user’s data leaks


Romanian Detained Over eBay Cyber Fraud

Romanian detained over a $3 million cyber fraud against eBay Inc.

Very interesting article from ABC News:

Romanian authorities have detained a man suspected of committing cyber fraud worth $3 million against the company eBay Inc.

Organized crime prosecutors say Liviu Mihail Concioiu is being investigated for “phishing” attacks against 3,000 of eBay Inc. employees.

They said Thursday that Concioiu allegedly stole the employees’ IDs and passwords in 2009 and accessed company files, including an application with the data base of eBay clients and their transactions. Concioiu then used “phishing” sites to access the accounts of about 1,200 eBay users.

It would appear the ebay database has been hacked, cracked, and zombied AGAIN.

(or is that still?)

Also notice how the term ‘phishing’ is constantly used. ebaY doesn’t like the “H” word it seems. But “phishing” alone does not get you access to the files and data described. We call that “HACKING”.

rotflmao! Who could imagine?

It also tells us that ebay employees must not be too savvy if they are falling for whatever tricks are being used to gain the logins etc.

No mention of any response from ebay.

With its long and repeated history of such events, you should ask yourself whether you trust this unsafe outfit with your personal and financial data?

Who could imagine?

The long uncorrected xss flaw rears its ugly head again!

Auctionbytes is reporting that falle-internet.de has again discovered listings with the malicious coding, this time with a virus twist.

The most important and telling quote of the article:

“They used javascript and java to address a known vulnerability; user’s computers were affected by just viewing the respective listings,”

See that part about “…just viewing the respective listings…” ?

That is one of the main reasons I advocate avoiding ebaY at all costs. Another is that they BLAME the USER for their own failures! Furthermore, they refuse to correct the flaw! Make no mistake, ebaY is a dangerous, untrustworthy, and dishonest website. Of that there is proof beyond the slightest shadow of a doubt!

ebaY is HACKED! Yes! ebaY is still HACKED!!!

Here is the report, with screencapture images, in English at falle-internet

My research indicates this issue has been ongoing at ebaY for about 10 full years now. Perhaps not under the same name, but indeed cross-scripting has been exploited on ebaY since before it even had that name. Ebay has been aware of the issue for that long also. Since looooong before the US-CERT warning was posted. Bear in mind there are many variants of this exploit possible to use. It’s been used also for the redirects, and for cookie-stealing etc. The possibilities are only limited by the hacker’s imagination and ebay’s steadfast refusal to secure its festered site.

I’ll be posting another video demonstrating the +/- 10 year longevity of the xss flaw on ebaY before long at the Cappnonymous channel

We don't need no stinking badges! LOL!

This is scary stuff while simultaneously a bit amusing.

“That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.”

“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will” and “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

Here is a comedy highlight:
“VeriSign, the largest Certificate Authority, declined to comment.”

Looks like SSL is shot to hell.

Read the entire article. Follow the links there. lol

Law Enforcement Appliance Subverts SSL

ebaY Crafty Hackers and iPhone Scams

by Cappnonymous

Update: 09-2-2007 +/- 16:30 PDT.

More Hacking kits found on ebay…

Online auction site, eBay, is unwittingly selling software that is used to hack eBay user accounts and steal personal information, according to research from online security experts PC Tools.

A number of software items for sale on the world’s leading online auction site contain a variety of programs including keyloggers, trojans and other malware making devices that are aimed at helping users hack computers, websites and even individual user accounts.

“Despite eBay’s excellent reputation for ensuring that it protects both consumer safety and privacy, it’s almost impossible to police every item,” said Mike Greene, VP Product Strategy at online security experts PC Tools.

“I am certain that the sale of this sort of software on eBay comes as a surprise to most, but the success eBay has also meant that the world’s leading online auction site can also attract the wrong kind of attention,” said Greene.

“It is ironic that something intended ultimately to steal a consumer’s identification and financial information is being sold via what is one of the world’s number one targets for the ID theft,” said Greene.

continues, with url of now invalid listing.

screen capture of the invalid item page, 640 pixels wide.


