The Goods on an eBay Fraud

My friend called me last night and explained he recently had two security problems — some malware on his computer and a stolen eBay account. I figured the two were connected, but it’s interesting to understand how.

His eBay account had been compromised and someone loaded some fraudulent auctions under his account — just in time for the holidays. Obviously the malware found on the machine had compromised his password. The question was, how did the malware get there?

The attacker had used an interesting way to deliver the malware onto the target machine and thereby compromise that specific eBay account:

1. Find an eBay account to target, preferably an eBay account with good standing.
2. Send the "mark" account a question using the built-in eBay messaging system.

Hello ,
Please confirm if your item is the same like this:
http: //www.evilwebsite.com/item.html
 i want to BUY your item ! i am very interested !
Tell me the Final Price with all the taxes.
Let me know asap ,
thank you

1. The message includes a URL to a hostile website. The website contains a 0-day attack for IE. The payload is a keylogger.
2. The attacker obtains the eBay password from the mark account and uses that account (and it’s good eBay standing) to create fraudulent auction items.

My friend found the fraudulent items quickly, removed them, and changed his eBay password (from a known clean system). At this point, he thinks he has resolved the problem and will be wary of any new messages coming into his account — especially if they contain URLs.