Original URL: http://www.theregister.co.uk/2007/03/08/who_is_vladuz/

eBay goes hacker hunting in Romania

Fraud rising at internet speed

By Dan Goodin

Posted in Security, 8th March 2007 01:11 GMT

Exclusive: More than two months after breaching eBay's employee servers, a hacker who calls himself Vladuz remains at large, despite the best efforts of the online auctioneer's security team and officials with law enforcement agencies in the US and eastern Europe.

So far, little is known for certain about Vladuz, who on at least two occasions has logged into eBay forums as an official customer service representative and then mocked the company's security. But the net is covered with breadcrumbs left by a hacker who goes by that name, brazenly advertises cracking software and talks up his programming prowess. "This scam is perfect in many ways," he wrote on one site about a file he said steals eBay passwords.

eBay officials say they are aggressively pursuing Vladuz with the help of the FBI and law enforcement authorities. And the online auctioneer insists his unauthorized access has been limited to servers used for employee email accounts, which are completely separate from the network where crucial customer data is kept.

The last time Vladuz is known to have breached eBay's servers, he posted under a pink banner reserved for official eBay representatives and said he was Romanian but not currently living in that country. An eBay spokesman said the company believes the hacker is Romanian.

Vladuz's break-ins may be limited, but his work has been accompanied by what critics say is a sudden spike in the number of fraudulent auctions on the site. As evidence, they point to the sharply increased volatility in the number of auctions being offered, and then removed, from hour to hour since the end of January.

On Jan. 31, for example, the number of listings swung from about 13.95m at 3 AM New York time to about 12.2m an hour and a half later, according to this chart from MedVed, which continuously tracks these figures. Over the next 13 hours, listings fluctuated between those extremes three times, making the graph (immediately below this paragraph) appear like a roller coaster, with each slope representing about 1.75m auctions. Many daily charts since then show a similar pattern.

eBay listings on Jan. 31, shortly after Vladuz emerged

It wasn't always this way. On Jan. 29, 2006 (MedVed didn't supply figures for Jan. 31 of that year), the graph maps a single downward slope that moves from about 14.5m auctions to 14.05m, a difference of about 450,000, or about one-fourth of the heaviest recent activity. (The latter chart, below, is typical of account volume prior to Jan. 31.) To critics, the recent volatility is proof of an increase in the cat-and-mouse game playing out between fraudsters and eBay's security team. Many suspect Vladuz and his clients are responsible for the supposed increase in fraudulent postings.

eBay listings on Jan. 29, 2006
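The critics' argument above rests on a simple signal: repeated hour-to-hour swings in the listing count that are several times larger than the slow, one-directional drift of a normal day. The following Python is an added example, not code from The Register, eBay or MedVed, and the two hourly series in it are constructed to mirror the figures quoted in the story (a day oscillating between roughly 13.95m and 12.2m listings, and a quiet day sliding from 14.5m to 14.05m). It generalizes the article's single instance into a check that works on any hourly series. As the eBay spokeswoman's explanation further down the page makes clear, a large swing alone can come from batch processes or a code rollout, so the check also requires the series to reverse direction repeatedly before it flags anything, and even then it is a lead for analysts, not proof of fraud.

```python
"""Hour-to-hour listing-count volatility check (added example).

The series below are constructed for illustration and are not MedVed's
real data; values are listing counts in millions, one sample per hour.
"""

# Constructed: a "roller coaster" day with repeated removals and re-listings.
VOLATILE_DAY = [13.95, 13.40, 12.20, 12.90, 13.95, 12.20, 13.10, 13.95, 12.20]
# Constructed: a quiet day with a single gentle downward slope.
QUIET_DAY = [14.50, 14.45, 14.38, 14.30, 14.20, 14.12, 14.05, 14.05]


def deltas(series):
    """Signed change between consecutive hourly samples."""
    return [b - a for a, b in zip(series, series[1:])]


def max_swing(series):
    """Largest absolute hour-to-hour change in the series."""
    return max(abs(d) for d in deltas(series))


def direction_changes(series):
    """Count how often the series switches between rising and falling.

    Zero-change hours are ignored so that a flat stretch is not counted as
    a reversal. A normal day drifts in one direction and scores 0; mass
    removals followed by re-listings of similar size score high.
    """
    signs = [d > 0 for d in deltas(series) if d != 0]
    return sum(1 for s1, s2 in zip(signs, signs[1:]) if s1 != s2)


def flag_volatility(series, baseline_swing, ratio=3.0, min_reversals=2):
    """Return True when the day looks like the pattern critics describe.

    Both conditions must hold: the biggest hourly swing is at least `ratio`
    times the baseline day's biggest swing (the article's numbers give
    roughly 1.75m against 450k, about 4x), and the series reverses direction
    at least `min_reversals` times. A single large drop with no rebound is
    left unflagged because a batch job or code rollout explains it equally
    well; the thresholds are illustrative assumptions, not eBay's.
    """
    large = max_swing(series) >= ratio * baseline_swing
    bouncy = direction_changes(series) >= min_reversals
    return large and bouncy


def summarize(series, baseline_swing):
    """Compact report an analyst could log for each day reviewed."""
    return {
        "max_swing_millions": round(max_swing(series), 2),
        "reversals": direction_changes(series),
        "flagged": flag_volatility(series, baseline_swing),
    }


if __name__ == "__main__":
    baseline = max_swing(QUIET_DAY)
    print("quiet day   :", summarize(QUIET_DAY, baseline))
    print("volatile day:", summarize(VOLATILE_DAY, baseline))
```

Run stand-alone it prints one summary line per constructed day; the quiet day supplies the baseline swing and is not flagged, while the oscillating day is. In practice the baseline would be derived from a longer window of normal days rather than a single one, and a flag would be correlated with the platform's own removal and deployment logs before anyone draws the conclusion the article's critics draw.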

What goes down must come up

"As quick as eBay is removing them, they're putting them right back up," says Ed Koon, whose outspoken criticism of eBay extends to his creation of a site titled eBayMotorsSucks.com. Also on the rise, according to Koon and others, is the number of fraudulent sales being posted by users with highly favorable feedback ratings from previous buyers. (The positive approval scores are valuable in gaining the trust of potential victims.)

Typical of this latter trend, Koon says, is a sale on Monday for a rare Scotty Cameron Del Mar 3 golf putter by a user with the handle kennecl. The seller had a 100 per cent favorable score from 77 users, and yet the person asked prospective buyers to send bids to a CompuServe email address, a violation of eBay terms that require sales to go through official eBay channels. Circumventing eBay is a common technique employed by fraudsters, who then try to convince the buyer to send a money transfer or volunteer bank account information. (We sent inquiries to kennecl's address and received a response instructing us to send a payment through Western Union to a person in Italy named Stanley Jones.)

An eBay spokeswoman says the MedVed numbers "far exceed our real activity in this area." She also said the swings are caused by many variables, including batch processes and the timing of new code roll-outs.

"My team looked at the data and there just isn't enough information there to tie the swings in listings that they show to any one cause," she writes in an email. She declines to disclose how many accounts are removed due to fraud.

Vladuz by any other name

In the past, eBay representatives have also said the hijacking of trusted accounts is the result of users falling for plain-vanilla phishing scams, and not the result of Vladuz or security vulnerabilities in eBay's system.

Indeed, we were unable to find evidence to suggest Vladuz is responsible for such take-overs or the increased volatility in listings. What is known is that a person by that name has taken a keen interest in eBay and has defrauded at least one eBay user.

Vladuz claims to be the author of a Firefox extension that he says automatically enters captcha image verification codes when making certain eBay transactions. The browser add-on appears to be harmless, according to Joe Stewart, a senior researcher and cyber gumshoe at SecureWorks, who tracks the comings and goings of online crooks. But it did require users to submit an email address and username to the Romanian site tokens.b0x.ro. (Stewart was responsible for some of the research for this article.)

That domain has been disabled, but the IP address of the server that hosted it later pointed to the domain name denisforall.com, which was registered to, and unknowingly paid for by, Washington-state resident Eliza Alby using her debit card. Alby says she found two other unauthorized charges, one for the domain lorealparis333.com and the other for an audio plugin download from SRS Labs.

"I should look at my other transactions," Alby said after learning of the fraud.

Denisforall.com once advertised the Firefox plugin as well and included the business name SGI, according to this Google cache. On a separate page, miketysonthebest.com, another site connected to Vladuz, SGI is said to stand for Solutions for Generating Income, according to this cache image.

Vladuz has left other random tracks online. On banitarfearme.com and colourfish.com, for instance, the hacker published what appear to be password extractors that test whether phished account credentials are valid. In early November, a user named Vladuz even posted a comment in an eBay developer forum decrying a change designed to crack down on fraud.

Vladuz may have no compunction about trespassing on and stealing the property of others, but he's very protective of his own. On many of the sites where he publishes, he even goes through the trouble of copyrighting his code. ®