Following a search for the exact terms found in the article,

Hacking-cracking-programs-best-on-ebay

I quickly located a listing with that exact title.

Here I have a screen capture of what appears most likely to be an identical item for sale


Here is the screencap of that search, in 640 width


Note a couple of the hilarities such as payment via Paypal and the Square Trade seal.

The seller’s feedback is 100%, so he/she must have some very happy buyers.

Further, whoever wrote that article seems to be a bit out of touch with the sad facts.

Edit

09-19-2007 +/- 19:30 PDT

I have located what appears to be the original listing mentioned in the article in Google cache. Here 360 pixels wide. remove _360 to see it full size.

Hacking&Cracking programs best on ebay!


ebay Hacked! Attack of the 1335 Apple iPhones wareagie

Anyone out there still believe ebay is NOT hacked?

Anyone out there still believe ebay is safe, honest, or trustworthy?

Here is yet another hack attack of immense proportions. 1335 iPhones, all listed within a matter of a couple minutes or so.
Meet the seller/victim
Seller: wareagie (34)
Feedback: 97.2% Positive
Member: since Aug-28-00 in United States

Meet the hacker’s email address:
vanila3456@gmail.com

Here is just one listing details:
20 – 8GB Apple iPhone- Brand New- Never Used
Item number: 300147916089
Starting time: Sep-03-07 16:34:50 PDT
Starting bid: US $1.00
Duration: 1-day listing

Further documentation of the ongoing massive hack attack upon ebay.
I have screencaps to further document this sad event.

http://tinyurl.com/ytatds

http://tinyurl.com/ytpr4o

http://tinyurl.com/ys7p3e

related story/issue:

Apple iPhone ebay Scam Article from digg dot com Resurrected

Also be sure to see the Cappnonymous youtube channel for more shocking documentation of hacker pwnage of ebay. Be sure to expand the descriptions and follow suggested links.

The videos document a clear and concise pattern of troubles, pointing all the way back to the first Vladuz incidents.

Ebay HACKED! Massive Hack Attack 4js2 60K items listed

Hacked! jimmy.cry Attacks ebay & cmptgal1 with Big Balls

Ronny.Scott90 Butchers ebay AGAIN Run Zombies Run

ebay is Hacked! Fake Alienware Auction Babies Not Included

And then, folks…

Boycott ebaY and PayPal

Lastly, I am looking for some input with a new Boycott ebay and Paypal vid.

Please have a look and consider leaving your thoughts and suggestions.

It should be readily apparent to the most casual observers that ebay is not safe, not trustworthy, nor honest, nor will they ever be.

Better is time and money spent “Elsewhere”

Here is a really good example of what I mean. Follow the links back to the yahoo finance ebay message board and see how what appears to be a group of paid shills constantly harass, use “copycat” or “look-alike” IDs to deride, belittle, indeed even threaten anyone who dares speak ill of the almighty ebay.

Looks like that may be against the law, it most certainly is sleazy.

We just saw a prime example of such similar activity.


sleazebay censorship

In the course of conducting a bit of research for something, I referred to my digg.com account. I had posted a link to it here in a post entitled “Looks like the ebay hackers are using PayPal to collect” , at a new consumer rights oriented website forum, Screw-PayPal.com. The article I sought was:

http://digg.com/apple/Apple_iPhone_SCAMS_alert_eBay_unlocked_iPhone_scam_iPhone_store_scam

Which pointed here to this.

Lo & behold, it took me to a page which said:

Oops! What youre looking for isn’t here!

Good thing I was able to find that article still on google.

At the moment, it can still be found in the cache.

Here is a screencap of the google search for the article.

Update 09-04-2007

I see that reference, for the exact terms, has now completely vanished from google too.

Again, here is the search.

http://tinyurl.com/2zfggb

The original article was gone.

But for anyone wishing to see the content, I have here the text and screencaps.

