
Anyone see the newly listed items on eBay this morning?

cmerlo1 Posts: 7,960 ✭✭✭✭✭
I decided to surf- and the first 5 items were PORN. I tried to get to the auctions to report them, but they redirect you to a phishing site login. I've never seen this kind of phishing redirect on eBay before, and this could be VERY dangerous...what's the best way to report it?

--Christian
You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.

Comments

  • ebaytrader Posts: 3,312 ✭✭✭
    Link to the porn, please.


  • << Link to the porn, please >>
  • Don't know how to report, but here's the sellers ID: limitednoti , he has 95 of these listed?? (stolen account??)
  • cmerlo1 Posts: 7,960 ✭✭✭✭✭
    Since there have been so many requests...Coins:US and then sort by time: newly listed....
    You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.
  • ricko Posts: 98,724 ✭✭✭✭✭
    Will be a slow morning here... everyone will be trying to find the porn... Cheers, RickO
  • cmerlo1 Posts: 7,960 ✭✭✭✭✭
    eBay already took care of it...


    The porn didn't bother me, but I know others would find it offensive, and it's definitely not what you would want your YN to stumble on. My main concern is that someone has figured out how to redirect to a phishing site when you click an eBay item to view it.

    --Christian
    You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.
  • They took care of one seller - but there's still a "featured listing" (identical) by, ID: my2choyz... with 9 listings (obviously a hacked account - never sold porn before, but lotsa other stuff)
  • Coxe Posts: 11,139
    What an idiot. Here is the target domain info. Going through the original lot listing page source still. A bunch of javascript there, some ebay, some I don't know yet.

    Domain name: rosstravis.com

    Registrant Contact:

    Travis Ross (nin_antichrist@hotmail.com)
    +1.9058477686
    Fax:
    1292 Fairmeadow Trail
    oakville, ON l6m 2m2
    CA

    Administrative Contact:

    Travis Ross (nin_antichrist@hotmail.com)
    +1.9058477686
    Fax:
    1292 Fairmeadow Trail
    oakville, ON l6m 2m2
    CA

    Technical Contact:

    Travis Ross (nin_antichrist@hotmail.com)
    +1.9058477686
    Fax:
    1292 Fairmeadow Trail
    oakville, ON l6m 2m2
    CA

    Status: Active

    Name Servers:
    ns3.tektonic.net
    ns4.tektonic.net

    Creation date: 13 Sep 2007 18:08:13
    Expiration date: 13 Sep 2008 18:08:13
    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
  • notwilight Posts: 12,864 ✭✭✭
    Actually, if you search for those two sellers, they are still there; one of them still has legitimate items for sale. This is something I've never seen before. I can't see the actual auctions because as soon as I click on them IE gives me the red "This is a reported phishing site" screen. But it looks like the scammers have been able to have auctions show up in eBay that direct you to another website when you click them. This is something that I don't believe can be done using the listing tool, but they appear to have hacked in. Just speculation on my part. Perhaps a more knowledgeable computer jedi can come up with a better explanation. --Jerry
  • notwilight Posts: 12,864 ✭✭✭
    So Coxe, how long before the knock on this guy's door? --Jerry
  • cmerlo1 Posts: 7,960 ✭✭✭✭✭
    To me, the implications of this could be staggering. If they can redirect to a phishing site, they can also redirect to a real-looking item view page that takes you to a login screen when you click the bid button or 'My eBay'....
    You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.
  • notwilight Posts: 12,864 ✭✭✭
    << To me, the implications of this could be staggering. If they can redirect to a phishing site, they can also redirect to a real-looking item view page that takes you to a login screen when you click the bid button or 'My eBay'.... >>

    If you keep your IE updated it catches it. --Jerry
  • cmerlo1 Posts: 7,960 ✭✭✭✭✭
    True, but how many people actually do that, and how many are going to be astute enough to recognize that they're no longer on eBay?
    You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.
  • Coxe Posts: 11,139
    There is a tinyurl redirect to the site. I looked over that server and found templates and active php code to get eBay logins and credit card info. This is on a relatively newly set up Apache server and new domain. Could be the perp's, but more likely was overtaken before the person could configure it. If so, people need to make sure they secure any exposed system running any service before bringing it live. The Apache version is not the latest and does have security issues.
    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
  • Coxe Posts: 11,139
    If eBay wanted to do the right thing, they would look at every logged in account that viewed those lot listings and watch for password changes. However, from what I saw, it looks like the immediate goal is to get credit card info. Either the server is down or they lock your IP out when they've gotten that data (bogus data in my case). Don't feel like running through a proxy to check that out right now though.
    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
  • 19Lyds Posts: 26,492 ✭✭✭✭
    I saw it under seller id jetta6799 but that appears to have been cleaned up.

    I am a bit concerned over this since how in the world did they get a re-direct on the main EBay search results pages???
    I decided to change calling the bathroom the John and renamed it the Jim. I feel so much better saying I went to the Jim this morning.



    The name is LEE!
  • TwoSides2aCoin Posts: 44,604 ✭✭✭✭✭
    Porn : A New Miss Matic

    Great thread
  • Coxe Posts: 11,139
    << I saw it under seller id jetta6799 but that appears to have been cleaned up.

    I am a bit concerned over this since how in the world did they get a re-direct on the main EBay search results pages??? >>

    Yes, that was the account. The redirect was not from the search results page. Any of the porn lots did redirect. It was accomplished through an embed src tag to a tinyurl redirect in the eBay description section.
    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
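Coxe's description of the mechanism (an embed src in the seller-editable description pointing at a tinyurl redirect) suggests the check a listing platform, or a cautious buyer looking at page source, could run over description HTML. The scanner below is an added example written for this thread, not code from eBay or from any poster here: it walks the description with Python's html.parser, reports every element that can load or navigate to remote content, and classifies each target as on-site, a URL shortener, or off-site. The tag list, the shortener list, the trusted-domain parameter, and the sample description with its placeholder URLs are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that can load or navigate to remote content from inside a listing
# description; <img> is deliberately absent because it cannot redirect the page.
# (Assumed list for this example.)
ACTIVE_TAGS = {"embed", "object", "iframe", "script", "meta"}
SRC_ATTRS = ("src", "data")
# Shortener hosts that hide the final destination (constructed example list).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl"}


class ActiveContentFinder(HTMLParser):
    """Collect (tag, url) pairs for every active element in the description."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ACTIVE_TAGS:
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta":
            # <meta http-equiv="refresh" content="0;url=..."> is a redirect too
            if attrs.get("http-equiv", "").lower() == "refresh":
                _, _, target = attrs.get("content", "").partition("url=")
                self.findings.append(("meta-refresh", target.strip()))
            return
        for name in SRC_ATTRS:
            if name in attrs:
                self.findings.append((tag, attrs[name]))


def classify(url, trusted="ebay.com"):
    """Verdict for one target URL relative to the trusted listing domain."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "relative"          # no host: stays on the page's own origin
    if host in SHORTENER_HOSTS:
        return "shortener"         # destination hidden behind a redirector
    if host == trusted or host.endswith("." + trusted):
        return "onsite"
    return "offsite"


def scan_description(html, trusted="ebay.com"):
    """Return [(tag, url, verdict)] for every active element in the HTML."""
    parser = ActiveContentFinder()
    parser.feed(html)
    parser.close()
    return [(tag, url, classify(url, trusted)) for tag, url in parser.findings]


# Constructed description resembling the listings in this thread; the
# shortener code and image URL are placeholders, not the real ones.
SAMPLE_DESCRIPTION = """
<p>1878 Morgan dollar, see photos.</p>
<img src="http://images.example.net/PLACEHOLDER.jpg">
<embed src="http://tinyurl.com/PLACEHOLDER" width="1" height="1">
<meta http-equiv="refresh" content="0;url=http://badd.com/login.asp">
"""

if __name__ == "__main__":
    for finding in scan_description(SAMPLE_DESCRIPTION):
        print(finding)
```

A platform would reject or neuter anything reported as "shortener" or "offsite"; a buyer reading page source would simply close the tab. The 1x1 embed in the sample is the kind of thing a visual check never catches, which is why the check runs over the markup rather than the rendered page.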
  • cmerlo1 Posts: 7,960 ✭✭✭✭✭
    Thanks for the cyber-detective work, Coxe...hopefully eBay is working on a fix (but I doubt it)...

    --Christian
    You Suck! Awarded 6/2008- 1901-O Micro O Morgan, 8/2008- 1878 VAM-123 Morgan, 9/2022 1888-O VAM-1B3 H8 Morgan | Senior Regional Representative- ANACS Coin Grading. Posted opinions on coins are my own, and are not an official ANACS opinion.
  • wow, thanks for posting. very disturbing for ebay users.
  • DorkGirl Posts: 9,994 ✭✭✭
    There was some of the same thing happening about 6 months ago. Whatever eBay did, stopped it for a while.
    Becky
  • I've seen this before. I just wish the pictures were bigger. ;-)
  • TomB Posts: 22,077 ✭✭✭✭✭
    Unfortunately, this has been going on with ebay for quite some time, perhaps even up to a year.
    Thomas Bush Numismatics & Numismatic Photography

    In honor of the memory of Cpl. Michael E. Thompson


  • << If they can redirect to a phishing site, they can also redirect to a real-looking item view page that takes you to a login screen when you click the bid button or 'My eBay'.... >>

    They already do that... that's the number one way that people have their EBay password stolen.

    You click the auction, then you're asked to log in... but... you have to look at the URL!

    IE7 does a pretty good job stopping that crap though. I had it twice last week and reported both auctions.

    It's so common, you click a link in EBay and you're asked to log in, if it wasn't for IE7, a sharp eye, or some other tool... my password would have been a goner!
  • Type2 Posts: 13,985 ✭✭✭✭✭
    You are all so lucky this never happens to me.


    Hoard the keys.
  • fc Posts: 12,793 ✭✭✭
    thanks coxe. so basically one should keep an eye on what domain or IP address your browser is surfing to. i always watch the address bar for that crap.

    otherwise, does ebay.com/ somehow magically stay in the address bar during this exploit/phishing attempt/cross site scripting crap? something tells me one can obfuscate it but one would need another exploit of the browser to make it say one thing but do another... fancy hack that.
  • LALASD4 Posts: 3,602 ✭✭✭
    << To me, the implications of this could be staggering. If they can redirect to a phishing site, they can also redirect to a real-looking item view page that takes you to a login screen when you click the bid button or 'My eBay'.... >>

    That had already been done long ago. I have seen it before.
    Coin Collector, Chicken Owner, Licensed Tax Preparer & Insurance Broker/Agent.
    San Diego, CA
  • LALASD4 Posts: 3,602 ✭✭✭
    << << I saw it under seller id jetta6799 but that appears to have been cleaned up.

    I am a bit concerned over this since how in the world did they get a re-direct on the main EBay search results pages??? >>

    Yes, that was the account. The redirect was not from the search results page. Any of the porn lots did redirect. It was accomplished through an embed src tag to a tinyurl redirect in the eBay description section. >>

    The redirected-to site could also be a victim, who knows.
    Coin Collector, Chicken Owner, Licensed Tax Preparer & Insurance Broker/Agent.
    San Diego, CA
  • Coxe Posts: 11,139
    Oh, there are a number of obfuscation tricks in the address bar. Many have been closed by security updates to IE, for those who use that browser. A very easy one that many will fall for though is something like http://www.ebay.com.badd.com/login.asp or similar. Once you have your own domain, badd.com in this case, there's nothing to prevent you from naming subdomains and hosts as you please under it. This could be a perfectly valid DNS entry that, at a glance, appears to be going to ebay.com. Throw in some hex equivalents (like %2E for dot) and it further looks valid unless you look closely.

    The other thing is that people often have the status bar at the bottom and rely on it. Can that ever be made to say whatever you want it to say in IE.
    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
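Coxe's two address-bar tricks (decoy labels to the left of the real domain, and %2E standing in for a dot) reduce to one rule for a reader of the address bar: what matters is the registrable domain of the host the browser will actually connect to, after any encoding is undone. The helper below is an added example, not from this forum or from eBay, and it goes slightly beyond the post by also catching the user-info form of the same decoy (a brand name before an @ sign). It decodes percent-escapes only in the authority part of the URL, strips any userinfo and port, and compares the last two labels of the host against the expected domain. The function names, the badd.com sample URLs, and the two-label simplification (no public-suffix list, so co.uk-style suffixes are not handled) are assumptions of the example.

```python
from urllib.parse import unquote, urlsplit


def split_host(url):
    """Return (hostname, decoded_authority) the way a browser would see them.
    Percent-escapes are decoded only in the authority part, so an encoded
    '.' (%2E) or '@' (%40) cannot hide the real host from the check."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url          # bare host as typed into an address bar
    netloc = unquote(urlsplit(url).netloc)
    # A decoded '/', '?', '#' or '\' inside the authority means the host would
    # not survive in a real browser; refuse rather than guess.
    if any(c in netloc for c in "/?#\\"):
        return "", netloc.lower()
    host = urlsplit("//" + netloc).hostname or ""   # drops userinfo@ and :port
    return host.lower(), netloc.lower()


def registrable_domain(host):
    """Last two labels of the host: www.ebay.com.badd.com -> badd.com.
    Simplification (assumed for the example): no public-suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, expected="ebay.com"):
    """Verdict tuple (status, real_host) for one address-bar URL."""
    host, netloc = split_host(url)
    if not host:
        return ("invalid", host)
    if registrable_domain(host) == expected:
        return ("ok", host)
    # Brand string present, but only as a decoy label or as userinfo
    # to the left of the domain the browser really resolves.
    if expected in netloc:
        return ("lookalike", host)
    return ("other", host)


# Constructed sample inputs modelled on the tricks named in the post above.
SAMPLES = [
    "http://www.ebay.com/",
    "http://www.ebay.com.badd.com/login.asp",
    "http://www%2Eebay%2Ecom.badd.com/login.asp",
    "http://www.ebay.com@badd.com/login.asp",
    "http://badd.com/ebay.com/login.asp",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_url(u), "<-", u)
```

Only the first sample comes back "ok"; the next three are "lookalike" even though each contains the literal text ebay.com, and the last is plain "other" because the brand appears only in the path. Decoding the authority before parsing is the step that matters: a check run on the raw string would see "www%2Eebay%2Ecom" as a single odd label and might not recognise the decoy at all.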
  • Coxe Posts: 11,139
    << << << I saw it under seller id jetta6799 but that appears to have been cleaned up.

    I am a bit concerned over this since how in the world did they get a re-direct on the main EBay search results pages??? >>

    Yes, that was the account. The redirect was not from the search results page. Any of the porn lots did redirect. It was accomplished through an embed src tag to a tinyurl redirect in the eBay description section. >>

    The redirected-to site could also be a victim, who knows. >>

    Yes, that is possible, since it was a new domain and a fresh install of a known vulnerable Apache server version.
    Select Rarities -- DMPLs and VAMs
    NSDR - Life Member
    SSDC - Life Member
    ANA - Pay As I Go Member
  • 19Lyds Posts: 26,492 ✭✭✭✭
    << I've seen this before. I just wish the pictures were bigger. ;-) >>

    You are sooooo BAD!
    I decided to change calling the bathroom the John and renamed it the Jim. I feel so much better saying I went to the Jim this morning.



    The name is LEE!
