Threaded Mode | Linear Mode

***mandy*** · (This post was last modified: 02-18-2007, 09:53 AM by mandy.)

Account hijackings at eBay that may be related to a security flaw on the eBay site.The hijackers are using a redirected page on the eBay site to phish account info.

At least 429 listings from multiple sellers altered/hacked.Â The hijackers only change to the listings is adding an email address with a message to contact seller via email.

Quote:The sellers all had their accounts stolen with this question,

Q: Hello, My name is Ace Schmidt. I just saw this item of yours and I remember seeing the same item two days ago, take a look:

Code:
http://search.shipping.ebay.com/?fcid=1&fpos=90210&vlm=1&requesturl= http%3A%2F%2Fsearch-completed.ebay.mydyn.net/ws/eBayISAPI.dll.php?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&save=Save

Please note the URL
The scammer is routing through ebay's servers and having ebay send the victims to his scam login page.
The scammer's url comes after the (requesturl) in the above URL

PLEASE DO NOT CLICK ON THE LINK IF YOU ARE NOT SURE WHAT YOU ARE DOING!

Quote:Massive, worldwide, multiple user hijacks
just*abbyÂ (0 ) View Listings | Report Feb-17-07 18:26 PST
Hi

Im after a bit of help and support for the UK boards.

Its hearly 2.30am here, and a massive global multi-hijack scam has been discovered.

Search for the words "Dont forget to include the item number in your message" in worldwide listings and you'll find the problem

http://forums.ebay.com/db2/thread.jspa?t...1000442423&start=0
http://forums.ebay.co.uk/thread.jspa?thr...1200089939&start=0

sneakymagenta · 02-18-2007, 04:50 PM,

Quote:The hijackers are using a redirected page on the eBay site to phish account info.

I

Ebay.

**amy** · 02-18-2007, 11:11 PM,

Quote:Please note the URL
The scammer is routing through ebay's servers and having ebay send the victims to his scam login page.

Phishers did the same thing using a redirected page on eBay Motors last October. : Smile

dimucci · (This post was last modified: 02-19-2007, 03:08 AM by dimucci.)

The Auction Guild, February 1, 2007

http://www.auctionguild.com/generic148.html

Cons In Control of ebaY

Those of us who have watched ebaY from a users perspective, for many years, have seen an every increasing ability for scammers to manipulate the site. In the last year, this access has gone from being outside manipulation of flaws and stolen personal information, to complete inside control.

These are the facts:

Every day thousands of listings from China selling brand name counterfeit goods are listed using hijacked accounts. These are usually 1 day listings, the accounts used fit a standard profile and are often accessed in alphabetical order. These listings are for brand name clothing, DVDs, sunglasses, and expand into other categories regularly. The scammer does not need a password to access these accounts.

ebaY Motors has ever increasing fraudulent listings. There are redirects from ebaY search results, manipulation of information in valid running listings, and ever more sophisticated cons, in addition to the all American fraud, found in some used car salesmen, that has been a caricature in our society since the advent of the automobile.

There is a brilliant hacker/codewriter who uses the moniker Vladuz, who makes ebaY his specialty. He has been writing ebaY hacks since 2003, as far as we can trace. This individual recently sent us a link to his latest hack, a tool that he posted on Firefox's plug ins. There have been several screen shots of ebaY's control utilities database posted on the net, on ebaY and off, all with a visible Vladuz watermark on the pages. Vladuz made the posts on ebaY, as far as TAG can tell.

ebaY knows about this problem, and has been removing any threads that appear on their site about it. They just removed a long running thread on ebaY DE, one on which Vladuz has posted on under various guises, including hacked ebaY pink accounts. At the end of December, TAG contacted ebaY through their Trust and Safety live support, and specifically told them what was going on. ebaY cannot say they did not know.

Here is what we have theorized based on all we have seen, and the facts we have:

Vladuz appears to have written a program that gives the scammers complete access to what we are calling ebaY's back end. This back end is the control utilities database used by ebaY, to track everything on their site, that contains all information about ebaY employees and its users. The following images are samples of what Vladuz has made available to the scammer marketplace.

The scammers who have purchased, or otherwise acquired the Vladuz access programs, appear to be able to manipulate the account information of every registered user ID on ebaY. They can monitor in real time what is happening in an account, read email sent through ebaY's system and respond to it through ebaY's system, change any parameter in the user ID account, so, for example, they can receive the PayPal payments the legitimate account holder would have otherwise received. They can add or remove information on a currently running listing without the legitimate account holder knowing it, and conduct business as they please; using all the hijacked accounts they please. No password access is needed. In the article ebay Insider Hijack Scam? we theorized that this was being done by an ebaY insider, as that was the only thing that could explain what we were observing. What we did not realize, and what even TAG found hard to believe, was that the scammers now had insider access, not by working for ebaY, but by using the program built by Vladuz.

The Auction Guild, December 16, 2006-January 4, 2007
In trying to analyze what was going on, it appeared that the hijacker or hijackers had to have access to accounts independent of passwords, and have the ability to set account parameters so the legit account holder would not know what was going on. If this is so, it either points to someone working inside ebaY, or to a security hole so big, you can drive a tractor trailer through it. Neither situation is tolerable.
whole article: ebaY Insider Hijack Scam? http://www.auctionguild.com/generic146.html

BellisimaJ. · 02-19-2007, 01:43 PM,

dimucci, ty for the article! Thumbsup

This is totally.........I can't find words.

All owners of hijacked accounts should be aware that ebay is aware of this situation and can therefore be held liable.

sneakymagenta · 02-19-2007, 05:00 PM,

Quote:All owners of hijacked accounts should be aware that ebay is aware of this situation

Mass panic would ensue after Ebay made the announcement.

***mandy*** · (This post was last modified: 02-22-2007, 09:48 AM by mandy.)

Quote:Eagle-eyed conspiracy buffs have pounced on a recent rash of compromised eBay user accounts as proof of a mile-wide hole in the auctioneer's front lines, giving new life to a theory that could one day rival the intrigue surrounding Roswell UFO crashing and Kennedy assassinations...

Even more suspicious, according to AuctionBytes, is the recent removal of a link from an eBay forum that exposed account holders' names, addresses, and user names and passwords. Indeed, eBay officials appeared to have purged an entire forum thread where conspiracy theorists were discussing the vast cover up. (A capture of a more recent thread can be found here.

Not quite as compelling a plot as The X-files or Oliver Stone's JFK. But with all the round and round, we get the feeling this one may have more staying power...

full article: http://www.theregister.co.uk/2007/02/20/...onspiracy/

Letters to the editor:
http://www.theregister.co.uk/2007/02/22/...y_letters/

***mandy*** · 02-22-2007, 01:43 PM,

Auctionbytes:

Quote:eBay spokesperson Hani Durzy told AuctionBytes on Wednesday that at no time did the fraudster have access to any member's personal or financial information. Durzy said a Romanian had obtained access to a handful of email accounts from some customer service representatives. The only information he had access to was information contained in emails, which did include some screenshots of some backend tools, Durzy said. Email servers are kept separate from servers hosting member data, he said...

Durzy claims the perpetrator was a "known Romanian fraudster" going by the handle Vladuz. "Our number one priority is to see him caught and locked up," Durzy said...

full article: http://www.auctionbytes.com/cab/abn/y07/m02/i22/s03

***mandy*** · (This post was last modified: 02-23-2007, 11:10 AM by mandy.)