Phishing: “Phishing” is a form of Internet fraud that aims to steal valuable information such as credit cards, social security numbers, user IDs and passwords. (from New Zealand’s Digital Strategy)

I ran into a phishing scam on eBay today while checking prices on used watches. What makes this attack different is that it begins from the eBay website itself. An authentic entry-level Patek-Philippe wristwatch costs about USD$15,000, so warning bells came up when I saw an auction for a Calatrava at USD$1800. Clicking the link which should have brought up the bidding page instead did a quick redirect to some website on a new domain called ““. Hey? What’s going on?

This was my first encounter with the “eBay Flash-redirect scam” – a phishing attack that begins from a legitimate eBay auction. Phishing is a crime whereby the criminal obtains a user’s credentials by mimicking an authentic service. In this example, the criminal uses an authentic eBay auction to lure the bidder to a different web site under the criminal’s control. At the scammer’s web site, the page looks exactly like a real eBay auction page. Anyone bidding on the auction is prompted to login and when they do, their eBay credentials are sent to the fraudster.

eBay Flash-redirect scam: A type of phishing attack whereby a criminal obtains a user’s credentials by redirecting the victim from a legitimate website onto a criminal-controlled website. The redirection is caused by an embedded Flash object placed on a valid auction page.

Here is the scam step by step with a technical discussion.

Step One: Induction from ebay search result page

Inset of the fraudulent auction
In this scam, a quick auction is set up for a high-value item like a $15,000 watch. The auction is posted by one account and a shill bidder opens the auction at some low-ball value, like $1800; both accounts are likely controlled by the same fraudster. In this example, both accounts are new with no completed transactions.

Step Two: Redirection

Auction page should be from
From the search results, a user would click the auction link and load a page from a server named ‘’. This page is faithfully served by ebay.

Inset of the page served by ebay
Ebay allows images to be served from other web sites. If you want to use an image hosting service, you can do it. Ebay also allows Flash objects for things like slideshows and virtual inspections. The problem is that Flash allows designers to redirect the user’s browser and this scammer knows it. Let’s look at the code served by the ebay server.

Source code thumbnail
This little snippet of html source code causes a small Flash object to be embedded into the ebay bidder’s page. This object is served by ““. When executed, the Flash object redirects the user’s browser to a new page hosted by a web site called ‘’. In reality, the redirection happens almost instantaneously; as soon as the Flash object is loaded, it redirects.

Scam auction page inset
This scam auction page is not served by ebay; look at the web site address. On the fraudulent page, the auction magically changes to a ‘Buy it now’ auction at $1800 which is a fantastic price for a real Calatrava. OMFG! Time to close the auction!

Step Three: Stealing your ebay credentials

Phishing login inset
Attempting to place a bid leads to this form which prompts you to give your ebay login and password to the scammers. Unlike the email phishing attacks that many are aware of, this scam begins at the real ebay web site, so it is quite possible that a ebay user might not notice that the domain name has changed and that the pages are no longer coming from ebay. Interestingly, sending your credentials to the scammer results in an error page, which suggests that the scammer is actually verifying the submitted credentials with the ebay service. This gold-plating was unexpected.


What can you do to avoid being ripped off? What can EBay do to stop this kind of fraud?

  • You: Watch the web address bar for changes to your web site
  • You: Inspect the web browser’s SSL certificate before authenticating
  • You: If an offer is too good to be true, it probably is a scam
  • EBay: Host all pictures and objects for auction participants
  • EBay: Make all ebay pages SSL encrypted so a warning is raised on redirect or when serving non-SSL objects

The Flash-redirect scam is a variant of the eBay Phishing Script attack [Cyber Security Alert SA06-117A].