charges with the IRS. I had a reply in 3 minutes asking for my address. Got the ashtrays 4 days later.

Every time I posted a negative on him he reciprocated. My only negatives I ever had...