What ebaY has always told users is that as long as you come to ebaY directly, and log in to ebaY directly, and complete the sale on ebaY, you are safe. This is no longer true.
A follow-up article from The Auction Guild's email newsletter:
Quote: EBAY REDIRECT PHISHING SCAMS MULTIPLY
************************************************************
The hackers and scammers continue to get through ebaY's bad coding and subvert the site. The redirect schemes are going on both ebaY Motors and the main ebaY site.

In addition to the ebaY Motors scam we previously reported on, a second information (phishing) scam is prevalent on ebaY. Usually the victim is lured in by a scantily clad woman, on a listing where such an image is entirely inappropriate. Often when a user tries to report the listing, or clicks on something in the listing, a pop-up appears asking them to log in to ebaY. The victim fills out the information in the pop-up, and this info goes right to the scammer, who now has access to the person's complete ebaY account.

Protect yourself, and your friends and family. Never input your info in a pop-up, only through your normal access links. Block pop-ups, block Flash, block JavaScript, especially on ebaY. If the listing requires pre-approval to bid, and it sounds like a great deal, be suspicious.

As always, ebaY will only end items that are reported, and sometimes not even then. They do not appear to be doing anything to either fix their coding, or to monitor for these listings themselves. Their big solution is to hide user IDs for buyers who bid over $200. All that will do is help the shill bidders - but what the heck - the higher the bid the more ebaY makes, so why do they care if the bidding is illegal?
http://www.auctionguild.com
Another report of an unpatched redirection flaw on the eBay site:
Quote: A redirection script error on eBay's site remains open to abuse 18 months after The Register first reported it.
The flaw - actively exploited in phishing scams since February 2005 - creates a means to make fraudulent emails look more convincing.
Shortly after publishing a report on the problem, eBay assured us that it had plugged the hole. Despite this the site remains open to abuse through the same back door, as an email from Reg reader Adrien this week reminds us...
full article:
http://www.theregister.co.uk/2006/11/13/...tion_ruse/
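The "redirection script" both quoted reports describe is the classic open-redirect pattern: a page on the trusted domain takes a URL parameter and sends the browser wherever it says, so a phishing mail can link to the real site and still land the victim on the attacker's login page. The block below is an added example, not code from this post, The Auction Guild, The Register or eBay, and it says nothing about how eBay's actual script worked. It shows the vulnerable handler beside a hardened check; the function names, the `url` parameter and the `example-auction.test` hostnames are assumptions chosen for illustration.

```python
"""Open redirect: the vulnerable pattern beside a hardened target check.

Added example, not code from the original post or from any site it names.
The hostnames, SITE_ORIGIN and function names are assumptions.
"""
from urllib.parse import urljoin, urlsplit

# Assumed: the only hosts a redirect from this site is allowed to land on.
ALLOWED_HOSTS = {"www.example-auction.test", "example-auction.test"}
SITE_ORIGIN = "https://www.example-auction.test"


def vulnerable_redirect(url: str) -> str:
    """Open redirect: returns the Location to send, trusting the parameter.

    A mail linking to https://www.example-auction.test/redir?url=https://evil.test
    shows the trusted domain in the link, then hops to the attacker's page.
    """
    return url


def is_safe_redirect_target(url: str) -> bool:
    """True only if ``url`` resolves to an http(s) URL on an allowed host.

    Covers the usual bypasses: scheme-relative //host, backslash variants
    (/\\host, which browsers read as //host), userinfo tricks
    (https://good-host@evil.test), control characters and non-http schemes.
    """
    if not url or "\\" in url or any(c in url for c in "\r\n\t\x00"):
        return False
    # Resolve against our own origin so "/path" is accepted and
    # "//evil.test/x" becomes an absolute off-site URL we can inspect.
    resolved = urljoin(SITE_ORIGIN + "/", url)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, without userinfo or port
    return host is not None and host in ALLOWED_HOSTS


def safe_redirect(url: str, fallback: str = SITE_ORIGIN + "/") -> str:
    """Location to send: the resolved target if it is safe, else the fallback.

    Always emit the resolved form rather than the raw parameter, so a
    browser never gets to re-interpret an odd spelling of the URL.
    """
    if is_safe_redirect_target(url):
        return urljoin(SITE_ORIGIN + "/", url)
    return fallback


if __name__ == "__main__":
    # Constructed sample parameters, as a phisher and a legitimate link would send them.
    for candidate in ("/signin", "//evil.test/login", "https://evil.test/login",
                      "https://www.example-auction.test@evil.test/", "javascript:alert(1)"):
        print(f"{candidate!r:55} vulnerable -> {vulnerable_redirect(candidate)!r}")
        print(f"{'':55} hardened   -> {safe_redirect(candidate)!r}")
```

The hardened check deliberately validates the parsed hostname rather than doing a string prefix match on the raw parameter, because `https://www.example-auction.test.evil.test/` and `https://www.example-auction.test@evil.test/` both start with the trusted name and both leave the site.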