Beware fake login pages on ebaY! You will NOT becovered by ebay buyer protection. You will be phished.

I just ran across this, which I haven’t seen for a while. Variation on a theme. This time the hackers are using a fake “Buy it Now” button and a tricky contact the seller link. Either will lead you to the obviously fake phishing page which looks identical to an ebay login screen, save the url, page info etc.

(click thumbnails for larger view in new tab or window)

I’m editing to add that my browser in the latest incarnation of firefox. My urlbar background is set for color #D7E5E5, a light blue. On secure pages it changes to a light yellow or gold. (unlike this fake page) Firefox saw fit to do away with favicons, so that’s the default for all sites. On an actual ebaY login screen you should a green outlined area with a green padlock. Clicking that calls up the page info. Learn more about the padlock and the Firefox Site Identity Button.

The victim here is europiece20-uk who shows registered in the United Kingdom, yet the listings show location to be San Jose, California, a widely believed haven for fraudsters.


The composite image shows a few of the peculiarities of  a sample bogus listing highlighted in red along with element/image properties. You can see the 2 images (one for “Buy it Now”, one for the terms etc) are sourced from 2 different places and the fake login is on a third as shown above.

The BiN button and the contact link were both javascript btw.

Another thing worth mentioning is the time remaining. Six days, 23 hours+ remaining.  This again demonstrates the hackers can get right by whatever filters may exist, while legit sellers wait for hours, even days before their items are visible. In fact, the gallery or thumbnail images may not have even had time to propagate yet from the looks of things?

Update: 04-13-2012


Last night I saw a new twist: A contact the seller form with spaces for victims to enter their phone numbers. The layout of the hacked listings was similar, but without javascripting, just plain html links. (not that that’s really important). The ask seller a question link redirected from the to this form at, a secure page btw. I’m not sure if I missed that the first time around or if the hackers changed things. You can see the victim-seller name on one of the tabs. Looks like they removed the fraud listings already. One other noteworthy thing, the gallery images and image at the listings top were placeholders just like you see above, however the listings were many hours old, so it looks like auctiva may be blocking that? The embedded images were sourced from I believe

I sure would stay clear of ebay. There’s been a sharp increase in these hacking or hijacking events and ebay is letting the fake listings remain in place, while deleting any warnings to their beloved community.

So I’m not sure what’s going in San Jose or ebaY these days? Maybe there’s something in the water? Bobbing corpses, industrial waste, radiation poisoning, bath salts? Who knows, but since truth is stranger than fiction there…