Feeds

Once again, 'Vladuz' impales eBay defenses

Getting ridiculous

Application security programs and practises

For at least the third time in as many months, a malicious hacker has gained unauthorized access to parts of eBay's network despite the best efforts of the company's security team to fortify its system against the embarrassing breaches.

A miscreant who went by a variation of the name Vladuz was able to secure credentials reserved for employees of eBay and post on at least two of the company's forums, including (ironically) one dedicated to trust and safety. The intrusion, like the others preceding it, is fueling suspicions that eBay suffers from systemic security problems, contrary to the online auctioneer's assurances that the hacker hasn't breached servers that store customer records and other sensitive data.

Over the past two months, the volatility in the number of auctions being posted and then pulled has skyrocketed. Critics say the spike is a result of a security hole in eBay's system that allows cyber-crooks to take over established accounts at will and post a flurry of fraudulent auctions. Once eBay's security team catches wind of the scams, the postings are removed, creating the sudden declines in listings.

eBay spokeswoman Nichola Sharpe said company security employees are taking measures to put a stop to Vladuz's intrusions. "We are in the process of putting lots of behind-the-scenes things in place to stop him," she said. "We're as confident as we can be" that the measures will work. Sharpe said members of the security team know exactly how the perpetrator is breaching the network. She declined to describe that method or to elaborate of the fixes being implemented.

There is no evidence today's breach was any different from previous times, when the hacker was able to penetrate servers that administer employee email and possibly other functions such as an intranet, Sharpe said. She was emphatic that the intruder has never accessed more sensitive parts of the network.

Those assurances have done little to assuage a small but vocal group of users who say fraud is running rampant on eBay. Indeed, just prior to the most recent breach, some forum participants were bemoaning the exploits of Vladuz and what they claimed was eBay's inability to fix the problem and its refusal to acknowledge it publicly.

"We have to be very patient until these problems rise high enough to get some attention by the wide public," a user with the handle thorbenhauer wrote at 10:24 AM German time. "And even then eBay will still stick to their good old tactics: plausible deniability, disposing every bit of proof they can lay their hands on and accuse others of misinformation." At noon, a posting appeared with the pink banner that is supposed to be reserved for official eBay representatives. Quoting part of thorbenhauer's message, the impostor, who used the nick vladuzpower, responded: "Turn on CNN on march 15, you might have a surprise, however I'm not promising anything." He didn't elaborate. The intruder also made pink postings on a US-based forum, Sharpe said.

Today's exploit is only the latest headache for eBay security personnel. Last week, an eBay user posted the personal information of at least 15 people, including first and last names, social security numbers, mother's maiden names, addresses, phone numbers, bank account numbers and credit card numbers. A call to one of the names listed confirmed that the information was accurate.

It was unclear how last week's poster, who did not log in as an eBay employee, acquired the information. eBay does not collect much of the data posted, so it's safe to assume at least some of it originated from a source other than the online auctioneer. ®

Eight steps to building an HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.