Gone phishing with eBay

Why is there a naked woman in that Bentley?


There I was, on Monday night, scanning eBay for car bits. This is not a problem. I have this under complete control. I can give up buying worn out parts and rusty bits of bodywork at any time. Really.

Anyway, I spotted a real bargain, a 2007 Bentley Continental for 0.01 GBP. Since these usually retail for something in the region of £135,000 I felt that this represented a considerable saving.

Unusually for the vendor of such a prestigious vehicle, the listor had decided to post an image of a young lady in place of the car itself. I reasoned that perhaps this was his daughter and the picture was meant to show that his family also loved the car.

Screenshot showing the Bentley advert.

True, my theory didn’t entirely explain why she was naked to the waist but I clicked on the link anyway, hoping to acquire a bargain.

Several screens flashed before my eyes (unnervingly like my life going past) and then good old IE7 told me that I was about to be phished. It was quite correct, I was very phished (or, as we say in the UK, phished off). How come I could be browsing eBay one moment and phished the next?

Screenshot showing the phishing alert.

The URL is:

http://ww.eb4y.cgl-bin.confirm-verify.534413cfg5.valid.i8.com/main.html?

SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&Using

SSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&c

onfirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=&SignIn&co

_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&

pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&e

bxPageType=&existingEmail=&isCheckout=&migrateVisitor=

My journalistic instincts were, inevitably, hooked and I decided to investigate but first, I reported the incident to eBay to try to ensure that other poor fish were not landed in the same way. The time was 21:54.

The first step was to try to isolate the problem – was it my machine or eBay? I emailed one of my long suffering Reg. Developer editors (David Norfolk) who, despite the time, obligingly tried the same listing and got the same result. So, it could be malicious code on the PC but both David and I would have to be infected in the same way; possible, but unlikely.

By repeatedly pressing PrtScr I managed to obtain a screen shot of the listing itself as it flashed past.

Screenshot showing the listing itself.

For those without a microscope, the bottom of the screen reads as:

Screenshot showing detail from Figure 3.

We’ve blanked the identity of the ‘seller’ because it is highly likely that he/she is innocent and the account was hijacked (see the response from eBay below).

Question - How do you hijack an eBay account in order to go phishing?

Answer - By phishing.

(Dictionary definition of recursion - see recursion.)

A little more investigation showed that the listings weren’t just aimed at potential Bentley owners.

Screenshot showing more dud adverts.

At about 00:15 Tuesday morning the listings finally disappeared.

Naturally, we were keen to find out what had happened: we had some evidence, including the source code of the original page, so we contacted eBay. The company’s response was interesting. We first contacted it on Tuesday and, despite repeated requests, found it very difficult to get any hard information.

Eventually, on Friday afternoon, as we were going to press, we received the following:

“In this particular case, a genuine user's eBay account was taken over by fraudsters who attempted to use it to post fraudulent listings. eBay’s systems identified the fraudulent listing and eBay’s customer support team moved quickly to remove it from the site and restore the account to its rightful owner. eBay takes any threat to the security of its users extremely seriously and we also work closely with ISPs and law enforcement to bring down the spoof websites we identify."

It would appear that this statement corroborates what we observed; nevertheless it is worth examining the statement in detail.

For a start, whilst it is true to say “fraudsters who attempted ….. to post fraudulent listing”; more information is conveyed by the equally true statement “fraudsters who succeeded …. in posting fraudulent listings”.

Secondly, there is no information here about the eBay systems that identified the fraudulent listing. Is it simply the feedback from users or are there also algorithmic systems that prowl the system looking for naughtiness?

Let’s assume for a minute that eBay does have effective internal systems for detecting fraudulent listings. In that case it would be far, far better for the users of eBay if these ran proactively, before the listing was posted. If on the other hand eBay doesn’t have such systems and relies on user feedback to identify fraudulent listings, the implication is that we can expect fraudulent listings to be up for an unknown period of time before removal. As a user of eBay are you happy about this? I’m not.

Thirdly, it took eBay at least two hours to respond to this after it was reported. Do you consider this to be moving “quickly”?

As we were trying to find out exactly what had happened, an apparently related incident was also brewing.

The bottom line is that the evidence we have seen suggests that it may be possible for users to post listings on eBay that redirect off the site.

It ought to go without saying, but we’ll do it anyway. Be careful out there.

Similar topics


Other stories you might like

  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading
  • Watch out for phishing emails that inject spyware trio
    You wait for one infection and then three come along at once

    An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information.

    Researchers with Fortinet's FortiGuard Labs threat intelligence unit have been tracking this mailspam campaign since May, outlining how three remote access trojans (RATs) are fired into the system once the attached file is opened in Excel. From there, the malicious code will not only steal information, but can also remotely control aspects of the PC.

    The first of the three pieces of malware is AveMariaRAT (also known as Warzone RAT), followed by Pandora hVCN RAT and BitRAT.

    Continue reading
  • Ransomware attack sends US county back to 1977
    Also: Uni details its malware-catching AI, signs of China poking the Russian cyber-bear, and more

    In brief Somerset County, New Jersey, was hit by a ransomware attack this week that hobbled its ability to conduct business, and also cut off access to essential data.

    "Services that depend on access to county databases are temporarily unavailable, such as land records, vital statistics, and probate records. Title searches are possible only on paper records dated before 1977," the county said in a statement.

    The attack, which happened on Tuesday, took down email services for county government departments as well as leaving the county clerk's office "unable to provide most services which are reliant on internet access." Somerset County residents were asked to contact government offices via Gmail addresses set up for various departments, or via phone. 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Costa Rican government held up by ransomware … again
    Also US warns of voting machine flaws and Google pays out $100 million to Illinois

    In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.

    Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.

    The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading
  • It's 2022 and there are still malware-laden PDFs in emails exploiting bugs from 2017
    Crafty file names, encrypted malicious code, Office flaws – ah, it's like the Before Times

    HP's cybersecurity folks have uncovered an email campaign that ticks all the boxes: messages with a PDF attached that embeds a Word document that upon opening infects the victim's Windows PC with malware by exploiting a four-year-old code-execution vulnerability in Microsoft Office.

    Booby-trapping a PDF with a malicious Word document goes against the norm of the past 10 years, according to the HP Wolf Security researchers. For a decade, miscreants have preferred Office file formats, such as Word and Excel, to deliver malicious code rather than PDFs, as users are more used to getting and opening .docx and .xlsx files. About 45 percent of malware stopped by HP's threat intelligence team in the first quarter of the year leveraged Office formats.

    "The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures," Patrick Schläpfer, malware analyst at HP, explained in a write-up, adding that in this latest campaign, "the malware arrived in a PDF document – a format attackers less commonly use to infect PCs."

    Continue reading
  • Another ex-eBay exec admits cyberstalking web souk critics
    David Harville is seventh to cop to harassment campaign

    David Harville, eBay's former director of global resiliency, pleaded guilty this week to five felony counts of participating in a plan to harass and intimidate journalists who were critical of the online auction business.

    Harville is the last of seven former eBay employees/contractors charged by the US Justice Department to have admitted participating in a 2019 cyberstalking campaign to silence Ina and David Steiner, who publish the web newsletter and website EcommerceBytes.

    Former eBay employees/contractors Philip Cooke, Brian Gilbert, Stephanie Popp, Veronica Zea, and Stephanie Stockwell previously pleaded guilty. Cooke last July was sentenced to 18 months behind bars. Gilbert, Popp, Zea and Stockwell are currently awaiting sentencing.

    Continue reading

Biting the hand that feeds IT © 1998–2022