'Fiendish' Trojan pickpockets eBay users

The malware appears to be a reworking of Trojan.Bayrob, which first came to light in early March when researchers from Symantec wrote reports here and here.

It arrives in an attachment to an email responding to a bid and installs a local proxy server that redirects traffic bound for eBay. The proxy, according to Symantec, spoofs sensitive pages on eBay, including the "ask a question" messaging feature for online auctions. The Trojan also inflates the user feedback score of the purported buyer, according to Symantec.

In the intervening seven months, the Trojan has been updated so that, among other things, traffic bound for sites such as Carfax and nine other addresses maintained by third-party companies will also be redirected. This helps thwart victims who try to independently confirm details fed on the falsified eBay pages.

eBay spokeswoman Nichola Sharpe says the company's security team has forwarded samples of the new strain to anti-virus companies so they can add it to the updates they send to customers.

Bogus location

When the Ohio victim used her infected PC to get a history of the Jeep from Carfax, she was told the vehicle was in California, a detail that was consistent with what scammers were telling her. Using a clean computer to access the same information shows the Jeep is located in Pennsylvania.

Seeing no reason to doubt the authenticity of the auction, the victim paid $8,650 on October 4 using a bank-to-bank transfer, a payment method that is approved by eBay. She has yet to receive delivery of the Jeep, and the purported seller has since become unreachable.

Although eBay Motors promises to protect purchases up to $20,000 against fraud, the company is refusing to cover the costs of the Ohio victim. "Items purchased outside of eBay are not covered, including those bought directly from a seller," a customer representative wrote in an email to the victim.

The victim, a college-educated stay-at-home mother, said she kept on top of her Windows updates, ran security software from Symantec and was careful not to fall for the ploy of phishers. eBay's security team says she got infected after clicking on the email attachment sent in response to her bid. She said it never occurred to her that a bid she made on eBay would leave her open to an attack that would completely compromise her system.

So she has opted to close down her eBay and PayPal accounts and vowed never again to do business with the company.

I don't have a right to be on there because I'm not knowledgeable about everything [criminals] are pulling there these days, she said. "I assumed I was purchasing this through eBay so my guard was down. As high-tech as this was, I don't know what I would have done differently." ®

If you have intelligence about Trojan.Bayrob or other scams targeting eBay, please contact Dan Goodin using this link.