Custom-built botnet steals eBay accounts

Brute-force identity theft may have started in early August, claims researcher

Online auction site eBay has been targeted by identity thieves, who are wielding a botnet that uses brute force to uncover valid account log-in information, a Tel Aviv-based security company said Monday.

The attacks against eBay may have started as long ago as early August, said Ofer Elzam. He said that he and other researchers at Aladdin Knowledge Systems Ltd. have not been successful in notifying eBay of their weekend findings.

According to Elzam, the product manager of Aladdin's eSafe threat-protection line, the brute-force attacks are launched by a large botnet that the identity thieves have built using a sophisticated, multistage campaign that begins with compromised legitimate Web sites.

"My best estimate is that there are at least 300 compromised sites," said Elzam, who noted that they are spread worldwide and in several languages. Two sites are based in Israel, he said, including a price-comparison Web site and another operated by one of the country's largest unions. Other sites identified in a search run with information provided by Elzam included scores of real estate Web sites in Florida and Massachusetts, and a Microsoft security message forum in Italian.

Seeding genuine Web sites with malware is nothing new, but the practice has been gathering steam this year. In June, for example, hackers launched a massive bot-building attack from more than 10,000 hijacked Web sites, most of them hosted in Italy.

"These sites are compromised by SQL injection vulnerabilities, and then IFrame attack code is inserted," said Elzam, describing a common method of hacking legitimate Web sites and infecting their visitors. "The IFrame code redirects visitors to other sites which host a Trojan," he added. The Trojan horse hijacks the PC and turns it into a zombie, or bot.

"This is a very sophisticated, very complex attack," Elzam claimed, ticking off obfuscation techniques, multipart malware downloads and encryption among the tactics used by the thieves.

The resulting botnet is being used to call an eBay application programming interface (API) with pairs of possible usernames and passwords, said Elzam. The API allows the Trojan horse-infected PC -- the bot -- to communicate directly with the eBay database using XML-formatted code. If the database contains the username-password pair, it responds, which the Trojan horse notes, then later transmits to a hacker controlled server.

With enough username-password combinations -- the brute-force part of the attack -- the criminals can uncovering a limited number of real credentials.

"Each bot may be using as few as six pairs of usernames and passwords" in an attempt to come in under the security radar of eBay, said Elzam. "I don't think that eBay is even aware of the attack. The distributed nature of the attack may make it look like a merchant sending confirmations to buyers," he said.

Although Aladdin pieced together the evidence only Tuesday, Elzam said that clues indicate it might have started in early August.

It's unknown what the identity thieves have done with stolen eBay log-ons. One eBay user, however, may have offered up a possibility Tuesday in a blog post.

"I woke up this morning to a nightmare," wrote a Texas-based book collector identified on his blog only as Sam Houston. "Someone in England hacked into my personal eBay data and changed it to reflect a completely fraudulent identity with an English mailing address. That person than proceeded to send out at least 25 e-mails to individuals in the U.K. who are trying to sell Sony laptop computers on the site. He offered them more than they are asking for the laptops and wanted them mailed to him as soon as possible."

According to the blogger, the attacker has also compromised his PayPal account and tried to pay for the 25 notebooks using funds from the checking account linked to PayPal.

EBay did not reply to a request for comment Monday night.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Essentials

Brother MFC-L3745CDW Colour Laser Multifunction

Learn more >

Mobile

Exec

Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?