
August 17, 2006

New eBay fraud tactic: Viral Porn Trojan Horses (VPTH)

A new tactic (which we have dubbed VPTH) has hit eBay hard in the last couple of days.  Unfortunately it's a really clever way to get lots of eBay user IDs and passwords, AND it's very viral, so it appears to be growing at an exponential rate.

Here's how the bad guys do it:

1. They use normal phishing techniques to get an eBayer's user ID and password (preferably a seller with some good feedback).

2. They post tons of malicious listings to popular categories.  In the listings they:

  • Use something like porn imagery to draw heavy click-through to the listing
  • Turn on every eBay bonus feature you can imagine: bold, highlight, gallery plus, featured plus, etc. (hey they aren't paying so why not?!)
  • Lots of times these are 1-day auctions, so they are indexed quickly and TnS doesn't have much time to a) find them and b) react.
  • Now here's the trick - they put some malicious JavaScript in the listing that redirects anyone who clicks on the listing to a page at badguy.com that is 100% identical to an eBay login page and says: "To view this item you must login".

3. Now the bad guys have tons of BUYER user IDs and logins, which they then use to get into PayPal accounts, launch more auctions and cause general mayhem.

4. Some of these are so clever you can't find which listing is doing it.  They'll post a porn listing and then 10 regular ones, all with the JavaScript in there.  A seller saw one yesterday that seemed to infect every listing in the category - it somehow was changing the search results pages around.

Over the last two weeks this scheme has been happening more and more frequently.  Yesterday the entire shoe category was full of these things.

Here's a real world example from yesterday (the black boxes are mine, as this is a family-oriented blog):


If you saw this and clicked on the first listing, then entered your user ID and password, you could say goodbye to your eBay identity and potentially your PayPal account; plus your account would be harvested for emails and you would be on every spammer's list very quickly.  Most likely your password would be immediately changed (I'm sure they have spiders for this) and your account added to the hijacked list, then more listings would be introduced from your account (this is where the geometric progression/viral part of the scheme comes in).

Buyer and seller tips to avoid this scheme:

1. Never ever ever click on a link in an email.
2. Whenever you do log in to eBay, make 100% sure to look at the URL and make 100% sure you are at ebay.com (the front part of the URL: one trick these guys use is to make the URL so long that it's truncated in the address field, so you see the back end and miss the badguy.cz part).
3. eBay's advice would be to use the eBay toolbar; I'm not sure that would help in this particular situation, and there isn't much penetration of the eBay toolbar.
4. Sellers - use something like this with your employees; it will catch these bad logins and keep your login info more secure: http://www.roboform.com/pass2go.html
5. Finally (and I know this is a tough one), if you see some porn in a category that doesn't seem to make sense, I'd recommend fighting the urge to click on it. ;-)
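Tip 2 above is the one a buyer can actually automate: the only thing that matters is the host the browser connects to, not whether "ebay.com" appears somewhere in a long, truncated URL. The following is an added example (not code from the original post or from eBay) of that check in Python. It assumes a constructed TRUSTED_DOMAINS list and uses constructed sample URLs; badguy.cz is the attacker domain named in the post, and the eBay sign-in path is only illustrative.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only registrable domain a real eBay
# sign-in page may live on. A trusted-looking label anywhere else in the URL
# (path, query, userinfo, or a leading label of some other domain) never counts.
TRUSTED_DOMAINS = ("ebay.com",)


def host_of(url: str) -> str:
    """Return the host the browser will actually connect to, lower-cased.

    urlsplit() discards userinfo ("http://signin.ebay.com@badguy.cz/") and the
    port, so decoy text in front of an '@' cannot masquerade as the host.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_login_host(host: str) -> bool:
    """True only if host is the trusted domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_login_url(url: str) -> tuple:
    """Return (host, trusted).

    The host is the part a user should read in the address bar; on a long,
    truncated URL it is exactly the part they miss.
    """
    host = host_of(url)
    return host, bool(host) and is_trusted_login_host(host)


# Constructed sample URLs modelled on the tricks described in the post.
SAMPLE_URLS = [
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",                       # real
    "http://signin.ebay.com.badguy.cz/ws/eBayISAPI.dll?SignIn&ru=" + "x" * 80,  # look-alike subdomain, padded
    "http://badguy.cz/signin.ebay.com/ws/eBayISAPI.dll?SignIn",              # trusted name in the path
    "http://signin.ebay.com@badguy.cz/ws/eBayISAPI.dll?SignIn",              # trusted name as userinfo
    "http://ebay.com.badguy.cz/",                                            # trusted name as a prefix label
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        host, ok = classify_login_url(u)
        print(f"{'TRUSTED  ' if ok else 'UNTRUSTED'}  host={host!r}  url={u[:60]}")
```

Only the first sample is trusted; every other one contains the string "ebay.com" but resolves to badguy.cz or a subdomain of it. Checking the scheme (https) and the certificate is a separate step that this host check does not replace.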

Trust and Safety at eBay, we implore you:
0. You guys have a tough job; these bad guys are really targeting eBay heavily and we feel your pain.  But eBay just makes it too easy for this to happen; let's raise the bar much, much higher!

1. eBay must immediately stop the practice of having any links in any eBay emails.  The pay now button, the yellow button, outbid notices, payment reminders, feedback reminders: all of these emails have clickable links, and the phishers are insanely good at faking these messages.  I'm sure folks in marketing will fight this ("buyers won't come back, etc."), but this is such a widespread problem that we have to collectively take that risk.  If buyers feel safe they will spend more long-term; let's focus on that vs. some short-term concern over the "pay now" button not going out in an email.


2. JavaScript in listings is very useful in many instances.  In fact, we at ChannelAdvisor and many other CSPs use it to track traffic patterns, search patterns, counters, etc.  Today Trust and Safety has some filters that look for certain JavaScript words that indicate the JavaScript will be malicious, but in the world of programming you can get really clever with this stuff, and a "reactive filter" will never work.

Solution: let's switch to a "white list filter".  Instead of trying to find out what the bad JavaScript looks like, let's create a list of "good guy JavaScript".  Round up the CSPs (we're standing by) and we'll submit our JavaScript to you.  Add this to a list of accepted JavaScript.  Then only allow JavaScript that a) comes from that CSP and b) matches the white list 100%.  REJECT ALL OTHER JAVASCRIPT.  Sure, some sellers use it to have dancing money, flying ponies and singing Uncle Sam, but let's face it, we can live without that stuff and suffer some short-term pain with sellers if we can 100% guarantee no more malicious JavaScript.
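To show what the white list filter proposed above looks like in practice, here is an added example in Python (not eBay's filter and not ChannelAdvisor's code). It assumes a constructed registry keyed by the SHA-256 of each CSP-submitted script after whitespace normalization, and a constructed stand-in for a CSP traffic counter. One caveat the example handles that the text does not spell out: a listing can run code through inline event handlers and javascript: URLs as well as through script tags, so a white list that only inspects script tags still leaves a reactive gap; the filter below rejects those outright.

```python
import hashlib
from html.parser import HTMLParser


def normalize(script: str) -> str:
    """Collapse whitespace so that harmless reformatting does not break an exact match."""
    return " ".join(script.split())


def fingerprint(script: str) -> str:
    return hashlib.sha256(normalize(script).encode("utf-8")).hexdigest()


# Constructed stand-in for a CSP's listing counter (not a real CSP's script).
APPROVED_COUNTER = """
var img = new Image();
img.src = "http://counter.example-csp.invalid/hit?lid=" + encodeURIComponent(location.href);
"""

# Constructed registry: fingerprint of a submitted script -> the CSP that submitted it.
# In a real deployment this is populated from the CSPs' submissions, nothing else.
WHITELIST = {
    fingerprint(APPROVED_COUNTER): "example-csp",
}


class ScriptExtractor(HTMLParser):
    """Collect everything in a listing that can execute: inline <script> bodies,
    external script src attributes, on* event handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.inline, self.external, self.handlers = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.external.append(attrs["src"])
            else:
                self._in_script, self._buf = True, []
        for name, value in attrs.items():
            if name.startswith("on"):
                self.handlers.append(f"{name}={value}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.handlers.append(f"{name}={value}")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def check_listing(html: str, csp: str):
    """Return (accepted, reasons).

    A listing is accepted only if every inline script is an exact white-list
    match AND was submitted by the CSP posting the listing, and the listing
    carries no other executable content at all.
    """
    p = ScriptExtractor()
    p.feed(html)
    reasons = []
    for body in p.inline:
        owner = WHITELIST.get(fingerprint(body))
        if owner is None:
            reasons.append("inline script not on the white list")
        elif owner != csp:
            reasons.append(f"script belongs to {owner}, listing posted via {csp}")
    for src in p.external:
        reasons.append(f"external script not allowed: {src}")
    for h in p.handlers:
        reasons.append(f"inline handler or javascript: URL not allowed: {h}")
    return (not reasons, reasons)


# Constructed sample listings: one with the approved counter, one with a redirect
# of the kind described in the post, one that hides the redirect in an event handler.
GOOD_LISTING = "<p>Brand new shoes, size 10</p><script>" + APPROVED_COUNTER + "</script>"
BAD_LISTING = '<p>Click for pics</p><script>window.location = "http://badguy.com/signin";</script>'
HANDLER_LISTING = '<img src="shoe.jpg" onload="top.location=\'http://badguy.com/\'">'

if __name__ == "__main__":
    for name, html in [("good", GOOD_LISTING), ("bad", BAD_LISTING), ("handler", HANDLER_LISTING)]:
        print(name, check_listing(html, "example-csp"))
```

The match is on the script body, not on keywords, so the attacker gains nothing by obfuscating: anything that is not byte-for-byte (modulo whitespace) one of the submitted scripts is rejected. The owner check also stops a stolen seller account from reusing another CSP's approved counter as cover.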

3. (bonus solution) The phishers are also somehow (maybe there's a database out there?) able to take the seller's and bidder/buyer's ID on eBay, match it to an email address for the buyer/bidder, and leverage that information to very cleverly send out these outbid notices, pay now notices and fake second-chance offers, and make them look like they come from the seller, etc.  No third party should be able to inject themselves into the transaction, and hiding emails isn't working, so it's time to somehow obscure or mask eBay user IDs.  Only the seller should see the ID of the winning bidder.  In fact, maybe sellers shouldn't see the underbidders (let eBay handle SCOs), and the seller ID should be somehow obfuscated as well.

4. The eBay login screen should have a spider defeater (CAPTCHA thingy) on the login forms so that spiders can't fill these out.

5. Send all top sellers a free eBay-branded, USB-powered eBay password encryption system and turn off the site for these sellers.  Something like this solution: http://www.roboform.com/pass2go.html

6. There are all kinds of low-cost new devices and technologies for security.  This company has a biometric fob.  Many Citibank customers now get a special encryption device that downloads a unique number you enter into the web page to prove it's you.

Protect your top sellers!



Listed below are links to weblogs that reference New eBay fraud tactic: Viral Porn Trojan Horses (VPTH):

» New eBay Fraud Tactic from PowerSellerKing
eBay Strategies has posted some information about a new scam tactic surfacing on eBay: A new tactic (which we have dubbed VPTH) has hit eBay hard the last couple of days. Unfortunately it's a really clever way to get lots... [Read More]

» http://trading-web-solutions.com/blog/?p=82 from Mark Kenny's Blog
Scot Wingos, over at http://ebaystrategies.blogs.com/ebay_strategies/ has discovered further spoofing attempts which take advantage of eBay users once again. Unlike more traditional spoof emails, which many users are becoming alert to these spoo... [Read More]

» Viral Porn Trojan Horses from Florida Venture Blog by Dan Rua
OK, so the provocative title was a sellout, but it's a real topic -- stay with me. One of my favorite entrepreneurs (and good friend), Scot Wingo, has a great post at eBay Strategies describing a recent shooting-fish-in-an-eBay-barrel phishing scheme... [Read More]
