'Fiendish' Trojan pickpockets eBay users
It's new and improved. And it just nabbed $8,600
Miscreants have unleashed a new strain of a sophisticated Trojan that targets eBay users by feeding them spoofed web pages containing fraudulent information about high-ticket purchases, The Register has learned. It has already contributed to an $8,600 loss by one eBay member.
The Trojan installs a scaled-down webserver on an infected machine that masquerades as eBay and several third-party destinations frequently used to sniff out fraudulent offerings, including Carfax.com, Autocheck.com and Escrow.com.
When a victim browses to one of these sites, the webserver creates a parallel universe of sorts, in which the victim sees counterfeit pages designed to counter fraud protection mechanisms offered by eBay and third-party sites.
"To think that somehow they got software on their system that managed to spoof all the validation sites - that's a shit-scary story," said Roger Thompson, a researcher at Exploit Prevention Labs who specializes in web-based attacks. "It's fiendishly clever."
The malware was found on the machine of one eBay Motors user who recently lost $8,650 after trying to buy a 2005 Jeep Liberty advertised for 10 days on the site. Customer representatives have refused to cover the theft because, they said, the transaction was made outside of eBay.
Shortly after making the offer, the victim received a notification in the My Messages section of her eBay account telling her she had won the auction. eBay has long cautioned users not to rely on notifications unless they appear in this official section.
The malware installed on the victim's machine caused her browser to display a counterfeit version of just such a message. Had she used a non-infected computer to access her account, no such message would have appeared.
"There's no reason to suspect it's fraud until it's too late," said the Ohio-based user, who agreed to tell her story on the condition her identity was not revealed. The Register was able to verify the scam by confirming details with eBay and by reviewing screenshots, emails and files pulled from her machine.
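A defender's check for the behaviour described above, as an added example that is not part of the original article. The article does not say how the browser is steered to the Trojan's local webserver; this sketch assumes a hosts-file override, one common mechanism, and flags any entry that pins the four named sites to a fixed address. The hosts content is constructed sample data.

```python
import ipaddress

# Sites the article says the Trojan's local webserver impersonates.
WATCHED = ("ebay.com", "carfax.com", "autocheck.com", "escrow.com")

# Constructed sample hosts file (not taken from the victim's machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.ebay.com my.ebay.com   # spoofed
127.0.0.1       www.carfax.com
192.168.1.20    printer.lan
10.0.0.5        WWW.Escrow.COM.
127.0.0.1       notebay.com
"""

def is_watched(host):
    """True for a watched domain or any subdomain of it (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def suspicious_entries(hosts_text):
    """Return (line_no, address, hostname, kind) for each watched-site override.

    kind is "loopback" when the name points back at this machine, which is
    what a locally installed spoofing webserver needs, else "override".
    """
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: not an entry
        kind = "loopback" if ip.is_loopback else "override"
        for name in fields[1:]:
            if is_watched(name):
                findings.append((lineno, fields[0], name.lower().rstrip("."), kind))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real machine, pass in the contents of the system hosts file; a clean system normally has no entries for these domains at all.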
COMMENTS
Treat these scum as terrorists
While it's easy and tempting to say "don't use eBay", how long will it be before these bastards can start spoofing bank and investor websites? This has the potential to kill ecommerce stone cold dead.
While I was impressed to see some spammers cop 25 and 30 year jail sentences, and about time, it isn't helping where the scum reside in places like Russia, China or tinpot African dictatorships. How about using "extraordinary rendition" and covert extraction ops to nail some of these bastards as well as terrorists and send them on a Gitmo holiday? If these countries don't give a shit about their citizens scamming the rest of the world, I don't give a shit about their citizens getting rendered to the gulag without trial. Better them than our own citizens living in fear of unjust rendition! Destroy our internet, lose your freedom. Maybe that will make the buggers take notice that we are deadly serious about stopping this shit.
From one who almost fell for the scam
It's almost ridiculous the conversations and judgment of the user that was scammed. I am writing this from my other computer while I try to clean my now completely infected system due to this scam.
These people that are perpetrating this scam are very slick. They list a car - legitimately, get plenty of bids and interest, requesting interested parties email them if you are serious about a purchase then remove the listing.
A week later, the seller notifies you saying she'd been traveling on business, she's selling the car that she received in a divorce settlement and wanted to conduct the transaction securely through eBay under the guise that eBay offers Vehicle Protection Plan. The user also provides the pictures of the vehicle that was originally listed.
BAM! That's where the hack begins. (It could have been earlier in the process but I doubt it.) The pictures are provided in a file named ThePictures.zip. I should have known better but I too have zipped files for family members whose email boxes have limits on file sizes.
I personally responded to the seller's email with questions expressing interest and the user responded that she'd listed the vehicle and provided both the eBay auction ID and a link to the auction.
This was a perfect scam in that the website was eBay in every sense of the word in appearance. The url was the same, layouts, etc.
I had made arrangements with my bank but was trying to get some sort of confirmation that the vehicle existed. I felt somewhat secure in the fact that eBay offered this Vehicle Protection Plan which it stated covered my purchase. Additionally, the page stated the buyer's bank account had been registered with eBay and the funds would be held and not released until the buyer had inspected the vehicle - within 3 business days after delivery.
I was thinking the 3 days would allow me time to inspect and if it wasn't what I wanted, I'd return it.
I had requested information from the seller on the transportation company and was awaiting a reply when I searched eBay extensively for any information on this bank account lock. I sent an email to eBay technical support and posted a message on the discussion boards to see if anyone else knew of the 'account lock'.
I am very grateful to the eBay Motors discussion group users for responding IMMEDIATELY to my post and providing me information on this scam. I am going to help bring this issue to light and help make those non-techie users a bit more savvy on these ploys.
I have been notified by a couple of users who had the exact scam pulled on them within the past month - losing their money. I hate to know how many people are waiting on a car they will never receive.
I will NEVER use eBay for any future transactions. While I believe the biggest part of the scam came with the email, it started with the original vehicle that was listed and removed. This was a vehicle that I had placed in my watched items but it never showed up... Hmmmm. PHP code right from the start?
Oh well... I will continue to scrub my infested hard drive.
Green mails and spam
@Franklin
"Even if it seems like it comes from someone you're bargaining with on eBay. Even if Norton says it's okay."
Yipes. That sounded like something out of Dr. Seuss.
I would not like them
here or there.
I would not like them
anywhere.
I do not like
e-mails and spam.
I do not like them,
Sam-I-am.
