Wednesday, March 28, 2007

Bulgarian Woman Arrested for eBay Fraud Scheme

March 28, 2007 3:21 PM


The FBI has announced the arrest of a Bulgarian woman in connection with an international scheme that's responsible for defrauding eBay users of more than $350,000.

The agency announced on Monday that police in Budapest, Hungary had on March 22 arrested Mariyana Feliksova Lozanova, aka "Gentiane La France," aka "Naomi Elizabeth DeBont," on charges of conspiracy to commit wire fraud and money laundering. Lozanova has waived extradition to the United States.

The indictment charges that Lozanova and others allegedly advertised expensive motor vehicles and boats on eBay. When U.S. buyers expressed interest, a purported seller contacted them directly by e-mail.

The modus operandi matches that described by eBay watchers who have tracked a sharp increase in fraud on the auction site over the past few months. So too does it match the boasts posted on eBay forums by hackers.

Namely, the crooks told their victims to wire payment through a non-eBay entity. In this case, the fraudsters called the entity "eBay Secure Traders," an outfit that has no actual affiliation to eBay but which served to trick buyers into thinking they were sending money into a secure escrow account pending delivery of their purchases.

In fact, the funds were allegedly wired straight into bank accounts in Hungary or Slovakia that were controlled by Lozanova or her co-conspirators.

The FBI alleges that Lozanova opened the accounts with a fraudulent Canadian passport that identified her as "Gentiane LaFrance" and a fraudulent U.K. passport that identified her as "Elizabeth Naomi DeBont."

The victimized buyers' cars and boats were never delivered, nor was their money ever returned. The indictment charges Lozanova with withdrawing the proceeds shortly after the funds had been wired into her account and distributing them to members of her gang in Budapest.

If convicted, Lozanova faces a maximum sentence of 20 years in prison for the wire fraud conspiracy and 10 years in prison for the money laundering conspiracy. She could also be looking at fines totaling more than $500,000, as well as forfeitures and restitution to victims.

eBay said that it just goes to show: "Crime doesn't pay," said Nichola Sharpe, a spokeswoman for eBay, in an interview with eWEEK. "It's so transparent. We have strong collaboration with the police. We do catch these people."

eBay doesn't release official figures for how many scammers the company and law enforcement are tracking. But as Sharpe pointed out, the online auction site has banned, for example, instant money transfer services, such as Western Union.

eBay has over 2,000 employees working in what the company calls its Trust and Safety division. Those employees' key role is to make the site a safe place to trade, Sharpe said, and that means they're practically everywhere that eBay is. "This is a global team," she said. "A lot of the different countries we're in, we have a different team. In Europe we have a team. These crimes are global, and we have a global team to reflect that."

Members of the team are often experienced law enforcement types, as well, she said, including one ex-Scotland Yard detective and a number of people with experience in law enforcement in the United States.

The FBI said in a statement that its investigation into the scam that allegedly involved Lozanova is ongoing.

* This entry was updated to include eBay's input.

Google seeks world of instant translations

By Adam Tanner

MOUNTAIN VIEW, California (Reuters) - In Google Inc.'s (Nasdaq:GOOG) vision of the future, people will be able to translate documents instantly into the world's main languages, with machine logic, not expert linguists, leading the way.

Google's approach, called statistical machine translation, differs from past efforts in that it forgoes language experts who program grammatical rules and dictionaries into computers.

Instead, they feed documents humans have already translated into two languages and then rely on computers to discern patterns for future translations.

While the quality is not perfect, it is an improvement on previous efforts at machine translation, said Franz Och, 35, a German who heads Google's translation effort at its Mountain View headquarters south of San Francisco.

"Some people that are in machine translations for a long time and then see our Arabic-English output, then they say, that's amazing, that's a breakthrough," said Och.

"And then other people who have never seen what machine translation was ... they read through the sentence and they say, the first mistake here in line five -- it doesn't seem to work because there is a mistake there."

But for some tasks, a mostly correct translation may be good enough.

Speaking over lunch this week in a Google cafeteria famed for offering free, healthy food, Och showed a translation of an Arabic Web news site into easily digestible English.

Two Google workers speaking Russian at a nearby table said, however, that a translation of a news site from English into their native tongue was understandable but a bit awkward.

FEEDING THE MACHINE

Och, who speaks German, English and some Italian, feeds hundreds of millions of words from parallel texts such as Arabic and English into the computer, using United Nations and European Union documents as key sources.

Languages without considerable translated texts, such as some African languages, face greater obstacles.

"The more data we feed into the system, the better it gets," said Och, who moved to the United States from Germany in 2002.

The program applies statistical analysis, an approach he hopes will avoid diplomatic faux pas, such as when Russian leader Vladimir Putin's translator miffed then German Chancellor Gerhard Schroeder by calling him the German "Fuehrer." The word is verboten in that context because of its association with Adolf Hitler.

"I would hope that the language model would say, well, Fuehrer Gerhard Schroeder is ... very rare but Bundeskanzler Gerhard Schroeder is probably 100 times more frequent than Fuehrer and then it would make the right decision," Och said.

The center of Google's effort looks surprisingly modest. Och shares a spartan office with two others on his team, with little clutter other than a shelf of linguistic books above his desk. That's because the muscle work is performed by machines.

So far, Google is offering its own statistical machine translations of Arabic, Chinese and Russian to and from English at http://www.google.com/language_tools. Third-party software gives access on the site to German and other languages, Och said.

"So far, the focus is let's make it really, really good," Och said. "As part of a general Google philosophy, once it's really useful and it has impact, then there will be found ways how to make money out of it."

Miles Osborne, a professor at the University of Edinburgh, who spent a sabbatical last year working on the Google project, praises Google's effort but sees limitations.

"The best systems (e.g. Google) can be very good indeed for language pairs such as Arabic-English," he said.

But he added software will not overtake humans in expert translations as it has in playing chess; software should be used for understanding rather than polishing documents.

"It may also be useful when deciding whether to pay a human to do a good job: you could imagine looking at Japanese patent documents and seeing if they are relevant, for example," he said.

Google chairman Eric Schmidt also sees broad political consequences of a world with easy translations.

"What happens when we have 100 languages in simultaneous translation? Google and other companies are working on statistical machine translation so that we can on demand translate everything all the time," he told a conference earlier this year.

"Many, many societies have operated in language-defined communities where they really don't understand and are not particularly sympathetic to other peoples' views because of the barrier of language. We're about to have that breakthrough and it is a huge thing."

Tuesday, March 27, 2007

RFID Feared as Possible Terrorist Target

By Lisa Vaas
March 27, 2007


As if RFID chips in driver's licenses and passports weren't scary enough already, London's Royal Academy of Engineering is suggesting that someday a terrorist will be able to read personal details from a distance and, given the right antennas and amplification, set a bomb to go off when a particular person gets within range.

It's already widely acknowledged that unencrypted data stored on an RFID chip in a passport can be read covertly by anybody with a pass-by reader.

As the ACLU pointed out at Black Hat earlier in March, you can buy parts on the Internet to make a reader for as little as $20.

With a reader, you can pick up whatever the RFID chip is sending out: passport number; name; where an individual was, and at what time; address; Social Security number, etc.

The ability of RFID to be subverted in far more dangerous ways was only one example of how advancing technology can be exploited in the future, according to the Royal Academy.

The Academy on March 26 released a report titled "Dilemmas of Privacy and Surveillance: Challenges of Technological Change," by Nigel Gilbert, chairman of the Academy's group on Privacy and Surveillance.

Here are some other technology shocks that have already occurred or that may come to pass, according to Gilbert:



Unencrypted data can be forged. The United Kingdom, for one, introduced biometric passports in March 2006. The e-Passport, as it's called, uses facial recognition to link an individual with a paper passport, with iris and fingerprint data used as backup, and other countries have expressed interest in using biometrics as well.

Because the data will be read at places such as passport control to verify the identity of the holder, the data have to be quickly and reliably transmitted—hence, the use of RFID chips has been proposed.

A forged passport could include a passport carrier's biometric information but with forged personal details, including name, date of birth and citizenship.

Of course, passports could be checked against a central database to ensure that the data on a given passport matches the master set. But then, it's unnecessary to store the data on a passport, since it can be retrieved from the central database.

"Encrypting the data on the e-Passports can help to avoid these problems," Gilbert writes, "but even then there is potential for failure. Firstly, if the encryption codes can be broken, then the two vulnerabilities reappear. Secondly, a problem with current plans for e-Passports in the U.K. is that the key for the data on the chip is stored on the passport itself—so the encryption does not in fact lock out eavesdroppers."

The only way to keep RFID passport information truly safe, Gilbert says, is to encrypt it with extremely tough algorithms and to stop unlocking the encrypted data with a key that is stored on the passport itself.

"Otherwise, efforts should be focused on an altogether different way of designing e-Passports," he said.


Plans for more dangerous data leaks than ever are in the works. It's a pedophile's dream come true: children's data stored in a national database.

The U.K. is reportedly planning to take fingerprints as well as names and addresses from children as young as 11 and store it all in a government database.

The children's data, as a subset of the U.K.'s biometric passport scheme, will be transferred to the country's new national identity database when the children turn 16.

The consequences of data breaches or leaks on such a database could be "extremely serious," Gilbert says. "This information could be used by pedophiles to target those children for abuse," he writes.



Other serious data leaks that have happened or could still happen, Gilbert points out: leaks of credit-card data used to embarrass public figures; leaks of the addresses of staff who work at sensitive sites, such as abortion clinics or research centers that practice animal experimentation; leaks of health records that could doom the employment prospects of patients or even expose them to risk of violence, including HIV status or a record showing that a woman had had a pregnancy terminated (if this was unknown to her partner or parent), or data (such as DNA or blood group) showing that the presumed father of a child could not actually be the father.

The report details other worst-case scenarios, including identity fraud assisted by the Semantic Web and its extensive publicly accessible personal details of individuals as well as the use of fingerprint images to fool a pay-by-touch system.

The future of technology misuse may look dire, but Gilbert offers ways to secure even the scariest technology.

For example, a biometric pay-by-touch system that requires two forms of identification—a PIN and a fingerprint—would be "much more successful" in preventing fraud than one that relies only on a fingerprint, he said.

To read more about privacy and security concerns surrounding RFID, see http://www.eweek.com/article2/0,1895,2073670,00.asp

Regarding RFID-enabled passports and the possibility that they could be linked to bombs or other, less dramatic abuses, one workaround is to forgo RFID chips for a technology such as that now being developed by Ingenia Technology called "Laser Surface Authentication."



LSA technology takes into account the unique surface qualities of a given document. Paper documents and credit card plastics have unique microscopic surface qualities attributable to how paper fibers are arranged or how the plastic has been set.

"These qualities cannot be controlled and cannot be copied, and they are unique in every case—rather like human fingerprints," Gilbert writes.

"Ingenia have devised a way of scanning documents to reveal these surface properties, which they refer to as the 'LSA fingerprint.' The system they have created is 'read-only', the document is passive, it is simply scanned and a record of its surface features is recorded."

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
http://securitywatch.eweek.com/

Friday, March 23, 2007

Trojan Spreading Via Skype

March 23, 2007 3:53 PM


A Trojan is using the free Skype VOIP service to spread to users' friends, family and colleagues, Websense Security Labs reported on March 22.

The Trojan, a variant of the Trojan known as Warezov or Stration, does not propagate itself. However, when it runs, it sends a URL to all users in the victim's Contacts list, according to Websense.

An earlier version of the same attack hit Skype in late February, as reported by F-Secure. This latest rendition differs in that it's carrying new URL information and a new version of the malicious code.

Websense reports that Skype users are receiving a message that says "Check up this," with a URL containing a hyperlink. Websense's advisory contains a sanitized screenshot at the bottom.

Users who click on the link are redirected to a site hosting a file named file_01.exe. Users are then prompted to run the file. If the user does so, the Trojan downloads and runs several other files. Websense notes that there is no Skype vulnerability at play in this attack.

Below are the files the Trojan loads from different domains, according to Websense. The domains were up and running at the time of Websense's Thursday alert:

1e61617b7498c5cad41c4d26b8e4ca8c file_01.exe
7c2b181ab4fbe858e22bbbdc725e4f53 gdi32.exe
7306bed6c39560ed78fe67cfc5e643c8 ndis.exe
5262a217d2ca7f28be6fc398d8f8aee3 sk.exe

The victim's contacts also receive the URL within Skype. After the Trojan hitches itself to a system, it tries to connect to a Yahoo mail server to send an SMTP message. However, that server appears inoperative, and the communication fails. Websense conjectures that the message is "probably an attempt to notify the attacker that a certain machine has been infected."

The other files downloaded by the Trojan are alternate versions of the Warezov/Stration malicious code. The code opens backdoors to victims' systems and also downloads new code.

Monday, March 19, 2007

We're Number One! ... For Malicious Internet Activity

By Lisa Vaas
March 19, 2007


Romanian hackers, eat your hearts out: The United States has far and away the most malicious code, spam, phishing, attack and bot network activity on the planet, according to Symantec's most recent semi-annual Internet Security Threat Report.

In this, the 11th edition of the report, Symantec has for the first time ranked countries according to their Internet malfeasance. Tapping into its global intelligence network, Symantec found that the United States spawned 31 percent of the worldwide total for malicious activity. China came in second with 10 percent, and Germany came in third with 7 percent.

But bear in mind that not all of the bad U.S. apples necessarily originate within the United States, said Dave Cole, a director in Symantec's Security Response division. "Inside U.S. borders can be a playground for international hackers," he said in an interview with eWEEK. "How much is U.S.-based and how much is driven from outside is anyone's guess."

Because Symantec was aware that industrialized countries' higher rate of Internet users skews test results, the company also broke the numbers down according to the percentage of a country's Internet users that are up to no good. "The more [Internet users] you have, the more likely more will be bad apples and that more people will be targeted," Cole said. "Though [owners of zombie PCs] are innocent except for maybe not cleaning their machines when they're hacked."

Taking the amount of a country's malicious activity and dividing by the number of that country's Internet users, Symantec found that Israel has the most per capita malicious Internet users, at 9 percent. Taiwan came in second, with 8 percent, and the United States came in third, with 6 percent.

Between July 1 and Dec. 31, 2006, Symantec also found that 51 percent of all underground economy servers known to the company were located in the United States—the highest total of any country. In that underground economy, your credit card, with a card verification number, will fetch between $1 and $6. Your identity is more pricey, going for $14-$18 including your U.S. bank account, credit card, date of birth and government-issued identification number.

Symantec also notes that your credit card and identity are more attractive to e-thieves nowadays, as opposed to the allure of financial services in previous periods. "The attackers here are just playing the numbers," Cole said. "The biggest attack for many, many years has always been financial services. They'd go where the money's at, sneak in the back door, get in and steal the customer database and quickly get in and out before anybody notices."

Unfortunately for online thieves, banks got smart and beefed up their security. Security at banks being so much harder, hackers have decided to pick customers' pockets instead of sticking up the bank itself, Cole said. "Why do 'Oceans Eleven' [a film featuring painstakingly elaborate thievery] when you can just hold up 7-11?" Cole asked.

Cole emphasized that these observations pertain to loosely organized online criminals, not organized crime. Of non-organized criminals, 93 percent are targeting home users, Symantec estimates.

Preferred methods of online scams differ region to region. According to Symantec's research, banking Trojans are popular in South America. In China and Asia, where online gaming is popular and a market for virtual possessions is thriving, gaming Trojans are common, Cole said. "We're seeing threats getting more regionalized, and the threat depends on what region you're interested in," he said.

Malicious activity on the Internet has obviously changed considerably since the Slammer worm, Cole said. "[Slammer] pretty much crashed through the Internet and knocked things over," he said. "Guys were pounding their chests and slapping their buddies' hands when they wreaked havoc. Nowadays, they'd rather drive across town in a Ferrari with their pals and their ill-gotten goods."

Malicious code sniffing out confidential information such as credit card numbers increased from 48 percent of Symantec's Top 50 malicious code reports in the first half of 2006 to 66 percent in the second half. Threats that log keystrokes and export sensitive user and system data increased, with keystroke loggers now making up 79 percent of threats to confidential information.

This report is the first in which Symantec assessed data breaches that exposed information that could result in identity theft. The company found that during this time period, the government sector accounted for most of the data breaches that could lead to identity theft, with 25 percent of the total.

The preferred way for companies to lose our data was theft or loss of a computer or other data storage/transmittal medium, such as a USB key or a backup disk. Fifty-four percent of all identity theft-related data breaches in the second half of 2006 were made up of such losses. The second most common cause of data breaches that could lead to identity theft was insecure policy, which accounted for 28 percent of incidents.

Zombies thrived in this time period, as well. Symantec detected 11 percent more active bot-infected computers than the period before, with an average of 63,912 spotted daily. The worldwide total of distinct bot-infected systems rose to about 6,049,594—a 29 percent increase. The number of command-and-control servers decreased by 25 percent to 4,746. Symantec theorizes that this is due to network owners consolidating and expanding their networks.

Zero-day vulnerabilities also rose during this period. Trojans taking advantage of zero-day vulnerabilities numbered 12—a significant increase over the first half of the year and the second half of 2005, when only one zero-day vulnerability was documented for each reporting period. Most of the zero-days in late 2006 were client-side vulnerabilities affecting Office applications, Internet Explorer and ActiveX controls. Symantec noted that attackers are "increasingly using zero-day vulnerabilities as the first step in establishing coordinated networks of malicious activity," the company said in a release.

Trojans increased significantly in late 2006 as well. They made up 45 percent of the volume of malicious code reports, compared with 23 percent in early 2006. While Trojans made up 45 percent of malicious code reports, they made up 60 percent of attempted infections.

"Symantec has observed high levels of coordinated activity between threats, including spam and phishing," Symantec said in its release. "Often, Trojans are used to install spam zombies or phishing Web sites on compromised computers in order to facilitate fraud or other criminal activities."

In late 2006, spam made up 59 percent of all monitored e-mail traffic, Symantec found—an increase over early 2006, when 54 percent of e-mail was classified as spam.

Symantec found that the rise in spam was primarily due to pump and dump stock scams. The company found that the top detected spam category, at 30 percent, was related to financial products and services. Unique phishing messages in late 2006 increased, with 166,248 unique messages, or an average of 904 unique phishing messages per day. Phishing attacks primarily used financial services as bait, with that topic accounting for 84 percent of unique brands used in phishing attacks. Financial services also made up 64 percent of phishing Web sites. Forty-six percent of all known phishing sites were found in the U.S.

Here's what Symantec forecasts for future threats:

More Vista threats will appear, with vulnerabilities, malicious code and attacks focused against Vista's Teredo platform, which is a bridge protocol between IPv4 and IPv6.

Attackers will focus on third-party applications that run on Vista.

New phishing economies will develop in which phishers expand their targets to include new industry sectors, such as massively multiplayer online games.

Phishers will develop new techniques, such as ready-made phishing kits, to evade antiphishing solutions such as block lists.

Spam and phishing will increasingly target SMS and MMS on mobile platforms.

New attacks will be developed to hit virtual environments as a way of compromising host systems.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
http://securitywatch.eweek.com/

Tuesday, March 13, 2007

Al-Qaeda Plan to Bomb British Internet Foiled

March 13, 2007 11:40 AM

Scotland Yard has foiled a planned attack on the British Internet by al-Qaeda, according to The Sunday Times.

According to reports, authorities carried out a series of raids that netted computer files revealing that terrorist suspects had targeted a high-security Internet hub in London. Scotland Yard also arrested suspects who had allegedly targeted the headquarters of Telehouse Europe, a facility that contains dozens of servers and which The Sunday Times refers to as Europe's "biggest Web hotel."

Investigators reportedly found evidence on a seized hard drive that the suspects plotted to infiltrate the hub and possibly blow it up from the inside, thus causing havoc in the London Stock Exchange and to British businesses.

Allysa Myers of McAfee's Avert Labs posted an analysis of the situation and came up with three takeaways for any business:

1. A significant number of security problems are due to employees and contractors, not outside parties.
2. It's equally important to have physical security considerations as well as those for "cybersecurity."
3. Don't allow a single point of failure.

Monday, March 12, 2007

Romanian Hacker Broadcasts eBay Customer Accounts

March 12, 2007


By Lisa Vaas

eBay has confirmed that, early on the morning of March 8 EST, an alleged Romanian hacker calling himself "Born_To_Scam_American_Guys" posted records for 15 eBay users on an eBay forum for between 40 and 60 minutes before the company removed them.

The posts were put up on the Trust & Safety board. According to other forum members who claimed to have taken part in the discussion and begged eBay to take down the information, the hacker signed in under a hijacked account and began taunting others, with the final result being the posting of the 15 accounts.

According to Firemeg.com, a site dedicated to eBay watching, the post that kicked it all off appeared at 1:52 EST on the forum. The initial post, according to Firemeg.com, reads:

"read many opinions here.... All I saw it's just [misspelled obscenity]....Alot of things about scamms..stupid things I think. Romanian guys are the best boys !!!! We are in each country...each city...and every day alot of money from your pocket intro in pur bank accounts....You know why ?? I will tell you my opinion...because you are so stupid ..... anyone can scam you very easy....not only with fake escrow and shipping websites....


"For us nothing is not imposibile....Paypal...bank accounts...credit cards...spam....wire transfers... alot of things boys !!! WHy ??? Because we are the best !!!!

Friday, March 9, 2007

Trojan Targeting eBay Motor Buyers

March 9, 2007 11:38 AM

E-mails with legitimate slide shows of cars for sale on eBay are quietly dropping a Trojan that redirects a victim when he or she clicks on a link to a legitimate auction. If the victim bids, his or her money winds up going to the criminal with no car going anywhere.

Symantec says if the infected recipient decides to check on the seller's ratings page, the Trojan.Bayrob file also presents a fake feedback page that raves about the seller.

Symantec calls this man-in-the-middle attack "very unusual" and also "difficult to code correctly." The security company first blogged about the attack on March 5 but has since uncovered more details of how it works.

Symantec says that the e-mail probably contains two crucial components: a link to a real eBay auction and an executable. The executable drops two files into a temp folder: a legitimate slide show of the car being auctioned and the Trojan.Bayrob file.

In a typical attack, a victim receives an e-mail about a car for sale, opens it and runs the attachment. As he or she is viewing the photos, the Trojan has already been installed. The victim decides he or she is interested in the car and clicks on the link to the real eBay auction.

In the background, Trojan.Bayrob is directing Web traffic bound for eBay through a local proxy server, which listens on localhost port 80. To accomplish that, Symantec found, the Trojan changes files on the infected PC to force traffic bound for these sites through the local proxy server:

my.ebay.com
cgi.ebay.com
offer.ebay.com
feedback.ebay.com
motors.search.ebay.com
search.ebay.com

Next, the Trojan connects to these servers and downloads configuration data and an updated list of the control servers if possible:

superdigitalprices.com
wai-k-mart.com
wal-stop-mart.com
onemoreshoot.com
jdo24nrojseklehfn.com

These sites have all been taken offline since Symantec first started tracking the Trojan. Symantec says that the servers were clones of each other, each containing these scripts:

var.php
cfp.php
hst.php
var-user.php
ping.php
isup.php
ban.php
setvar.php
getip.php
hostname.php
hst-user.php
exe.php
contact.php

The var.php script downloads variables including tokenized versions of legitimate eBay pages.
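As an added defensive example (not from Symantec's write-up), the check below scans a hosts file for the eBay hostnames listed above being pinned to an address, the redirection pattern the post describes. It assumes the "changed files" include the system hosts file, which the post does not say, and it flags any entry for those names, not only loopback ones, since none of them belongs in a legitimate hosts file. The sample hosts file is constructed.

```python
"""Flag hosts-file entries that pin known hostnames to a fixed address.

Added example for the Trojan.Bayrob write-up. Assumption (not stated in the
post): the files changed to force eBay traffic through the local proxy
include the system hosts file. SAMPLE_HOSTS below is constructed.
"""
import ipaddress
import sys
from pathlib import Path

# Hostnames the post says are routed through the local proxy on port 80.
WATCHED_HOSTS = {
    "my.ebay.com", "cgi.ebay.com", "offer.ebay.com", "feedback.ebay.com",
    "motors.search.ebay.com", "search.ebay.com",
}

# Constructed sample: two legitimate lines, three loopback hijacks (two on
# one line, tab-separated), one hijack to a non-loopback address, and one
# commented-out entry that must be ignored.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       cgi.ebay.com
127.0.0.1\tfeedback.ebay.com   my.ebay.com
10.0.0.5        offer.ebay.com
# 127.0.0.1     search.ebay.com
192.168.1.10    printer.local
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file.

    Comments ('#' to end of line) are stripped; one address may map to
    several hostnames on a line, so each hostname is yielded on its own.
    Hostnames are lowercased and stripped of a trailing dot because DNS
    names are case-insensitive.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a hosts mapping
        for host in fields[1:]:
            yield line_no, addr, host.lower().rstrip(".")


def find_hijacks(text, watched=WATCHED_HOSTS):
    """Return [(line_no, ip_string, hostname)] for watched hostnames that
    the hosts file pins to any address. A legitimate hosts file has no
    entry for these names at all, so every match is reportable."""
    return [
        (line_no, str(addr), host)
        for line_no, addr, host in parse_hosts(text)
        if host in watched
    ]


def main(path=None):
    """Scan the given hosts file (or the constructed sample) and report hits.
    Returns the number of hits so callers can use it as an exit status."""
    text = Path(path).read_text() if path else SAMPLE_HOSTS
    hits = find_hijacks(text)
    for line_no, ip, host in hits:
        kind = "loopback proxy" if ipaddress.ip_address(ip).is_loopback else "remote"
        print(f"line {line_no}: {host} -> {ip} ({kind} redirection)")
    return len(hits)


if __name__ == "__main__":
    # On Windows the hosts file is %SystemRoot%\System32\drivers\etc\hosts;
    # pass it as the first argument, or run without one to use the sample.
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 0)
```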

Meanwhile, if the victim checks the feedback page, he or she is reading a fake page that claims the seller is genuine and trustworthy.

"At this point, the attack is almost complete," Symantec's blog says. "All the attacker has to do now is wait for the victim to complete the purchase and for the money to arrive."

Although the controlling servers have been taken offline, Symantec says the attackers are sure to set up new ones.

How to avoid being victimized? As always, never click on e-mail attachments from sources you don't trust.

eBay hadn't responded to a request for feedback by the time this was posted, but the online auction giant reportedly knows about the issue and is working with Symantec to stop the spread of infection.

eBay is a favorite target for criminals. It's been enjoying the attentions of Romanian criminals in particular, with one by the name of Vladuz giving the company headaches for months now. Check out this slideshow to see Vladuz's handiwork.

http://www.eweek.com/slideshow/0,1206,pg=0&s=25954&a=202474,00.asp

Tuesday, March 6, 2007

What's Bugging eBay?

By Lisa Vaas
March 6, 2007

Updated: The auction behemoth is being skewered by Vladuz, the Romanian impaler, and the e-villagers are whispering that he's sucking customer and service rep account lifeblood directly from eBay's internal databases. Is he that spookily talented, or is he just another, albeit talented and lucky, phisher who also stumbled on an e-mail with internal accounts?

The eBay villagers are whispering that he can creep through eBay's internal databases and suck the lifeblood of customer accounts—log-ins and passwords—right out of their pulsing, 222 million-plus customer heart. He's putting up bogus listings as fast as eBay can take them down, and that proves he's walked through a security hole as big as a barn door.

No, eBay insists, this hacker, this Romanian wiseguy who goes by the handle Vladuz, is "nothing new." He's just another phisher, says eBay spokeswoman Catherine England, one of hundreds the huge auction site has to deal with constantly.

He may be getting loads of publicity from posting onto eBay forums as a service rep and taunting eBay—"Durzy is full OF sh*t," he wrote about eBay spokesperson Hani Durzy in a February posting after Durzy said that Vladuz had not accessed internal systems. But that just means he got lucky once and hit upon an internal e-mail that had a screenshot containing customer service reps' e-mail account information, eBay maintains.

Some eBay watchers attribute the recent spike in hijacked accounts to eBay's crackdown on cross-border sales. The spike might not be wholly attributable to Vladuz's work, but he or she is being credited for most of it. The multitalented hacker is leaving a calling card behind with his or her name, spelled backwards, attached to malicious code injected in live auctions. He's taunting eBay by posting to its forums as a customer service rep. His name is associated with a company name that is in turn associated with eBay hacking tools being found for sale online.

Hijacked accounts occur after phishers weasel log-in names and passwords out of legitimate eBay account holders and then use them to run auctions that look like they're taking place in a country with a reputation for legitimate sales, such as the United States or Canada.


This is nothing new, but eBay watchers say the number of hijacked accounts and their changed behavior makes it begin to look as if somebody had set up tools to automatically skim customer accounts from eBay's internal systems—and such are Vladuz's reputation and braggadocio, at this point, that these watchers believe he or she could be responsible.

eBay watchers say the trigger for the spike was eBay's recent crackdown on counterfeit goods being sold from countries notorious for it, such as China. Like rats leaving a sinking ship, the thinking goes, crooks such as Vladuz are turning to hijacked accounts because the counterfeit e-business has gone belly-up.


"In the last few months, eBay has really taken a look at the trust and safety of our marketplace and our Web site," England told eWEEK. "We've been incorporating a lot of new measures. My understanding is it's been a little frustrating for this fellow. He's spent some quality time poking around our site and trying to find a way in. He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink—when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"

Lies, lies, lies, says online auction activist Rosalinda Baldwin, who runs an auction watchdog group called The Auction Guild (TAG).

"There's always been phishing [attempts to get account information and second-chance offers made to bidders who didn't win] and other fraud going on," she said. "It became huge mid-December [when eBay began to prevent Chinese sellers from selling to eBay U.S., eBay Canada, etc.]. It seems to have been the trigger: [The collection of phishing attempts and hijacked accounts] went from one without pattern to one" that definitely showed a pattern, she said.

"I know eBay pretty well," Baldwin said. "They can use all the excuses and lies they want, but they have yet to explain how what is happening on this site could be happening if what I'm saying is not true: that somebody has access to the back end."

Quantifying the hijacking of accounts is another eBay watcher, Genie Livingstone. Livingstone is a PHP programmer and runs the Internet host and domain name registration site Dotyou.Com.

Here's an example (check out the five links at the bottom) of the Web monitors, based on RSS eBay tools, that Dotyou.com is using to track eBay scam auctions in real time. Livingstone is also tracking eBay listing totals on MedVed.net.

What she's found for the past few weeks is that the daily count of eBay listings has been "a series of sharp spikes of 1 [million] to 3 million items, instead of the usual gradual curve that reflects items being listed and sold," she said.

The seesawing appears, she said, "as if someone is flooding the site with hacked listings that eBay is pulling down, only to have them immediately relisted, only to have them pulled down, etc., etc."


This is MedVed's graph for eBay listings in February 2007, compared with February 2006. Notice the seesawing that begins on Feb. 22, 2007, with sharp increases and decreases that are of equal value, as if the same number of listings are being posted, delisted and posted again, in multiple daily cycles.

eBay's England said that she looked into site activity over the past six months and found "absolutely no significant movement in number of account takeovers." However, she has not yet looked into the flux of listings numbers, she said.

Still, she insists, there's nothing new to see here, even though Livingstone credits eBay with having perfected automated tools to remove the bogus listings, which recently have been coming down after only 30 seconds.

"We've had a variety of automated tools in place for a long time," said England, in San Jose, Calif. "This is nothing new. I wish I could say it's some big, exciting thing. It's your standard, typical phishing scam that's been happening a long, long time. I think this person, because [he or she] went on discussion boards and posed as an employee, it got more attention. The reality is these scams have been around years and years. As [we] shut these guys down, they adapt. They're obviously intelligent people. But as they evolve, so do we."


Vladuz first came to Dotyou.com's attention a few weeks ago—Valentine's Day, as a matter of fact.

Dotyou had written some RSS tools to track scam auctions. First, they manually identified the improper English typically used by non-native English-speaking scam artists. The listings with bad English had another consistent feature: They tried to lure buyers into contacting them outside of eBay, through an e-mail address at Yahoo or Hotmail, for example, and then asked that the buyers pay them through Western Union.

Using the bad-English phrases in one RSS stream and cross-referencing the non-eBay e-mail addresses in another RSS feed keeps the list of bogus listings current, Livingstone said. Using this list, they kept track of hijacked seller accounts and were tracking some 30 to 70 accounts per day. Each account, however, would typically post from 70 to 200 expensive items, to make as much use of the hijacked account as possible before eBay would shut it down.

But in 2007, Dotyou noticed that the hijacked accounts were only running one auction per hijacked seller; the frugality had disappeared. "It appeared as though something [had] changed," Livingstone said in an e-mail exchange. "As if there is [a] larger and larger pool of available phished eBay IDs so the scammers do not need to be frugal with them any longer."

The trend culminated with Vladuz temporarily unveiling his auctions to the public, she said. Instead of putting up fake auctions, he began to inject code into legitimate auctions created by real sellers, updating the auction with big "EMAIL ME" statements. The typical hijacked auction on Feb. 14 looked like this listing, with a "Buy It Now" message luring buyers to a Gmail address.


What's alarming about the new trend, Livingstone said, was that it went beyond fake listings—a "regular Romanian modus operandi"—that were the result of successfully phished legitimate accounts and, through a security hole or a tool, entered a new level of sophistication, picking up on real auctions and modifying them.

As of Feb. 5, Dotyou.com was in the process of updating an archive of what Livingstone said are live Vladuz auctions, identifiable by his signature toward the bottom: his handle spelled backward, as zudalv.
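The Dotyou-style tracking described in the preceding paragraphs, reduced to a runnable sketch: listings are scored on hand-picked non-native-English phrases, contact addresses at webmail providers instead of eBay messaging, a Western Union payment lure, and the backwards "zudalv" tag, and the webmail addresses from any flagged listing feed a cross-reference set that catches later listings reusing the same address even when their English is clean. This is an added example, not Dotyou.com's or eWEEK's code; the phrase and domain lists, the `Listing`/`Verdict` field names and the sample listings are assumptions and constructed data.

```python
import re
from dataclasses import dataclass

# Hypothetical stand-ins for Dotyou's hand-curated lists (assumptions, not the real ones).
BAD_ENGLISH_PHRASES = (
    "contact me at my email before to bid",
    "the item is in europe",
    "i will send through",
)
OFF_PLATFORM_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}
PAYMENT_LURES = ("western union", "moneygram", "bank wire")
VLADUZ_SIGNATURE = "zudalv"          # the handle spelled backwards, per the article

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


@dataclass
class Listing:
    item_id: str
    seller: str
    description: str


@dataclass
class Verdict:
    item_id: str
    seller: str
    reasons: list
    emails: set

    @property
    def suspicious(self) -> bool:
        # A webmail address on its own is weak evidence; it counts only when paired
        # with the language or payment signal. A known scam address or the Vladuz
        # tag is enough by itself.
        r = set(self.reasons)
        if "known scam address" in r or "vladuz signature" in r:
            return True
        return "off-platform contact" in r and bool(r & {"bad-english phrase", "payment lure"})


def off_platform_emails(text: str) -> set:
    """Addresses in the listing text whose domain is a webmail provider, lower-cased."""
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text)
            if m.group(1).lower() in OFF_PLATFORM_DOMAINS}


def analyse(listing: Listing, known_bad: set) -> Verdict:
    text = listing.description.lower()
    emails = off_platform_emails(listing.description)
    reasons = []
    if emails:
        reasons.append("off-platform contact")
    if emails & known_bad:
        reasons.append("known scam address")
    if any(p in text for p in PAYMENT_LURES):
        reasons.append("payment lure")
    if any(p in text for p in BAD_ENGLISH_PHRASES):
        reasons.append("bad-english phrase")
    if VLADUZ_SIGNATURE in text:
        reasons.append("vladuz signature")
    return Verdict(listing.item_id, listing.seller, reasons, emails)


def sweep(listings):
    """Process listings in feed order. Addresses from each flagged listing join the
    cross-reference set used for every later listing; flagged sellers are tallied
    as hijacked accounts for the day."""
    known_bad, hijacked_sellers, verdicts = set(), {}, []
    for listing in listings:
        v = analyse(listing, known_bad)
        verdicts.append(v)
        if v.suspicious:
            known_bad |= v.emails
            hijacked_sellers[listing.seller] = hijacked_sellers.get(listing.seller, 0) + 1
    return verdicts, known_bad, hijacked_sellers


# Constructed sample listings, not real eBay data.
SAMPLE_LISTINGS = [
    Listing("110001", "denver_al",
            "2004 BMW 330i, clean title, local pickup in Denver. Questions through eBay messages only."),
    Listing("110002", "sue_sells_2001",
            "2005 Ford Mustang GT. The item is in Europe. Contact me at my email before to bid: "
            "carsales_john@yahoo.com. I will send through Western Union."),
    Listing("110003", "boatguy77",
            "2003 Bayliner 185, trailer included. Email carsales_john@yahoo.com for Buy It Now price."),
    Listing("110004", "mikes_garage",
            "1999 Honda Civic EX, 88k miles. *** EMAIL ME NOW: quickdeal@gmail.com *** ... zudalv"),
]

if __name__ == "__main__":
    verdicts, known_bad, hijacked = sweep(SAMPLE_LISTINGS)
    for v in verdicts:
        print(v.item_id, v.seller, "SCAM" if v.suspicious else "ok", v.reasons)
    print("cross-reference set:", sorted(known_bad))
    print("hijacked sellers today:", hijacked)
```

The third sample listing is the point of the cross-reference: on its own it only carries a webmail address and would pass, but because that address already appeared in a flagged listing it is caught, which is what keeps the bogus list current as phrasing changes.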

TAG's Baldwin said that Vladuz first came to her attention through his sale of eBay hacking tools. She saw that somebody on a chat board posted a tale of having been offered the chance to buy a tool called Second Chance Offer. The tool mimics eBay's Second Chance Offer feature, in which a seller offers an item to the bidder who came in second and therefore hadn't won the auction. In this case, Vladuz appeared to have created a tool that made such an offer look as though the e-mail was coming from eBay's own e-mail system. In fact, the tool creates fake offers, a way to coax a buyer into making a payment and receiving nothing in return.


Baldwin searched for any reference to the Second Chance Offer tool and came up with a company called SGI Enterprises—a name to which the handle vladuz was connected. She started tracking postings of vladuz back to 2002, finding postings on Chinese hacker sites.

Then Vladuz e-mailed her, offering a look at his or her new tool. It was posted as a Firefox plug-in, Baldwin said, that would automatically decipher and type in the text encoded in a garbled image file—in other words, a CAPTCHA solver.

eBay denies that Vladuz has anything but old screenshots of the back ends of tools eBay created and used. "He didn't have access—he pulled screenshots," England said.

At this point, Vladuz is shrouded in an aura of invincibility. eBay watchers, almost superstitiously, point to his ability to "cherry-pick accounts" according to a certain pattern—usually those with a medium amount of feedback that are fairly inactive. News accounts have referenced his ability to offer up hijacked accounts in sequential order as proof that he has access to eBay's internal databases.

That's taking it a bit far, said Dave Jevans, chairman of the Anti Phishing Working Group.

"There are of course automated phishing kits, and they are becoming both more sophisticated and widely available," he said. "However, they typically mine eBay auctions and find user names, and then send e-mails or Second Chance rebid opportunities to those people. That's the only way I can see that automated harvesting would work."


The sequential order of hijacked accounts is typical, he said, when phishers batch-process information and offer it for sale.

Still, given the range of brazen hacks to which the name is attached, Vladuz is scary, and eBay is hot on the Romanian spammer/phisher/hacker's trail.

England said that eBay has spent the past few months tracking the crook, working with Romanian law enforcement. But although Vladuz is known as a "career criminal" in Romania, she said, there's no guarantee he or she will be found and prosecuted soon. That's due to differences in laws surrounding IP tracking, for example, but also due to a lack of resources in a country such as Romania.

In an impoverished country such as Romania, money talks, Livingstone said. On that point, England agrees. Back in 2002 when eBay was dealing with a separate hacker issue in Romania, the police knew where the criminal was, she said. Unfortunately, he was some 30 to 40 miles away from the station, and they couldn't afford the gas to go get him.

eBay was more than happy to lend a helping hand.

Editor's Note: This story was updated to include more information on Vladuz's reported activities.
