Beware fake login pages on ebaY! You will NOT be covered by ebay buyer protection. You will be phished.

I just ran across this, which I haven’t seen for a while. Variation on a theme. This time the hackers are using a fake “Buy it Now” button and a tricky “contact the seller” link. Either will lead you to the obviously fake phishing page, which looks identical to an ebay login screen, save the URL, page info etc.


I’m editing to add that my browser is the latest incarnation of Firefox. My urlbar background is set to color #D7E5E5, a light blue. On secure pages it changes to a light yellow or gold (unlike this fake page). Firefox saw fit to do away with favicons, so that’s the default for all sites. On an actual ebaY login screen you should see a green outlined area with a green padlock. Clicking that calls up the page info. Learn more about the padlock and the Firefox Site Identity Button.

The victim here is europiece20-uk, who shows as registered in the United Kingdom, yet the listings show the location to be San Jose, California, a widely believed haven for fraudsters.

[Image: hacked_Krell_Model_402_Evolution_Stereo_Amplifier_eBay_20130410_640ec2]

The composite image shows a few of the peculiarities of a sample bogus listing highlighted in red along with element/image properties. You can see the 2 images (one for “Buy it Now”, one for the terms etc) are sourced from 2 different places and the fake login is on a third as shown above.

The BiN button and the contact link were both JavaScript, btw.
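The traits described above (button images hosted off eBay, scripted links, and a login page on yet another host) can be checked mechanically in a listing's description HTML. This is an added example, not code from the original post; the allowlist of eBay hosts and the `.example` sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts treated as genuine eBay; adjust for your region.
TRUSTED = ("ebay.com", "ebay.co.uk", "ebayimg.com", "ebaystatic.com")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class ListingAudit(HTMLParser):
    """Collects (kind, detail) findings for off-site or scripted elements."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.link = None  # href of the <a> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.link = (a.get("href") or "").strip()
            host = host_of(self.link)
            if self.link.lower().startswith("javascript:") or "onclick" in a:
                self.findings.append(("scripted-link", self.link or a.get("onclick")))
            elif host and not is_trusted(host):
                self.findings.append(("offsite-link", host))
        elif tag == "img":
            host = host_of(a.get("src") or "")
            if host and not is_trusted(host):
                # An image wrapped in a link is acting as a button.
                kind = "offsite-button-image" if self.link is not None else "offsite-image"
                self.findings.append((kind, host))

    def handle_endtag(self, tag):
        if tag == "a":
            self.link = None

def audit(html):
    parser = ListingAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; every host below is a placeholder.
SAMPLE = """<div>
<a href="javascript:window.location='http://login-page.example/signin'">
<img src="http://image-host-one.example/bin.gif" alt="Buy It Now"></a>
<img src="http://image-host-two.example/terms.jpg">
<a href="http://www.ebay.com/itm/0">other items</a>
<a href="http://contact-form.example/ask">Ask seller a question</a></div>"""
```

Calling `audit(SAMPLE)` returns one finding per suspicious element in document order; a genuine listing whose links and images stay on the allowlisted hosts returns an empty list.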

Another thing worth mentioning is the time remaining. Six days, 23 hours+ remaining. This again demonstrates the hackers can get right by whatever filters may exist, while legit sellers wait for hours, even days before their items are visible. In fact, the gallery or thumbnail images may not have even had time to propagate yet from the looks of things?

Update: 04-13-2012

[Image: ask_seller_a_question_myad_wufoo_com]

Last night I saw a new twist: a “contact the seller” form with spaces for victims to enter their phone numbers. The layout of the hacked listings was similar, but without JavaScript, just plain HTML links (not that that’s really important). The “ask seller a question” link redirected from the totastyle.com to this form at myad.wufoo.com, a secure page btw. I’m not sure if I missed that the first time around or if the hackers changed things. You can see the victim-seller name on one of the tabs. Looks like they removed the fraud listings already. One other noteworthy thing: the gallery images and the image at the listing’s top were placeholders just like you see above, however the listings were many hours old, so it looks like auctiva may be blocking that? The embedded images were sourced from buyersprotection.us, I believe.

I sure would stay clear of ebay. There’s been a sharp increase in these hacking or hijacking events and ebay is letting the fake listings remain in place, while deleting any warnings to their beloved community.

So I’m not sure what’s going on in San Jose or ebaY these days? Maybe there’s something in the water? Bobbing corpses, industrial waste, radiation poisoning, bath salts? Who knows, but since truth is stranger than fiction there…