Beware EBay spoof attack from within EBay item

Discussion in 'UK Motorcycles' started by David Mahon, Oct 19, 2005.

  1. David Mahon

    David Mahon Guest

    Whilst searching EBay for VRF800 prices, I noticed item 4583880424 was
    set very cheap with no reserve.

    I clicked on it to see it, but was immediately redirected - to a spoof
    logon page which tries to rip off your username/password (and also tries
    to overwrite the address bar so you don't notice, but it messed up with
    the latest version of IE at least and printed it just underneath). I was
    already logged in and had been having trouble with Ebay this last week -
    I almost re-entered my details.

    So beware. I hadn't seen this type of attack before. I'm used to the
    email type spoof attacks, but this redirection from within a proper
    auction is a new one on me.

    (here is the code in the page that does the damage - obviously it's been
    used before, as this item is a VFR not a Harley)

    <table width="100%" border="0" cellspacing="0" cellpadding="2">
    <tr align="left" valign="top">
    <td colspan="2"><font face="Verdana, Arial, Helvetica, sans-serif"
    <b>Vehicle Description</b>
    <tr align="left" valign="top">
    <td width="8"><br></td>
    <td width="770"><!--/EBAY_AUTO_SYITEMPLATE1--><P align=center><FONT
    face=times size=5><STRONG><EM>2005 Custom Harley
    Softail</EM></STRONG></FONT></P><form name="jpg"

    Sorry if it's a ginge.
    David Mahon, Oct 19, 2005
    1. Advertisements

  2. David Mahon

    Pip Luscher Guest

    preferably a red candle with a sizzling wick.
    Pip Luscher, Oct 19, 2005
    1. Advertisements

  3. David Mahon

    Kit Guest

    The site contains a Trojan.
    Kit, Oct 19, 2005
  4. David Mahon

    David Mahon Guest

    If they hadn't tried to be really clever and overwrite the address bar
    (which doesn't work in the latest IE), they might just have got me!
    David Mahon, Oct 19, 2005
  5. David Mahon

    Kit Guest

    If you are not aware the site downloaded a Trojan then sorry but, they have
    got you!
    Kit, Oct 19, 2005
  6. David Mahon

    David Mahon Guest

    It's not downloaded a Trojan, it's redirected me to a fake login site.
    Fortunately I noticed it was fake.

    I expect that kind of stuff in phishing emails. I wasn't expecting it
    from within EBay itself.
    David Mahon, Oct 19, 2005
  7. David Mahon

    Zanziba Guest

    That's really quite smart.

    User ID: willow_209

    Their smart ass tricks work perfectly in FireFox. Have to admit, I think I
    may have fallen for that one.
    Zanziba, Oct 19, 2005
  8. David Mahon

    mb Guest

    mb, Oct 19, 2005
  9. David Mahon

    Zanziba Guest

    It's very clever. Why can't these people put their talents to good use,
    surely if you can code that then you are clever enough to get wealthy
    Zanziba, Oct 19, 2005
  10. David Mahon

    David Mahon Guest

    And before anyone else bothers looking it up.
    David Mahon, Oct 19, 2005
  11. It's been used many times before with Yahoo and other email providers,
    but I've never heard of it being used with Ebay.

    willow_209: zero feedback, UK based, member for less than a month...

    .....and NARU'd.
    The Older Gentleman, Oct 19, 2005
  12. David Mahon

    tallbloke Guest

    New user ID is shannon_932

    interesting as the auction is for an R1 with 2005 Custom Harley Softail

    url spoofing doesn't work on Opera web browser.
    tallbloke, Oct 20, 2005
  13. Can't find out if it works on a Mac and IE because these items have
    already been canned.

    shannon-932's NARU'd as well.

    If thy're using the same PW grabber, the chances are that it's an
    organised gang. What they do with the PW thn depends - if they're into
    clearing fake stuff, then fake auctions are obvious. Or they could be
    seling the known usernames and PWs to third parties.
    The Older Gentleman, Oct 20, 2005
  14. Cheers for the info, not seen such a thing but no I know to beware.
    Boots Blakeley, Oct 20, 2005
  15. David Mahon

    srp Guest

    ....changes ebay password just in case !

    srp, Oct 20, 2005
  16. David Mahon

    tallbloke Guest

    (The Older Gentleman) wrote in
    Interestingly, the ask seller a question just work from my cached page

    "How long do you think you'll get away with it?" :)
    Or maybe trying to buy items and testing to see if the same password gets
    them through paypal login? Not sure what they'd do about delivery address
    though, maybe use a safe drop house?
    tallbloke, Oct 20, 2005
  17. David Mahon

    David Mahon Guest

    Try: 8007756264

    (or search on "2005 Custom Harley Softail", with the quotes, in title
    and description - they keep on using that bit of code).
    David Mahon, Oct 20, 2005
  18. That just takes me to an auction page for a Vespa scooter manual. OK, so
    the Harley stuff is on the "vehicle description", so it;s a hijacked
    account, but no spoof login for me.

    How do you get to the spoof login page?
    Did that. A BMW car for sale, already declared invalid.
    The Older Gentleman, Oct 20, 2005
  19. David Mahon

    tallbloke Guest

    Which show's they're not very clever.Prolly kids messing with someone elses
    tallbloke, Oct 20, 2005
  20. David Mahon

    tallbloke Guest

    (The Older Gentleman) wrote in
    Using a popup blocker or summat?

    Here's a screenshot with the real url as opera's web browser ain't fooled
    tallbloke, Oct 20, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.