08-30-2018 08:52 AM - edited 08-30-2018 08:54 AM
I accidentally searched Google for ebay.com rather than entering it into my address bar. The very first link that I get is an ad showing ebay.com. It takes me to a phishing site. I could not find an easy way to report this. NOTHING on the eBay Security page covers Google phishing links.
Hover the mouse over the link in Firefox and the following is shown at the bottom of the window:
https : // www ebay com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707
DO NOT GO THERE
I clicked on that and was taken to a Microsoft look-alike site reporting a security issue and asking for me to sign in. I'm guessing they're phishing for usernames and passwords. This is a site that has a pop-up window that won't let you close the tab. CTRL-ALT-DELETE and I ended the Firefox application.
If I right-click over the Google result and copy link location, I get this: (AGAIN, DON'T GO THERE)
https :// www google com/aclk?sa=L&ai=DChcSEwiM697lj5XdAhUBHWkKHRTvDJQYABAAGgJpcQ&sig=AOD64_0VKsHN0Brb_Aj9EW8fL_XCrLHsAw&q=&ved=2ahUKEwj3mdrlj5XdAhVEQ6wKHcFFDpcQ0Qx6BAgCEAI&adurl
EDITED MESSAGE TO REMOVE ACTUAL LINKING TO THOSE LINKS
Not that I'm watching, but just what do you think you're doing?
08-30-2018 05:54 PM
Most of the time the very first result will be an ad. They usually say AD before the URL link, and it is not new. You had already typed ebay; how much time were you trying to save by avoiding typing 4 characters, .com?
08-31-2018 02:52 AM
Unless I'm missing something here, I don't see any phishing site. I traced out the link you posted (using sandboxed and armored browsers).
If there were actually a malicious site involved here, it is a google problem, not an eBay problem, and is not an eBay technical issue. You could probably go ahead and report the URL to eBay via email to spoof@ebay.com though.
Visiting your google URL in a locked down (and stupid) Firefox 2.0 browser results in the following dump from a stream capture using HttpFox:
00:00:02.828 0.297 711 280 GET 302 Redirect to:
http://clickserve.dartsearch.net/link/click?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-
Accessories/43962/bn_562707&ds_url_v=2&ds_dest_url=https://ebaykhaut.azurewebsites.net&ref=30
&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
https://www.google.com/aclk?sa=L&ai=DChcSEwiM697lj5XdAhUBHWkKHRTvDJQYABAAGgJpcQ&sig=AOD64_
0VKsHN0Brb_Aj9EW8fL_XCrLHsAw&q=&ved=2ahUKEwj3mdrlj5XdAhVEQ6wKHcFFDpcQ0Qx6BAgCEAI&adurl
00:00:03.125 0.172 649 682 GET 301 Redirect to:
https://clickserve.dartsearch.net/link/click?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-
Accessories/43962/bn_562707&ds_url_v=2&ds_dest_url=https://ebaykhaut.azurewebsites.net&ref=30
&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
http://clickserve.dartsearch.net/link/click?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-
Accessories/43962/bn_562707&ds_url_v=2&ds_dest_url=https://ebaykhaut.azurewebsites.net&ref=30
&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
00:00:03.297 0.469 644 371 GET 302 Redirect to:
https://ebaykhaut.azurewebsites.net?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessor
ies/43962/bn_562707&ref=30&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
https://clickserve.dartsearch.net/link/click?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-
Accessories/43962/bn_562707&ds_url_v=2&ds_dest_url=https://ebaykhaut.azurewebsites.net&ref=30
&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
00:00:03.766 0.484 532 0 GET (Error) NS_ERROR_NET_INTERRUPT
https://ebaykhaut.azurewebsites.net/?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessor
ies/43962/bn_562707&ref=30&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
That last entry is a load fail in the browser due to SSL considerations. Apparently azurewebsites.net (which is Microsoft cloud hosting) requires TLS 1.1 minimum security protocol that Firefox 2.0 can't do.
https://en.wikipedia.org/wiki/Microsoft_Azure_Web_Sites
Not a problem. Just need to transplant the final URL
https://ebaykhaut.azurewebsites.net?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/
43962/bn_562707&ref=30&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
into Firefox 31 and see what happens...
00:00:21.094 2.787 454 191 GET 302 Redirect to:
https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707
https://ebaykhaut.azurewebsites.net/?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessor
ies/43962/bn_562707&ref=30&loc=4327&gclid=EAIaIQobChMI3s20-OWm2wIVktdkCh2ZiwgoEAAYASAAEgJfbvD_BwE
00:00:23.898 0.398 2018 302 GET 200 text/html
https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707
00:00:24.355 0.057 240 (7934) GET (Cache) text/css
https://ir.ebaystatic.com/rs/c/inception-6129da.css
00:00:24.359 0.150 253 (65138) GET (Cache) text/css
https://ir.ebaystatic.com/rs/c/browse-page-desktop-pr-82dd23.css
00:00:24.528 0.281 335 (10737) GET 304 text/css
https://ir.ebaystatic.com/rs/v/vbfgz414rqz5lnmzcfypj25lbyd.css?proc=DU:N
00:00:24.531 0.069 294 (3164) GET (Cache) image/png
https://ir.ebaystatic.com/cr/v/c1/67892_082518_GG_SM_RW34_Football_Doodle_150x30_Final.png
00:00:24.556 0.139 247 (64) GET (Cache) image/gif
https://ir.ebaystatic.com/cr/v/c1/s_1x2.gif
00:00:24.560 0.170 224 (41375) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/rs/c/inception-7d2624.js
00:00:24.565 1.162 261 198384 GET 200 application/x-javascript
https://ir.ebaystatic.com/rs/c/browse-page-desktop-pr-b0d5dc.js
00:00:24.569 0.190 235 (34033) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/rs/v/qcj0qozmfm0cdcdzkrx0lvuhsyg.js
00:00:24.573 0.189 254 (1917) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/rs/c/makeebayfasterscript-src-scripts-body-78a2168a.js
00:00:24.578 0.188 235 (3255) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/rs/v/10341xh50yz21mhhydueu4m5wad.js
00:00:24.581 0.206 235 (7695) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/rs/v/it02syay0qyozhdaszhv1jl4yyd.js
00:00:25.926 0.070 235 (10067) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/cr/v/c1/ScandalCommon-1.1.60.min.js
00:00:25.956 0.046 247 (4458) GET (Cache) application/x-javascript
https://ir.ebaystatic.com/cr/v/c1/globalheader_widget_platform-bedab06.js
00:00:26.041 0.338 2233 16914 GET 200 application/json
https://www.ebay.com/gh/useracquisition?correlation=gci%3D7...[REDACTED]....
It loads the eBay search/browse page in your first posted link
https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707
which is just an eBay category search/browse page.
The 2nd through 4th lines in the codebox above show that - everything after that is just normal eBay search page elements (html, scripts, css, images)
clickserve.dartsearch.net from the first sequence is a Google owned and controlled adclick tracking domain
https://support.google.com/searchads/answer/4490647?hl=en
ebaykhaut.azurewebsites.net don't know who controls it. Presumably whoever is running the ad campaign on google. Could be eBay or could be malicious actors. Maybe there is something there but it doesn't trigger for Firefox 31.
Interestingly
https://ebaykhaut.azurewebsites.net
with all the parameters stripped off produces exactly the same result and redirects to the same eBay page, which tells me it is hardcoded for that destination and the string of parameters is probably just campaign tracking.
I loaded up the full ebaykhaut.azurewebsites.net link with all the parameters (same as would occur in normal redirection sequence coming from google) in Firefox 52 (sandboxed but no scripting or other restrictions) and nothing happened there either except that the eBay page loaded.
So not sure what you saw or what happened. As I mentioned above, if something is/was really there, maybe it is fairly sophisticated and targeting only newer/newest browser version (based on User agent sniffing on first load), but that's really about all it could be doing. No scripts (or actually anything) load from the ebaykhaut.azurewebsites.net final link - all it does is a 302 redirect to eBay directly.
I did run into one of those unclosable Microsoft security alert pages, going full screen any time anything was clicked with a defcon-4 female alarm and voice repeatedly warning, and a call Microsoft at 1-800-555.... popup in Firefox 52 the other day on a streaming video site.
I normally (first time this year?) never see any of that garbage in my older Firefox browsers that have "armor" installed, but couldn't get the site to function in FF3.6.24 or FF 31 so went to FF52. I didn't tear into the site's scripting to see exactly what it did (suspect a simple onclick event with popups), but did run the FF webdeveloper profiler while it was happening, and saw what it was loading and trying to load continuously, and shut it down.
Couple of hints. When it happens, you can hit Ctrl-W in Firefox to close the tab - that key sequence doesn't trigger the never ending popup sequence. You can also use the browser network profiler to see what external site is loading, and add that site to the Windows HOSTS file which will stop the (annoying/malicious?) site from continuously reloading and regain some browser control/CPU cycles (there appears to be no way I'm aware of to shut down an individual script that may be running the whole mess when it happens - only way is to kill the tab the script resides in)
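The redirect chain traced in the post above can also be checked mechanically. The following is an added example, not part of the thread or any poster's code: it walks the captured hops and flags any host that contains the brand name without belonging to the brand's domain, plus any URL-valued query parameter that points off-brand. `BRAND`, `BRAND_DOMAIN` and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hops abbreviated from the HttpFox capture in the post above (tracking
# parameters trimmed; the aclk hop is omitted because its adurl is cut off).
HOPS = [
    "http://clickserve.dartsearch.net/link/click"
    "?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707"
    "&ds_url_v=2&ds_dest_url=https://ebaykhaut.azurewebsites.net&ref=30",
    "https://ebaykhaut.azurewebsites.net"
    "?url=https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707&ref=30",
    "https://www.ebay.com/b/ATV-Side-by-Side-UTV-Parts-Accessories/43962/bn_562707",
]

BRAND = "ebay"              # assumption: brand name shown in the ad
BRAND_DOMAIN = "ebay.com"   # assumption: the domain that brand is served from

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_brand_host(host):
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def embedded_urls(url):
    """Return {param: value} for query parameters whose value is itself a URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items()
            if v[0].startswith(("http://", "https://"))}

def audit(hops):
    """Return (hop index, finding, host) tuples for hops that need review."""
    findings = []
    for i, hop in enumerate(hops):
        host = host_of(hop)
        # Brand string inside a host that is not under the brand's domain.
        if BRAND in host and not is_brand_host(host):
            findings.append((i, "lookalike-host", host))
        # Redirect targets carried in parameters such as url / ds_dest_url.
        for param, target in embedded_urls(hop).items():
            target_host = host_of(target)
            if not is_brand_host(target_host):
                findings.append((i, "offbrand-target:" + param, target_host))
    return findings

if __name__ == "__main__":
    for finding in audit(HOPS):
        print(finding)
```

A finding marks a hop for review rather than proving malice: in the tests described in the post, the flagged host only returned a 302 to the eBay page.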