Online scammers use CSS attack to deceive eBay consumers

March 9, 2009 - 3:34am | Fraud | News |
As reported by Reuters, Internet scammers were exploiting unpatched vulnerabilities in the Firefox and Internet Explorer browsers to deliver counterfeit pages in order to lure online consumers to bid on fraudulent listings.

The attackers used an XSS, or cross-site scripting, attack to inject forbidden JavaScript elements stored on third-party websites. As a result, outside email links and other unauthorized code appeared on eBay pages while still evading toolbars designed to detect fraudulent listings. Apart from adding links that prompted customers to email the seller at an aol.com address, the scam also changed the item number each time the page was loaded. Because eBay uses unique item numbers to enable reporting of fraudulent listings, the changing numbers of the fake listings made it difficult for eBay's specialists to remove the problem.

The attacks targeted Firefox by exploiting the way the browser implements what's known as XBL, or XML binding language. By invoking a rogue CSS, or cascading style sheet, hosted on a third-party site, the Mozilla browser was tricked into running forbidden code that injected fraudulent content into the listings.

eBay spokeswoman Nichola Sharpe stated: "This is not a new security threat, our online security experts are already aware of this and have identified it as a known bug in Firefox. eBay utilizes sophisticated security technologies to protect our customers against attacks such as this. We continually update our security to deal with emerging threats - and have done so with this threat."

Interestingly, it took eBay over 24 hours to remove one fraudulent listing after it was reported.

"eBay has to take some responsibility for sure," notes Cefn Hoile, a browser security expert. "They chose to serve this content which incorporated the third party stylesheet."




