Bargain sought – computer virus caught
Last modified: 31.05.2010
You were just looking for an extra bargain on eBay, and suddenly your computer is infected by a virus. This recently happened to hundreds of people on eBay.
It has been well known for several years that allowing active content in eBay item descriptions carries a risk. eBay has always declined to act, stating that the issue is of »no particular importance«.
A recent case shows that this vulnerability is being actively exploited to install malicious software on victims' computers. Two too-good-to-be-true bargain offers of 400 iPads and PlayStations attracted a lot of interest on May 25, 2010. Apparently the seller was a trustworthy eBay power seller with 32000 feedback ratings and the status of a »Top rated seller«. Both offers were sold out within a few hours.
[Image: clipping of the selling list with the fraudulent offers. More than 400 items were sold in two offers.]
What viewers and buyers of the auctions didn't know: the power seller's account had been hijacked and fraudsters had submitted the listings. They were a steal indeed.
in order to hide its real function.
Apart from installing a »keylogger«, a program that logs keystrokes such as eBay or PayPal passwords, the malware downloaded and installed additional backdoor software that was able to install further Trojans or components. Even if victims were able to clean their systems with an anti-virus scanner, they have to assume that their computer is still under the control of criminals and that all sensitive information has been monitored. The only remedy after such an attack is restoring the most recent backup made prior to the attack, or a complete re-install of the system. All passwords used and/or stored on the machine have to be changed as well.
The prices of the fraudulent offers were unbeatable, so several bargain sites on the Internet linked to the auction pages. Apart from the 400 buyers, it is estimated that thousands of other visitors viewed the infected auction description, even long after the 400 iPads and PlayStations were »sold«. It is not known at this moment how many victims were affected by this attack. Most of them have no idea that their computers were infected with malware merely by looking at an eBay auction description. eBay has not yet commented on whether affected users can be identified from the system log files.
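The attack vector described above is seller-supplied HTML in a listing description that carries active content. The following is an added example, not code from eBay or from »falle-internet.de«, of a server-side filter a marketplace could apply to every description before it is stored or rendered: it drops script, frame and plugin tags together with their content, strips inline event handlers, rejects link and image URLs whose scheme is not http(s) (including ones that hide the scheme behind tabs or newlines), and keeps an audit list of what it removed so that a listing can be flagged for review. The tag and attribute allowlists, the function names and the sample listing are assumptions constructed for this example.

```python
"""Strip active content from seller-supplied listing HTML (added example)."""
from html import escape
from html.parser import HTMLParser

# Allowlists are assumptions for this example; a real marketplace would tune them.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "a", "img", "table", "tr", "td", "th", "h1", "h2", "h3",
                "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"},
                 "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}                      # never emit a closing tag for these
DROP_WITH_CONTENT = {"script", "style", "iframe", "frame", "object", "embed",
                     "applet", "noscript"}      # tag AND everything inside it goes
SAFE_SCHEMES = ("http://", "https://")


def _safe_url(value):
    """Accept only absolute http(s) URLs. Whitespace is removed first because
    browsers ignore tabs/newlines inside a scheme, so 'java\\tscript:' would
    otherwise slip past a naive prefix check."""
    if value is None:
        return False
    compact = "".join(value.split()).lower()
    return compact.startswith(SAFE_SCHEMES)


class ActiveContentStripper(HTMLParser):
    """Re-serialises the description keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # cleaned HTML fragments
        self.skip_depth = 0    # >0 while inside a dropped tag such as <script>
        self.removed = []      # audit trail of everything that was stripped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.removed.append(f"tag:{tag}")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"tag:{tag}")   # drop the tag, keep its text
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):            # onclick, onerror, onload, ...
                self.removed.append(f"attr:{tag}.{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.removed.append(f"url:{tag}.{name}")
                continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text


def sanitize_description(html):
    """Return (cleaned_html, list_of_removed_items)."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


def has_active_content(html):
    """True when the filter had to remove anything: such a listing should be
    held for review rather than published, which is the timely response the
    incident above lacked."""
    return bool(sanitize_description(html)[1])


# Constructed sample listing for the example (not the real 2010 description).
SAMPLE_LISTING = (
    '<p onclick="alert(1)">Bargain <b>iPad</b></p>'
    '<script>steal()</script>'
    '<a href="javascript:evil()">link</a>'
    '<a href="https://example.com/x">ok</a>'
    '<iframe src="http://bad.example/"></iframe>'
    '<img src="https://img.example/1.png" onerror="x()">'
)

if __name__ == "__main__":
    clean, removed = sanitize_description(SAMPLE_LISTING)
    print(clean)
    print("removed:", removed)
```

Running the block prints the cleaned description (plain paragraph, the two links with the script-scheme one reduced to a bare anchor, the image without its handler) and the audit list. The audit list, not the cleaned output, is what a trust-and-safety team would want to alert on: a power-seller account that suddenly submits descriptions containing script tags or inline event handlers is a strong hijack signal.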
In its response at the time, »falle-internet.de« raised the issue: »Each day account data with such a profile fall into the hands of criminals«. In May 2010, »falle-internet.de« identified around 300 accounts hijacked by criminals and reported them to eBay. More than half of them met the requirements for the use of active content. But the accounts reported by »falle-internet.de« are only a small fraction of the hijacked accounts worldwide. Online criminals control thousands of compromised eBay accounts at any given time and can use these to spread their malicious software.
eBay: No Response – No resources?
In this specific case, a timely response from eBay would have prevented further damage. The affected seller immediately informed eBay by telephone that he no longer had access to his account. Even using the »live chat« facility didn't speed up the process. Other eBay members also recognized the danger and reported it to eBay. Despite all that, the listings remained online for nearly a day, and every viewer was subjected to an infection attempt. Only after the incident was described on eBay's German Trust and Safety board did eBay take action and remove the fraudulent auctions.
A timely response is important, especially when dealing with hijacked member accounts:
- Bargain hunters pay immediately after the assumed purchase.
- Malicious software is distributed with every view.
- Hijacked member accounts are used as multipliers in targeted phishing attacks over the eBay mail system.
Why eBay didn't recognize the danger of these manipulated item descriptions, and why it took no immediate action after receiving reports from several members, is not known at the moment. But in early 2010 eBay Germany gave notice to 400 of its 630 employees in Dreilinden, and even the security department suffered from the cuts. The department for investigating hijacked member accounts was closed completely. When questioned by »falle-internet.de«, eBay would neither confirm nor deny that the latest incidents are related to these cuts.
Always install software updates as soon as they are available. The latest incidents show that even current anti-virus solutions offer only limited protection against certain malicious software.