Feeds

Once again, 'Vladuz' impales eBay defenses

Getting ridiculous

HP ProLiant Gen8: Integrated lifecycle automation

For at least the third time in as many months, a malicious hacker has gained unauthorized access to parts of eBay's network despite the best efforts of the company's security team to fortify its system against the embarrassing breaches.

A miscreant who went by a variation of the name Vladuz was able to secure credentials reserved for employees of eBay and post on at least two of the company's forums, including (ironically) one dedicated to trust and safety. The intrusion, like the others preceding it, is fueling suspicions that eBay suffers from systemic security problems, contrary to the online auctioneer's assurances that the hacker hasn't breached servers that store customer records and other sensitive data.

Over the past two months, the volatility in the number of auctions being posted and then pulled has skyrocketed. Critics say the spike is a result of a security hole in eBay's system that allows cyber-crooks to take over established accounts at will and post a flurry of fraudulent auctions. Once eBay's security team catches wind of the scams, the postings are removed, creating the sudden declines in listings.

eBay spokeswoman Nichola Sharpe said company security employees are taking measures to put a stop to Vladuz's intrusions. "We are in the process of putting lots of behind-the-scenes things in place to stop him," she said. "We're as confident as we can be" that the measures will work. Sharpe said members of the security team know exactly how the perpetrator is breaching the network. She declined to describe that method or to elaborate of the fixes being implemented.

There is no evidence today's breach was any different from previous times, when the hacker was able to penetrate servers that administer employee email and possibly other functions such as an intranet, Sharpe said. She was emphatic that the intruder has never accessed more sensitive parts of the network.

Those assurances have done little to assuage a small but vocal group of users who say fraud is running rampant on eBay. Indeed, just prior to the most recent breach, some forum participants were bemoaning the exploits of Vladuz and what they claimed was eBay's inability to fix the problem and its refusal to acknowledge it publicly.

"We have to be very patient until these problems rise high enough to get some attention by the wide public," a user with the handle thorbenhauer wrote at 10:24 AM German time. "And even then eBay will still stick to their good old tactics: plausible deniability, disposing every bit of proof they can lay their hands on and accuse others of misinformation." At noon, a posting appeared with the pink banner that is supposed to be reserved for official eBay representatives. Quoting part of thorbenhauer's message, the impostor, who used the nick vladuzpower, responded: "Turn on CNN on march 15, you might have a surprise, however I'm not promising anything." He didn't elaborate. The intruder also made pink postings on a US-based forum, Sharpe said.

Today's exploit is only the latest headache for eBay security personnel. Last week, an eBay user posted the personal information of at least 15 people, including first and last names, social security numbers, mother's maiden names, addresses, phone numbers, bank account numbers and credit card numbers. A call to one of the names listed confirmed that the information was accurate.

It was unclear how last week's poster, who did not log in as an eBay employee, acquired the information. eBay does not collect much of the data posted, so it's safe to assume at least some of it originated from a source other than the online auctioneer. ®

Eight steps to building an HP BladeSystem

More from The Register

next story
THUD! WD plonks down SIX TERABYTE 'consumer NAS' fatboy
Now that's a LOT of porn or pirated movies. Or, you know, other consumer stuff
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
FLAPE – the next BIG THING in storage
Find cold data with flash, transmit it from tape
Seagate chances ARM with NAS boxes for the SOHO crowd
There's an Atom-powered offering, too
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.