The Breitling Watch Source Forums

Hi all,

I discovered an interesting Ebay fraud today. Check out auction number 220952042307 for a Rolex Deepsea. When the auction loads, the website loads again after about one second and displays a faked Ebay page. Firstly, the Ebay ID of the seller changes from 'ncw-s' to 'now-s', the script also adds a fake 'Buy it now' button (in German 'Sofort Kaufen') and it also removes some stuff from the page. Some of the links have been manipulated, too (try clicking on the seller's name or sales credits). When clicking on the 'Sofort Kaufen' button, it opens a new pop-up asking for contact details as the seller needs to approve bidders (how stupid is that suggestion?).

The script is started by an embedded code in the article description area, it refers to an external website (http://dayvan.org/de/rolex/grupfpzzoq4w ... 0631725043), the code is even documented. I only have limited programming knowledge, but thanks to the documentation I would probably be able to adjust the script to anothe auction.

I have never seen anything like this before, this opens a whole new world of possibilities for fraudsters - when you think you are on Ebay you might actually be somewhere else. Imagine the possibilities to defraud innocent shoppers: if I were the fraudster I wouldn't ask shoppers to register their email for a bid-approval but would try to get my hands on their paypal passwords.

I have notified Ebay through the online chat, but the customer rep wasn't too impressed and thought their specialists would look at the auction within the next 24 to 48 hours. Great. I have also contacted the account owner (who I think is not involved, probably victim of phishing) and he has stopped the auction. So what you see now is the stopped auction, but the script is still active.

Scary, isn't it?

Raffe

Wow very interesting. Scary indeed. Nice find. Can never be too cautios about sellers on the bay

This is why I have only bought once from E-bay.
Too scary...Too many crooks on there IMO

_________________
"In the end there can be but one"

Totally with you on this one.

Never use it for important amounts.

_________________


- This is Ghost Rider requesting a fly-by. - Negative Ghost Rider. The pattern is full.

Listing has gone now.

It's frightening how casual the reaction of eBay was.

_________________

For more information on identifying Breitling replicas, please visit my web site
http://f4buz.com/watches/breitling/fakes/fakes.html

I spoke to an Internet security expert over the weekend. They have alerted Ebay to a similar security loophole already in 2008 and as of today it is still unresolved. See the details here: http://www.falle-internet.de/de/html/pr_exme_engl.php

What did you expect Sharkie? Resolving a serious issue like this takes time. And, of course, money.


Sent from my Galaxy SII using Tapatalk

_________________


- This is Ghost Rider requesting a fly-by. - Negative Ghost Rider. The pattern is full.

I can't try it, since it's gone now, but I'm curious if it would have worked with Firefox and NoScript, which I use, to prevent just this sort of thing.

I tried with several browsers, and they all fell for it. NoScript did work to block it, just as ScriptNot for Chrome, but then you are lacking a lot of functionality on Ebay (e.g. the photo viewer, which runs on Java).

But with NoScript you can selectively enable by domain. Wouldn't that take care of it?

Sure. I have been using it now for two days with Ebay set to "no scripts". However, I cannot browse through photos anymore unless the seller has them in the item description (via photobucket or similar). The small Ebay gallery doesn't work anymore. I am also not able to bookmark items for my watchlist as that button is Java, too. Haven't tried to bid on an item, but wouldn't be surprised if that required Java as well.

So I don't think its a great alternative to just disable scripts. We just need to be VERY careful...

+1

_________________


- This is Ghost Rider requesting a fly-by. - Negative Ghost Rider. The pattern is full.

I believe the domains I enabled were ebay.com, ebaystatic.com and ebayrtm.com, and I use the photos normally, both with and without the window for enlarged pictures, and add items to my watch list often. Other domains should be blocked.

Sure. But the script was on Ebay's server, so it would execute neatly with your configuration...

Thanks. That's what I wanted to know.