Another eBay scam: Too good to be true.

Filed Under: SophosLabs

Earlier this week SophosLabs was alerted to another potential eBay scam (see article on The Register). A high-performance vehicle, included as a featured listing at a ridiculously low price, had attracted suspicion.

Clicking on the item resulted in a rapid redirect to a remote (non-eBay) site. Looking through the eBay-hosted page identified the cause - an embedded Shockwave file (now detected as Troj/ReDir-A).

The Shockwave file (created with SWF Quicker) performs the redirect with a standard getURL() directive.

The result is that the details page for the listing is loaded from a remote, Russian site.

As you can see, the page is crafted to look just like the official page, except that the embedded forms point to a mailto address, not back to eBay. Phishing for eBay credentials does not appear to be the purpose of this scam - clicking on the 'sign in' link takes you back to the official eBay sign-in page. Clearly the scammers are happy to abuse legitimate eBay sellers, typically those with good reputations. The seller listed in this scam was a power seller, normally associated with jewellery items.

Clicking on the bid or 'buy it now' buttons creates an email to the seller in the default email client, which generates a warning popup from Internet Explorer.

Looking through the root of the Russian site, it would appear this is not the first scam.

Just another demonstration of the dangers embedded Flash content can present (see previous blog about poisoned adverts). This is due to its support for ActionScript, a scripting language based on ECMAScript (i.e. akin to JavaScript). Stricter input validation by eBay would have prevented users from embedding Flash content in description pages.
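
The input validation suggested above, sketched as an added example (not code from the original post or from eBay): an allowlist check over seller-supplied description HTML that rejects embed/object tags and anything else not explicitly permitted. The tag and attribute allowlists, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed allowlists for seller descriptions (illustrative, not eBay's policy).
# Anything not listed is rejected, so <embed>, <object>, <script>, <iframe>
# and <form> never need to be enumerated.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "table", "tr", "td", "th", "img", "a", "div", "span", "hr"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height", "align"}
SAFE_SCHEMES = ("http://", "https://")


class DescriptionValidator(HTMLParser):
    """Collects reasons to reject a user-supplied listing description."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before this call.
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name not in ALLOWED_ATTRS:
                self.findings.append(f"disallowed attribute {name} on <{tag}>")
            elif name in ("href", "src") and not value.startswith(SAFE_SCHEMES):
                self.findings.append(f"unsafe URL scheme in {name} on <{tag}>")


def validate_description(html):
    """Return a list of findings; an empty list means the markup passes."""
    validator = DescriptionValidator()
    validator.feed(html)
    validator.close()
    return validator.findings


# Constructed sample input: a plain description, and one carrying an
# embedded Flash object of the kind the article describes.
SAMPLE_OK = ('<p>Low mileage, <b>one owner</b>.</p>'
             '<img src="https://example.invalid/car.jpg" alt="car">')
SAMPLE_BAD = ('<p>Low mileage, one owner.</p>'
              '<EMBED src="http://example.invalid/movie.swf" '
              'type="application/x-shockwave-flash" width="1" height="1">')

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_description(sample))
```

Rejecting on any finding, rather than trying to strip the offending markup, avoids the parser-differential problems that make blocklist sanitisers easy to bypass.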

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.