Not surprisingly, the cross-site scripting (XSS) and/or Flash manipulation scam is alive and well on eBay, this time documented by a casual observer. This has also been documented time and again by myself and others on YouTube, BTW.

For those not aware, these ID-stealing flaws have, through careful research, been shown to exist uncorrected on ebaY for as long as 11+ years now.

What’s even more alarming: you don’t need to actually sign in to any phake login page to have your credentials stolen, thanks to the cookie-stealing variant of this hack.

Top that off with the fact that ebay’s own policy is to blame the user/victim.

Numerous comments at my YouTube videos also indicate that victims are treated poorly and unprofessionally by ebaY’s customer service reps.

Important facts to consider when choosing online shopping or even surfing destinations.


Ebay scam redirect camper van

Uploaded by on Jun 8, 2011

Hi, I’m not even an eBay member, but was looking at camper vans. If it’s too good to be true it probably is; don’t be foolish and lose your details or money. Thanks for watching. Can you trust this site? I think not. Thanks for watching. Please remember, if you do buy something like this you part with your money and you will have no comeback, yes that’s right. Do your checks, AA, RAC, whatever. Don’t part with your money on the descriptions (important) alone on this site; you could end up with a pile of poop. HPI only shows recorded accidents, not accidents repaired by other means, so get it checked. Don’t believe these lying scum.


Update: for whatever reason, that video has been removed. Anyone wishing to see it can leave a comment below and we shall make it available from the Mighty Cappnonymous Archives.

Romanian Detained Over eBay Cyber Fraud

Romanian detained over a $3 million cyber fraud against eBay Inc.

Very interesting article from ABC News:

Romanian authorities have detained a man suspected of committing cyber fraud worth $3 million against the company eBay Inc.

Organized crime prosecutors say Liviu Mihail Concioiu is being investigated for “phishing” attacks against 3,000 eBay Inc. employees.

They said Thursday that Concioiu allegedly stole the employees’ IDs and passwords in 2009 and accessed company files, including an application with the database of eBay clients and their transactions. Concioiu then used “phishing” sites to access the accounts of about 1,200 eBay users.

It would appear the ebay database has been hacked, cracked, and zombied AGAIN.

(or is that still?)

Also notice how the term ‘phishing’ is constantly used. ebaY doesn’t like the “H” word, it seems. But “phishing” alone does not get you access to the files and data described. We call that “HACKING”.

rotflmao! Who could imagine?

It also tells us that ebay employees must not be too savvy if they are falling for whatever tricks are being used to obtain the logins, etc.

No mention of any response from ebay.

With ITS long and repeated history of such events, you should ask yourself whether you trust this unsafe outfit with your personal and financial data.

PayPal fails to follow its own anti-phishing advice

Hilarious! This has been reported and demonstrated over and over again. My only conclusion is that PayPal themselves must be behind a good deal of the phishing and attempts thereof. It’s a Pavlovian thing. (BTW, ebay still does it too.)

What other possible explanation could there be?

If ebaY and PayPal were truly interested in combatting phishing they would send emails with no HTML, no links, etc. No one should know that better, or be more aware of it, than they.

Here are some highlights from the article posted on September 9, 2010, on Help Net Security:

“According to The Register, PayPal UK has violated its own anti-phishing advice when it sent out an email containing a direct link to the updated user agreement to its users, because one of the tips on avoiding phishing scams contained in the quiz says that the users should “always log into PayPal by opening a new browser and typing in the following: https://www.paypal.com.”

PayPal confirmed that the email is legitimate, but points out that it also contains the information that the users can type paypal.co.uk into the browser if they aren’t completely sure that the offered link is safe to click on.

“PayPal does not advise people not to click on links in emails, rather to exercise caution. Users are advised to check the URL of any link to make sure it does not direct them to something unexpected, as you know they can do this by hovering their mouse over the link,” it says in their comment.
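The “check the URL of any link” advice quoted above, done programmatically rather than by hovering: the script below walks the links in an HTML e-mail and flags any whose real destination (the href) is not HTTPS, is outside the sender’s own domains, or differs from the host the visible link text claims. This is an added example for this page, not code from PayPal, The Register or Help Net Security; the sample e-mail and the allowlist of expected PayPal domains are constructed assumptions for the illustration.

```python
"""Audit the links in an HTML e-mail for the mismatches a phishing message
relies on. Added example; sample message and domain allowlist are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of apex domains a genuine PayPal notice should link to.
EXPECTED_APEX = {"paypal.com", "paypal.co.uk"}

# Constructed sample: one genuine link, one look-alike, one subdomain link.
SAMPLE_EMAIL = """
<p>We have updated our User Agreement.</p>
<p><a href="https://www.paypal.com/uk/legal">https://www.paypal.com/uk/legal</a></p>
<p><a href="http://paypal.com.account-check.example/login">https://www.paypal.com/signin</a></p>
<p><a href="https://cdn.paypal.co.uk/assets/logo">View in browser</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a bare 'paypal.co.uk' in link text has no scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_expected_host(host, expected=EXPECTED_APEX):
    """True for an allowlisted apex or one of its subdomains. The test is on the
    end of the host, so 'paypal.com.account-check.example' is rejected."""
    return host in expected or any(host.endswith("." + apex) for apex in expected)


def audit_links(html, expected=EXPECTED_APEX):
    """Return one finding per link that deserves a second look, with reasons."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = []
        scheme = urlparse(href.strip()).scheme.lower()
        target = host_of(href)
        if scheme != "https":
            reasons.append("scheme is %r, not https" % scheme)
        if not is_expected_host(target, expected):
            reasons.append("destination host %r is outside %s" % (target, sorted(expected)))
        if "." in text and " " not in text:      # the visible text is itself a URL or host
            shown = host_of(text)
            if shown != target:
                reasons.append("visible text points at %r but link goes to %r" % (shown, target))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed message, only the look-alike link is reported, with three separate reasons; the genuine link and the cdn.paypal.co.uk link pass. Feeding it a real message means saving the HTML part and passing it to `audit_links`.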

Do you trust this outfit with your personal and financial data?

Who could imagine?

The long-uncorrected XSS flaw rears its ugly head again!

AuctionBytes reports that falle-internet.de has again discovered listings with the malicious coding, this time with a virus twist.

The most important and telling quote of the article:

“They used javascript and java to address a known vulnerability; user’s computers were affected by just viewing the respective listings,”

See that part about “…just viewing the respective listings…”?

That is one of the main reasons I advocate avoiding ebaY at all costs. Another is that they BLAME the USER for their own failures! Furthermore, they refuse to correct the flaw! Make no mistake, ebaY is a dangerous, untrustworthy, and dishonest website. Of that there is proof beyond the slightest shadow of a doubt!

ebaY is HACKED! Yes! ebaY is still HACKED!!!

Here is the report, with screencapture images, in English at falle-internet.

My research indicates this issue has been ongoing at ebaY for about 10 full years now. Perhaps not under the same name, but indeed cross-site scripting has been exploited on ebaY since before it even had that name. Ebay has been aware of the issue for that long also, since looooong before the US-CERT warning was posted. Bear in mind there are many variants of this exploit possible to use. It’s been used also for the redirects, and for cookie-stealing, etc. The possibilities are only limited by the hacker’s imagination and ebay’s steadfast refusal to secure its festered site.

I’ll be posting another video demonstrating the +/- 10 year longevity of the XSS flaw on ebaY before long at the Cappnonymous channel.

On March 25th, 2010, a hacker was able to place over 52 thousand fake item listings in rapid succession (bot-driven hack attack) on the ebay site.

What’s unusual this time is that industry leader auctionbytes.com covered it, and it also got a blurb on USA Today.

And a humble YouTube contribution by yours truly. You’ll notice I captured/documented an additional victim and some other curiosities regarding suspicious links in the listings which led to phake sign-in pages, etc.

Of course I was compelled to criticise, as this is far from the first such episode.

You will notice from the date that one was created/posted that ebaY has truly been under an (uncorrected/unresolved) hack attack for literally years!

I have an entire channel documenting these events.

This is all valid criticism of the leadership and of issues which have become perennial at ebaY, and which have placed untold numbers of consumers at risk of fraud, ID theft, etc.

We don't need no stinking badges! LOL!

This is scary stuff while simultaneously a bit amusing.

“That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.”

“If a company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will” and “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

Here is a comedy highlight:
“VeriSign, the largest Certificate Authority, declined to comment.”

Looks like SSL is shot to hell.

Read the entire article. Follow the links there. lol

Law Enforcement Appliance Subverts SSL
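The client-side answer to the forged-certificate man-in-the-middle in the article above is certificate pinning, shown here as an added example for this page (not code from Packet Forensics, Wired or any browser vendor). A “look-alike” certificate from any of the 100+ trusted CAs passes ordinary chain validation, which is exactly why that validation is not enough; the extra check compares the SHA-256 fingerprint of the leaf certificate the server actually presents with values the client recorded in advance. The host name, the pin store and the DER byte strings are constructed for the example.

```python
"""Certificate pinning on top of normal TLS validation. Added example; the
host, pin store and certificate bytes below are constructed stand-ins."""
import hashlib
import socket
import ssl

# Constructed stand-ins for the DER encoding of two certificates for one host:
# the genuine one, and a look-alike issued by some other trusted CA.
GENUINE_CERT_DER = b"constructed DER of shop.example's genuine certificate"
FORGED_CERT_DER = b"constructed DER of a look-alike certificate for shop.example"


def fingerprint(der_bytes):
    """Hex SHA-256 of the certificate's DER bytes, the value certificate
    viewers display as the SHA-256 thumbprint."""
    return hashlib.sha256(der_bytes).hexdigest()


# Assumed pin store: host -> acceptable leaf fingerprints. Real deployments keep
# a backup pin so a routine certificate renewal does not lock clients out.
PINS = {"shop.example": {fingerprint(GENUINE_CERT_DER)}}


def pin_matches(host, der_bytes, pins=PINS):
    """True only if the presented leaf certificate is one pinned for this host.
    Unknown hosts fail closed: no pin means no trust, rather than silently
    falling back to CA validation alone."""
    expected = pins.get(host)
    if not expected:
        return False
    return fingerprint(der_bytes) in expected


def check_pinned_connection(host, port=443, pins=PINS, timeout=5.0):
    """Open a TLS connection with the usual CA-chain and hostname validation,
    then additionally require the pin. Returns (pin_ok, presented_fingerprint).
    This is the only network call here; the offline checks use pin_matches."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pin_matches(host, der, pins), fingerprint(der)


if __name__ == "__main__":
    for label, der in (("genuine", GENUINE_CERT_DER), ("look-alike", FORGED_CERT_DER)):
        verdict = "pin ok" if pin_matches("shop.example", der) else "REJECTED"
        print("%-10s %s... %s" % (label, fingerprint(der)[:16], verdict))
```

The look-alike certificate is rejected even though, in the scenario the article describes, the browser’s padlock would have shown it as valid. The cost of pinning is operational: whoever runs the client must update the pin store whenever the server’s certificate is renewed, which is why the comment above insists on a backup pin.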

A new study released by Symantec has some not-too-surprising results.

The study surveyed employees who lost or left a job in 2008, and found that 59 percent of ex-employees admit to stealing confidential company information, such as customer contact lists.
Further findings:

— 53 percent of respondents downloaded information onto a CD or DVD, 42 percent onto a USB drive and 38 percent sent attachments to a personal e-mail account.
— 79 percent of respondents took data without an employer’s permission.
— 82 percent of respondents said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job.
— 24 percent of respondents had access to their employer’s computer system or network after their departure from the company.

As this relates to ebay and PayPal, well, there was that ugly little incident around March last year. It appeared to me that folks at YouTube and the ebay forums were trying very hard to keep that info from becoming known, as any comments about it at YouTube were instantly marked as spam, and/or comments at the ebay forums were met with the usual denials by the very same hardcore, tired old group of suspected “paid word of mouth advertisers”, AKA shills, on the PayPal forum.

If you visit this video and expand the (more info) area, you will see more screencaptures and links with some pretty strong evidence that hackers, phishers, scammers, etc. are only some of the things you need to be concerned about when using the PayPal service. Not to mention the fact that there very likely is a network to help cover up all the misdeeds and misbehavior. Weasels in, and/or in charge of, the henhouse?