Feeds

Once again, 'Vladuz' impales eBay defenses

Getting ridiculous

Top three mobile application threats

For at least the third time in as many months, a malicious hacker has gained unauthorized access to parts of eBay's network despite the best efforts of the company's security team to fortify its system against the embarrassing breaches.

A miscreant who went by a variation of the name Vladuz was able to secure credentials reserved for employees of eBay and post on at least two of the company's forums, including (ironically) one dedicated to trust and safety. The intrusion, like the others preceding it, is fueling suspicions that eBay suffers from systemic security problems, contrary to the online auctioneer's assurances that the hacker hasn't breached servers that store customer records and other sensitive data.

Over the past two months, the volatility in the number of auctions being posted and then pulled has skyrocketed. Critics say the spike is a result of a security hole in eBay's system that allows cyber-crooks to take over established accounts at will and post a flurry of fraudulent auctions. Once eBay's security team catches wind of the scams, the postings are removed, creating the sudden declines in listings.

eBay spokeswoman Nichola Sharpe said company security employees are taking measures to put a stop to Vladuz's intrusions. "We are in the process of putting lots of behind-the-scenes things in place to stop him," she said. "We're as confident as we can be" that the measures will work. Sharpe said members of the security team know exactly how the perpetrator is breaching the network. She declined to describe that method or to elaborate of the fixes being implemented.

There is no evidence today's breach was any different from previous times, when the hacker was able to penetrate servers that administer employee email and possibly other functions such as an intranet, Sharpe said. She was emphatic that the intruder has never accessed more sensitive parts of the network.

Those assurances have done little to assuage a small but vocal group of users who say fraud is running rampant on eBay. Indeed, just prior to the most recent breach, some forum participants were bemoaning the exploits of Vladuz and what they claimed was eBay's inability to fix the problem and its refusal to acknowledge it publicly.

"We have to be very patient until these problems rise high enough to get some attention by the wide public," a user with the handle thorbenhauer wrote at 10:24 AM German time. "And even then eBay will still stick to their good old tactics: plausible deniability, disposing every bit of proof they can lay their hands on and accuse others of misinformation." At noon, a posting appeared with the pink banner that is supposed to be reserved for official eBay representatives. Quoting part of thorbenhauer's message, the impostor, who used the nick vladuzpower, responded: "Turn on CNN on march 15, you might have a surprise, however I'm not promising anything." He didn't elaborate. The intruder also made pink postings on a US-based forum, Sharpe said.

Today's exploit is only the latest headache for eBay security personnel. Last week, an eBay user posted the personal information of at least 15 people, including first and last names, social security numbers, mother's maiden names, addresses, phone numbers, bank account numbers and credit card numbers. A call to one of the names listed confirmed that the information was accurate.

It was unclear how last week's poster, who did not log in as an eBay employee, acquired the information. eBay does not collect much of the data posted, so it's safe to assume at least some of it originated from a source other than the online auctioneer. ®

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.