Scammers are exploiting cross-site scripting vulnerabilities on the website of online auction giant eBay to redirect users to bogus sites that capture their credentials.
The malicious listing, first reported by the BBC, was discovered by Briton Paul Kerr, who noticed that an auction for an Apple iPhone 5s redirected to a bogus site that asked him to enter his eBay credentials.
eBay was notified about the malicious listing and two further auctions, but took over twelve hours to take them down.
Paul Kerr demonstrates the malicious eBay auction he discovered.
At the time, eBay said it would not prevent active content in auctions and that it had technological solutions in place to protect users against malicious code.
eBay has been plagued by a string of security issues over the past 12 months, including a May hack in which attackers accessed a database with customer details, and which led to a joint investigation by three American states into its security practices.
Legal action related to the incident commenced in the United States against eBay in July this year, alleging the company was slow to respond to the security breach and failed to protect private information of customers.
eBay Australia has been contacted for comment.