Tuesday, March 6, 2007

What's Bugging eBay?

By Lisa Vaas
March 6, 2007

Updated: The auction behemoth is being skewered by Vladuz, the Romanian impaler, and the e-villagers are whispering that he's sucking customer and service rep account lifeblood directly from eBay's internal databases. Is he that spookily talented, or is he just another, albeit talented and lucky, phisher who also stumbled on an e-mail with internal accounts?

The eBay villagers are whispering that he can creep through eBay's internal databases and suck the lifeblood of customer accounts—log-ins and passwords—right out of their pulsing, 222 million-plus customer heart. He's putting up bogus listings as fast as eBay can take them down, and that proves he's walked through a security hole as big as a barn door.

No, eBay insists, this hacker, this Romanian wiseguy who goes by the handle Vladuz, is "nothing new." He's just another phisher, says eBay spokeswoman Catherine England, one of hundreds the huge auction site has to deal with constantly.

He may be getting loads of publicity from posting onto eBay forums as a service rep and taunting eBay—"Durzy is full OF sh*t," he wrote about eBay spokesperson Hani Durzy in a February posting after Durzy said that Vladuz had not accessed internal systems. But that just means he got lucky once and hit upon an internal e-mail that had a screenshot containing customer service reps' e-mail account information, eBay maintains.

Some eBay watchers attribute eBay's recent crackdown on cross-border sales to the recent spike in hijacked accounts. The spike in traffic might not be wholly attributable to Vladuz's work, but he or she is being credited for most of it. The multitalented hacker is leaving a calling card behind with his or her name, spelled backwards, attached to malicious code injected in live auctions. He's taunting eBay by posting to its forums as a customer service rep. His name is associated with a company name that is in turn associated with eBay hacking tools being found for sale online.

Hijacked accounts occur after phishers weasel log-in names and passwords out of legitimate eBay account holders and then use them to run auctions that look like they're taking place in a country with a reputation for legitimate sales, such as the United States or Canada.

This is nothing new, but eBay watchers say the number of hijacked accounts and their changed behavior makes it begin to look as if somebody had set up tools to automatically skim customer accounts from eBay's internal accounts—and such are Vladuz's reputation and braggadocio, at this point, that experts believe he or she could be responsible.

eBay watchers say the trigger for the spike was eBay's recent crackdown on counterfeit goods being sold from countries notorious for it, such as China. Like rats leaving a sinking ship, the thinking goes, crooks such as Vladuz are turning to hijacked accounts because the counterfeit e-business has gone belly-up.


"In the last few months, eBay has really taken a look at the trust and safety of our marketplace and our Web site," England told eWEEK. "We've been incorporating a lot of new measures. My understanding is it's been a little frustrating for this fellow. He's spent some quality time poking around our site and trying to find a way in. He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink—when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"

Lies, lies, lies, says online auction activist Rosalinda Baldwin, who runs an auction watchdog group called The Auction Guild (TAG).

"There's always been phishing [attempts to get account information and second-chance offers made to bidders who didn't win] and other fraud going on," she said. "It became huge mid-December [when eBay began to prevent Chinese sellers from selling to eBay U.S., eBay Canada, etc.]. It seems to have been the trigger: [The collection of phishing attempts and hijacked accounts] went from one without pattern to one" that definitely showed a pattern, she said.

"I know eBay pretty well," Baldwin said. "They can use all the excuses and lies they want, but they have yet to explain how what is happening on this site could be happening if what I'm saying is not true: that somebody has access to the back end."

Another eBay watcher, Genie Livingstone, has been trying to quantify the account hijacking. Livingstone is a PHP programmer and runs the Internet host and domain name registration site Dotyou.Com.

Here's an example (check out the five links at the bottom) of the Web monitors, based on RSS eBay tools, that Dotyou.com is using to track eBay scam auctions in real time. Livingstone is also tracking eBay listing totals on MedVed.net.

What she's found for the past few weeks is that the daily count of eBay listings has been "a series of sharp spikes of 1 [million] to 3 million items, instead of the usual gradual curve that reflects items being listed and sold," she said.

The seesawing appears, she said, "as if someone is flooding the site with hacked listings that eBay is pulling down, only to have them immediately relisted, only to have them pulled down, etc., etc."


This is MedVed's graph for eBay listings in February 2007, compared with February 2006. Notice the seesawing that begins on Feb. 22, 2007, with sharp increases and decreases that are of equal value, as if the same number of listings are being posted, delisted and posted again, in multiple daily cycles.
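The seesaw Livingstone describes is a testable signal: a listing-count series that rises sharply and then falls by almost the same amount, several times a day. The following is an added example (not MedVed.net's or Dotyou.com's code) that flags such paired jumps in a series of hourly listing totals; the counts are constructed sample data in millions, and the thresholds are assumptions.

```python
"""Added example: detect post/delist/repost "seesaw" cycles in a series of
eBay-wide listing totals. Sample data and thresholds are constructed."""

# Constructed sample: (hour of day, total listings in millions), imitating
# the Feb. 22, 2007 pattern: two rises of 2.0M and 2.5M undone within an hour.
SAMPLE_COUNTS = [
    (0, 100.2), (1, 100.3), (2, 100.4), (3, 102.4), (4, 100.4), (5, 100.5),
    (6, 100.6), (7, 103.1), (8, 100.6), (9, 100.7), (10, 100.7), (11, 100.8),
]


def find_seesaw_cycles(series, min_jump=1.0, symmetry=0.1):
    """Return (start_hour, rise, fall) for every rise that is immediately
    undone by a fall of nearly equal size.

    series   -- list of (time, count) in chronological order
    min_jump -- smallest delta worth flagging (same units as count)
    symmetry -- how closely the fall must mirror the rise: |rise + fall|
                may be at most this fraction of the rise
    """
    deltas = [(t1, c2 - c1) for (t1, c1), (_, c2) in zip(series, series[1:])]
    cycles = []
    for (t, rise), (_, fall) in zip(deltas, deltas[1:]):
        if rise >= min_jump and fall <= -min_jump and abs(rise + fall) <= symmetry * rise:
            cycles.append((t, round(rise, 2), round(fall, 2)))
    return cycles


def looks_like_relisting_flood(series, min_cycles_per_day=2, **kw):
    """A gradual list-and-sell curve has no such pairs; several per day is
    the signature described for the hijacked listings."""
    return len(find_seesaw_cycles(series, **kw)) >= min_cycles_per_day


if __name__ == "__main__":
    for start, rise, fall in find_seesaw_cycles(SAMPLE_COUNTS):
        print(f"hour {start}: +{rise}M then {fall}M")
    print("relisting flood suspected:", looks_like_relisting_flood(SAMPLE_COUNTS))
```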

eBay's England said that she looked into site activity over the past six months and found "absolutely no significant movement in number of account takeovers." However, she has not yet looked into the flux of listings numbers, she said.

Still, she insists, there's nothing new to see here, even if Livingstone credits eBay with having perfected automated tools to remove the bogus listings, which recently have been coming down after only 30 seconds.

"We've had a variety of automated tools in place for a long time," said England, in San Jose, Calif. "This is nothing new. I wish I could say it's some big, exciting thing. It's your standard, typical phishing scam that's been happening a long, long time. I think this person, because [he or she] went on discussion boards and posed as an employee, it got more attention. The reality is these scams have been around years and years. As [we] shut these guys down, they adapt. They're obviously intelligent people. But as they evolve, so do we."

Vladuz first came to Dotyou.com's attention a few weeks ago—Valentine's Day, as a matter of fact.

Dotyou had written some RSS tools to track scam auctions. First, they manually identified the improper English typically used by non-native English-speaking scam artists. The listings with bad English had another consistent feature: They tried to lure buyers into contacting them outside of eBay, through an e-mail address at Yahoo or Hotmail, for example, and then asked that the buyers pay them through Western Union.

Using the bad-English phrases in one RSS stream and cross-referencing the non-eBay e-mail addresses in another RSS feed keeps the list of bogus sites current, Livingstone said. Using this list, they kept track of hijacked seller accounts and were tracking some 30 to 70 accounts per day. Each account, however, would typically post from 70 to 200 expensive items, to make as much use of the hijacked account as possible before eBay would shut it down.
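The two-feed approach Livingstone describes can be reduced to a small scoring and cross-referencing routine. What follows is an added example, not Dotyou.com's own tools: it scores each item in a constructed search-style RSS feed on the three indicators named above (non-native phrasing, a webmail contact address, Western Union payment), collects the off-eBay addresses, and then uses that address set to catch sellers in a second feed whose text would otherwise look clean. The phrase list and feed contents are illustrative assumptions.

```python
"""Added example (not Dotyou.com's tools): flag listings showing the
hijacked-account scam pattern and collect off-eBay addresses so a second
feed can be cross-referenced. Feed contents and phrase list are constructed."""
import re
import xml.etree.ElementTree as ET

SAMPLE_RSS = """<rss version="2.0"><channel>
<item><title>Laptop Sony Vaio sealed</title><author>seller_a</author>
<description>I am sell this cheap. Contact me first on sonydeals@yahoo.com
before bid. Payment Western Union only.</description></item>
<item><title>Canon EOS 30D body</title><author>seller_b</author>
<description>Lightly used, ships from Ohio. PayPal accepted.</description></item>
<item><title>Rolex Submariner</title><author>seller_c</author>
<description>Please to email me watches4u@hotmail.com for buy now price.</description></item>
</channel></rss>"""
BAD_ENGLISH = ("i am sell", "please to email", "before bid", "for buy")  # illustrative
WEBMAIL = re.compile(r"[\w.+-]+@(?:yahoo|hotmail|gmail)\.com", re.I)
OFFSITE_PAY = re.compile(r"western\s+union", re.I)


def score_item(title, description):
    """Return (score, indicators) for one listing's text."""
    text = f"{title} {description}".lower()
    indicators = []
    if any(p in text for p in BAD_ENGLISH):
        indicators.append("bad_english")
    if WEBMAIL.search(text):
        indicators.append("webmail_contact")   # lure off eBay's own messaging
    if OFFSITE_PAY.search(text):
        indicators.append("western_union")     # hard-to-reverse payment
    return len(indicators), indicators


def scan_feed(rss_xml, threshold=2):
    """Return (flagged sellers, off-eBay addresses seen anywhere in the feed)."""
    flagged, addresses = [], set()
    for item in ET.fromstring(rss_xml).iter("item"):
        title, desc = item.findtext("title", ""), item.findtext("description", "")
        score, why = score_item(title, desc)
        addresses.update(a.lower() for a in WEBMAIL.findall(f"{title} {desc}"))
        if score >= threshold:
            flagged.append((item.findtext("author", ""), score, why))
    return flagged, addresses


def cross_reference(rss_xml, known_addresses):
    """Flag sellers in another feed that reuse an already-seen scam address,
    even when the rest of their text looks clean."""
    hits = []
    for item in ET.fromstring(rss_xml).iter("item"):
        text = f"{item.findtext('title', '')} {item.findtext('description', '')}"
        hits += [(item.findtext("author", ""), a.lower())
                 for a in WEBMAIL.findall(text) if a.lower() in known_addresses]
    return hits
```

Running `scan_feed` once per polling interval and feeding its address set into `cross_reference` on the next feed keeps the watch list current the way the article describes.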

But in 2007, Dotyou noticed that the hijacked accounts were only running one auction per hijacked seller; the frugality had disappeared. "It appeared as though something [had] changed," Livingstone said in an e-mail exchange. "As if there is [a] larger and larger pool of available phished eBay IDs so the scammers do not need to be frugal with them any longer."

The trend culminated with Vladuz temporarily unveiling his auctions to the public, she said. Instead of putting up fake auctions, he began injecting into legitimate auctions created by real sellers, altering the listing with big "EMAIL ME" statements. The typical hijacked auction on Feb. 14 looked like this listing, with a "Buy It Now" message luring buyers to a Gmail address.


What's alarming about the new trend, Livingstone said, was that it went beyond fake listings—a "regular Romanian modus operandi"—that were the result of successfully phished legitimate accounts and, through a security hole or a tool, entered a new level of sophistication, picking up on real auctions and modifying them.

As of Feb. 5, Dotyou.com was in the process of updating an archive of what Livingstone said are live Vladuz auctions, identifiable by his signature toward the bottom: his handle spelled backward, as zudalv.

TAG's Baldwin said that Vladuz first came to her attention through his sale of eBay hacking tools. She saw that somebody on a chat board posted a tale of having been offered the chance to buy a tool called Second Chance Offer. The modus operandi of the tool was to contact an auction bidder who came in second and therefore hadn't won whatever he had bid on. Second Chance offers to sell the bidder a similar item, but in this case, Vladuz appeared to have created a tool that allowed the user to look as though the e-mail was coming from eBay's e-mail system. Actually, the tool creates fake offers, a way to coax a buyer into making a payment and receiving nothing in return.

Baldwin searched for any reference of the Second Chance Offer tool and came up with a company called SGI Enterprises—a name to which the handle vladuz was connected. She started tracking postings of vladuz back to 2002, finding postings on Chinese hacker sites.

Then Vladuz e-mailed her, offering a look at his or her new tool. It was posted as a Firefox plug-in, Baldwin said, that would automatically decipher and type in the text encoded in a garbled image file.

eBay denies that Vladuz has anything but old screenshots of the back ends of tools eBay created and used. "He didn't have access—he pulled screenshots," England said.

At this point, Vladuz is shrouded in an aura of invincibility. eBay watchers, almost superstitiously, point to his ability to "cherrypick accounts" according to a certain pattern—usually those with a medium amount of feedback that are fairly inactive. News accounts have referenced his ability to offer up hijacked accounts in sequential order as proof that he has access to eBay's internal databases.

That's taking it a bit far, said Dave Jevans, chairman of the Anti Phishing Working Group.

"There are of course automated phishing kits, and they are becoming both more sophisticated and widely available," he said. "However, they typically mine eBay auctions and find user names, and then send e-mails or Second Chance rebid opportunities to those people. That's the only way I can see that automated harvesting would work."

The sequential order of hijacked accounts is typical, he said, when phishers batch-process information and offer it for sale.

Still, given the range of brazen hacks to which the name is attached, Vladuz is scary, and eBay is hot on the Romanian spammer/phisher/hacker's trail.

England said that eBay has spent the past few months tracking the crook, working with Romanian law enforcement. But although Vladuz is known as a "career criminal" in Romania, she said, there's no guarantee he or she will be found and prosecuted soon. That's due to differences in laws surrounding IP tracking, for example, but also due to a lack of resources in a country such as Romania.

In an impoverished country such as Romania, money talks, Livingstone said. On that point, England agrees. Back in 2002 when eBay was dealing with a separate hacker issue in Romania, the police knew where the criminal was, she said. Unfortunately, he was some 30 to 40 miles away from the station, and they couldn't afford the gas to go get him.

eBay was more than happy to lend a helping hand.

Editor's Note: This story was updated to include more information on Vladuz's reported activities.
