Hackers are stealing eBay usernames and passwords by hosting phishing sites on eBay’s very own network.
This domain is typically used to host eBay listings descriptions, which later are displayed on eBay Listings page within iFrames.
The eBay listing used by hackers has since been deleted. However, the listings’ descriptions contained in the phishing content can still be viewed via direct browsing to the relevant URL at vi.vipr.ebaydesc.com.
Therefore, the phishing attack is still active and can potentially steal credentials from eBay users.
The image below shows one of the phishing sites targeting German users:
How does it work?
As soon as a user enters his username/password into the login form, these values get submitted to a PHP script that is being hosted by a Russian server. Once the credentials are hacked, the script redirects the user to a real eBay.de login page.
The page reports that the submitted username and password were invalid.
This error message makes the user suspicious and he checks the browser’s address bar to re-check if he was on the right website. But unfortunately, the hack has already been completed.
The victim is potentially left oblivious to the fact his credentials in eBay has been stolen and sent to Russia.
So be extra careful while typing your financial information on eBay sites.