Bargain sought – getting computer virus
Geändert am 31.05.2010
Just had been looking for an extra bargain on eBay, and suddenly your computer is infected by a virus. This recently happened to hundreds of people on eBay.
It is well known for several years that there is a risk with allowing active contents to be included in eBay item descriptions. eBay always declined and stated that this issue is of »no particular importance«.
A recent case shows that this vulnerability is actively exploited and used to install malicious software on victims' computers. Two too good to be true bargain offers of 400 iPads and PlayStations found a lot of interest on May 25, 2010. Apparently, the seller was a trustworthy eBay power seller with 32000 feedback ratings and the status of a »Top rated seller«. Both offers were sold out within a few hours.
Clipping of the selling list with the fraudulent offers. Please click on the picture for the complete view. More than 400 items were sold in two offers.
What viewers and buyers of the auctions didn’t know: the account of the power seller had been hijacked and fraudsters had submitted the listings. They were a steal indeed.
A small excerpt of the JavaScript included in the auction. It had been
obfuscated in order to hide its real function.
Included in the item descriptions was a JavaScript program, which was executed upon viewing the listing, appending a hidden area to it. The script would load special prepared HTML code from a server in Latvia into this »iframe« which itself would load and execute a special Java applet. This Java applet exploited a well known vulnerability to install malicious software on the victim’s computer without noticing. Similar attacks have been known since February 2010, the »Heise online« news service reported attacks on the German news sites »zeit.de« and »handelsblatt.de«.
Infected with the virus were computers of eBay members with Java 6 in a version prior to update 17 (Java 5: prior update 22) enabled in the Internet browser. In addition JavaScript had to be enabled, but this is anyway a requirement to use main functionalities of the eBay platform. Anti-virus software with the current virus patterns weren’t able to protect most of the victims; at the time of the attack only 6 out of 41 virus scanners flagged up the utilized software as malicious.
Apart from installing a »Keylogger«, a program to log key strokes like eBay or PayPal passwords, the malware downloaded and installed extra backdoor software that had the ability to install additional Trojans or components. Even if victims had been able to clean their systems with an anti-virus scanner, they have to assume that their computer is still under control of criminals and that all sensible information has been monitored. The only remedy after such an attack is restoring the most recent backup made prior to the attack or a completely re-install of the system. All the passwords used and/or stored have to be changed as well.
The prices of the fraudulent offers were unbeatable, so several bargain sites on the Internet linked to the auction pages. Apart from the 400 buyers, it is estimated that thousands of other visitors had viewed the infective auction description, even after the 400 iPads and PlayStations were long „sold“. It is not known at this moment how many victims were affected by this attack. Most of them have no knowledge at all that their computers has been infected with malware by just looking at an eBay auction description. eBay has not commented yet whether it is possible to identify affected users in the system log files.
No Danger?
The danger of such a manipulation using JavaScript in the article description is well known for years, »falle-internet.de« reported on this problem previously. In a comment (translated) made by eBay on the »fraudulent use of malicious software in auction descriptions« on 12 March 2008 it is stated that »the use of malicious software did not and currently has no practical relevance to eBay’s trading platform. Nevertheless, since the September 2005 eBay requires certain preconditions to be met when using technologies such as JavaScript or Flash. Only sellers that are members of the power seller program, are verified eBay or verified PayPal members or had been with eBay for more than 500 days and have more than 500 feedback ratings are allowed to use technologies such as JavaScript on the German eBay trading platform. It is „nearly impossible“ that these members „would use the eBay market place in such a fraudulent way“«.
In an answer by »falle-internet.de« at that time, the issue was raised: »Each day account data with such a profile fall into the hands of criminals«. In May 2010, »falle-internet.de« identified around 300 accounts hijacked by criminals and reported them to eBay. More than half of them met the necessary requirements for the use of active contents. But the accounts reported by »falle-internet.de« are only a small number compared to the number of hijacked accounts worldwide. Online criminals have control over thousands of compromised eBay accounts at any given time and can use these to spread their malicious software.
eBay: No Response – No resources?
In this specific case, a timely response from eBay would have prevented further damage. The affected seller informed eBay by telephone immediately that he had no longer access to his account. Even using the »live-chat« facilities didn’t speed up the process. Other eBay members did also recognize the danger and reported to eBay. But despite all that, the listings remained online for nearly a day and each viewer suffered from an infection attempt. Only after the incident was described at eBay's German Trust and Safety board, eBay took action and removed the fraudulent auctions.
A timely response is important, especially when dealing with hijacked member accounts:
- Bargain hunters pay immediately after a the assumed buy.
- Malicious software is distributed with every view.
- Hijacked member accounts are used as multiplier(s) in targeted phishing attacks over the eBay mail system.
Why eBay didn’t recognize the danger of these manipulated article descriptions and why they took no immediate action after receiving reports from different members is not known at the moment. But in early 2010, eBay Germany gave notice to 400 of their 630 employees in Dreilinden, even the security department suffered from the cuts. The department for investigating hijacked membership accounts was closed completely. eBay does not want to confirm or deny that the latest incidents are related to these cuts when questioned by »falle-internet.de«.
falle-internet.de recommends:
Always use the latest software updates as soon as they are available. The latest incidents show that even current anti-virus solutions only offer a limited protection against certain malicious software.
As long as eBay does not block active contents like JavaScript or Flash or limits the usage to eBay approved contents, there is no effective protection against such attacks hidden in auction descriptions.
Wherever possible, a script-blocker (like No-script for the Firefox browser) should be used and only selected scripts necessary for the eBay site should be allowed. In contrast to completely disabling JavaScript in the browser eBay stays usable that way – albeit with limitations.