Posted on 11/18/2004 11:35:29 AM PST by Cableguy
Such spoof sites work only because civilian sites such as eBay/PayPal are not knowledgeable about military-style dual verification.
ATM machines have the same vulnerability. Many an ATM user has been unknowingly burned by crooks who set up fake ATMs in shopping malls and convenience stores. Innocent people insert their ATM cards, key in their PINs, and get a message about the system being down, try again later.
In the meantime, the fake ATM machine has read their ATM cards, copied their PINs, and the crooks will soon be making up duplicate *valid* ATM cards to drain your checking account.
...And again, it is because most banks are unfamiliar with military-style dual verification.
Dual Verification means that *you* verify that the other guy is real, and the other guy verifies that you are real. Then information can be exchanged securely.
But ATM kiosks don't allow you, the consumer, to verify that the ATM is real...which is the very first thing that you have to establish in order to have a secure transaction.
What *should* happen is that every ATM should *first* show you a 4 digit number after you insert your ATM card (prior to you entering your PIN). If you don't see the correct number, then you should phone the bank and be given a reward for catching a fake ATM kiosk scam.
On the other hand, should the ATM show you the correct number, then you should feel confident typing in your PIN.
The fake ATMs won't know which 4 digit number to first show you. You'll get a reward for calling the bank anytime you are shown an incorrect number...and thereby honest citizens will easily put the fake ATM crooks out of business.
That's dual verification. The ATM shows *you* a special, pre-agreed number, and only then do you show the ATM your PIN. Since fake ATMs aren't tapped into the bank's database, those fake ATMs won't know which number to show to you. The reward for catching machines that display the incorrect dual verification number will quickly shut them down.
...And the same thing goes for web sites like PayPal and eBay. They should be showing *you* a unique number or phrase before you enter your final password to log on (or to input requested private information such as bank account numbers).
The eBay spoof sites run by crooks won't know which phrase or number to show you, so you'll know to call eBay to get your reward for identifying a criminal web site.
Simple dual verification, combined with public rewards, will shut down such criminal web sites.
Our military and spy agencies have been using this sort of security system for decades. It's time that civilians caught up.
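The ATM flow described in the post above (and the same check for a web login, where the "number" becomes a per-user phrase shown before the password) as an added Python example; this is not code from the original post. A bank stores a pre-agreed number for each card, a genuine terminal shows that number before asking for the PIN, and a fake kiosk with no connection to the bank can only guess, so the customer stops before revealing the PIN. The Bank, GenuineATM and FakeATM classes, the card number, the verification code and the PIN are all hypothetical values constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example; none of these values are real.
SAMPLE_CARD = "4000-0000-0000-0001"
SAMPLE_VERIFY_CODE = "7341"   # the pre-agreed number the bank shows before asking for the PIN
SAMPLE_PIN = "2580"


class Bank:
    """Hypothetical bank back end: per card, the pre-agreed verification
    number and a salted PIN hash (the PIN itself is never stored)."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, card, verify_code, pin):
        salt = secrets.token_bytes(16)
        self._accounts[card] = {
            "verify_code": verify_code,
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
        }

    def verification_code(self, card):
        """Step 1: the number a terminal must display for this card, or None if unknown."""
        acct = self._accounts.get(card)
        return None if acct is None else acct["verify_code"]

    def check_pin(self, card, pin):
        """Step 2: only reached after the customer has verified the terminal."""
        acct = self._accounts.get(card)
        if acct is None:
            return False
        return hmac.compare_digest(self._hash_pin(pin, acct["salt"]), acct["pin_hash"])


class GenuineATM:
    """Terminal connected to the bank: it can look up and display the pre-agreed number."""

    def __init__(self, bank):
        self.bank = bank

    def insert_card(self, card):
        return self.bank.verification_code(card)

    def enter_pin(self, card, pin):
        return self.bank.check_pin(card, pin)


class FakeATM:
    """Skimmer kiosk as the post describes it: no link to the bank, so it can only
    guess which number to show, then records whatever the customer types."""

    def __init__(self):
        self.harvested = []

    def insert_card(self, card):
        return "0000"  # a guess; the kiosk has no way to learn the pre-agreed number

    def enter_pin(self, card, pin):
        self.harvested.append((card, pin))
        return False  # "system down, try again later"


def use_atm(atm, card, expected_code, pin):
    """Customer side of dual verification: compare the displayed number with the
    pre-agreed one and only then reveal the PIN. Returns a dict of what happened."""
    shown = atm.insert_card(card)
    if shown != expected_code:
        # Wrong or missing number: do not type the PIN, report the machine instead.
        return {"shown": shown, "pin_entered": False, "reported": True, "authenticated": False}
    return {"shown": shown, "pin_entered": True, "reported": False,
            "authenticated": atm.enter_pin(card, pin)}


def demo():
    """Run the same customer against a genuine terminal and a fake kiosk."""
    bank = Bank()
    bank.enroll(SAMPLE_CARD, SAMPLE_VERIFY_CODE, SAMPLE_PIN)
    genuine, fake = GenuineATM(bank), FakeATM()
    at_genuine = use_atm(genuine, SAMPLE_CARD, SAMPLE_VERIFY_CODE, SAMPLE_PIN)
    at_fake = use_atm(fake, SAMPLE_CARD, SAMPLE_VERIFY_CODE, SAMPLE_PIN)
    return at_genuine, at_fake, fake.harvested


if __name__ == "__main__":
    g, f, harvested = demo()
    print("genuine ATM:", g)
    print("fake ATM:   ", f)
    print("PINs captured by fake ATM:", harvested)
```

Running the file shows the genuine terminal authenticating the customer while the fake kiosk's harvested list stays empty, because the customer stops at the number check. The example keeps the post's own assumption that a fake kiosk cannot reach the bank's database; a kiosk that could relay the card to the real bank and pass the real number back would not be caught by this check alone.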
bump for later read
"So how did you get them off AOL? I stoutly refuse to do a damn thing with it besides uninstall (and I've offered to come do that at the drop of a hat, any time they call) . . . but Mom refuses to countenance any other ISP. She "just knows AOL too well" to switch."
I finally refused to offer any more support at all unless they let me switch them to another dial-up access and Yahoo Mail.
Yahoo Mail is terrific. It screens every attachment for viruses and its bulk mail filter is excellent. I highly advise it.