If you want to cut to the quick, here is the page, as full sized screencap png format

http://tinyurl.com/2ahlxs

Apple iPhone SCAMS alert: eBay “unlocked” iPhone scam, iPhone store scam

Due to the fact that Apple ’s iPhone became a hot selling item, a variety of scams based around it popped up online. Here are two of the most popular ones at the time of writing. eBay “unlocked iPhone” scam – iPhone “online store” scam. While the “iPhone online store” scam is more malicious than the “unlocked iPhone” scam, both of them will hit..

Submitted: 19 days ago
Submitter: iDionysus (news: submissions, diggs, comments)
Topic: News » Technology » Apple
Source: www.iphoneworld.ca

by willynilly on 07/30/2007

Yeah, I called an eBay guy on this bullshit just the other day.


by giovanni666 on 07/30/2007

You need to be very careful with the iphone listings (or anything) on ebay. The site is hacked and the scammers are listing fake auctions. It is very well documented. In particular, watch for the misspelling “unloked”
http://www.youtube.com/results?search_query=ebay+hacked+iphone&search=
http://budmalcolm.bravejournal.com/entry/23679


by drethedog on 07/31/2007

I got scammed from a guy on Ebay last week, he had 180 100% positive feedback, apparently somebody hacked in his account and listed the phone, I used pay pal and the money was sent to someone else, now I’m waiting for pay pal to review my case and I’m down 5 hundos…

—————————————————————–

Note that the last comment indicates that a consumer sent payment for his/her iPhone via Paypal, and found that the account had been hacked.

The innocent consumer lost 500 dollars.

Clear evidence that the hackers are into Paypal the same way they are into ebaY.

Now, full page screencap of the cached article

(full page screencaps created with FireFox extension “save as image“)

Another screencap, the rest of the over-wide page, taken with MWSnap.

Note the url. Note the time & Date it was cached.

I do not know why, but I notice a lot of things dealing with ebaY / Paypal security and related issues are “evaporating”.

I also get the feeling people reading this may wish to see this hacked iphone video which was removed from Youtube for alleged copyright infringement, by a mysterious, unidentified “3rd party” no less:
ebaY Hacked Live! kcrunchymunch APPLE iPHONE bogus auction

Well I hope everyone has a good chance to see these screencaptures of the compromised account pages:

http://img238.imageshack.us/img238/7153/paypalsrupfq0.png

(if image fails to load, look here: paypalsrupfq0 )

http://img355.imageshack.us/img355/3781/paypalkawakamirc2.png

http://img117.imageshack.us/img117/4752/paypalwelkje4.png

http://img523.imageshack.us/img523/6960/paypalballardtv2.png

http://i12.tinypic.com/4056v5z.png

http://i11.tinypic.com/2yv8f9i.png

http://i7.tinypic.com/2mdmas9.png

http://i12.tinypic.com/42ksef6.png

Along with the preserved threads which dealt with the subject:

The infamous “Gephishte Accounts die eBay nicht interessieren” thread, archived as png images: 

Seite 1

(original file location was

http://img366.imageshack.us/img366/2875/seite01lz1.png )

Seite_2
original file location was:

Seite 3

Also, the follow-up thread “Gephishte Accounts die eBay nicht interessieren *zensiert*” has been likewise archived:

German language

English translation

(the embedded youtube video you see in the German language screencap is from FireFox browser Greasemonkey extension VideoEmbed Script)

*Thanks to imageshack.us for free photo hosting

**Thanks to tinypic.com for free image hosting

If they should happen to disappear, I will repost them from here to BFE and back again.

Also, see the related videos at youtube regarding the iPhone scams on ebay, and 3 videos documenting the massive compromised account problem at Paypal, along with approximately 80 video documentaries of the hack attack upon ebay.

I just happen to have many more examples of hacked accounts with bogus iPhone listings which I have not uploaded or posted anywhere (yet.) I suppose I will be doing so now though, along with every last bit of information which points to the facts about just how dangerous, unsafe, and untrustworthy ebay/ PayPal is/are.

For more documented horror stories, see the Cappnonymous 2010 Blog
