Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security IT Technology

eBay Port Scans Visitors' Computers For Remote Access Programs (bleepingcomputer.com) 100

AmiMoJo shares a report: When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more. After learning about this, BleepingComputer conducted a test and can confirm that eBay.com is indeed performing a local port scan of 14 different ports when visiting the site.
This discussion has been archived. No new comments can be posted.

eBay Port Scans Visitors' Computers For Remote Access Programs

Comments Filter:
  • WTF (Score:3, Insightful)

    by war4peace ( 1628283 ) on Monday May 25, 2020 @11:14AM (#60102228)

    Why does it do that, though? Nefarious purpose aside.
    Is there a legit reason for a website I visit to scan my PC ports?

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Dude, RTFA.
      • Re: (Score:3, Informative)

        Dude, this is Slashdot. Most people don't even read the summary.

        • by markus ( 2264 )

          Slashdot has been doing the same thing for years. My firewall complains about port scans each time I post on Slashdot...

          • From slashdot...


            if (!window.is_euro_union) {
            (function (s,o,n,a,r,i,z,e) {s['StackSonarObject']=r;s[r]=s[r]||function(){
            (s[r].q=s[r].q||[]).push(arguments)},s[r].l=1*new Date();i=o.createElement(n),
            z=o.getElementsByTagName(n)[0];i.async=1;i.src=a;z.parentNode.insertBefore(i,z)
            })(window,document,'script','https://www.stack-sonar.com/ping.js','stackSonar');
            stackSonar('stack-connect', '66');
            }

            "ping.js"... seems Slashdot's up to something...

        • I didn't read your post but I assume it enrages me, so now I'm mad and you're a jerk.
    • Re:WTF (Score:5, Informative)

      by jacks smirking reven ( 909048 ) on Monday May 25, 2020 @11:18AM (#60102242)

      From TFA:

      As the port scan is only looking for remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.

      In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.

      As many eBay users use cookies to automatically login to the site, the attackers were able to remote control the computer and access eBay to make purchases.

      • From TFA:

        it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.

        Although that may be true it may also be done to try to detect bot activity. Bots are used to manipulate auctions instead of just making purchases.

        • Agree, can be many things. I suppose the larger question is what are they doing with those scans? Does the site take any action or is it just data collecting? I don't necessarily have an issue with them port scanning per say but some transparency on how they act on those scans would be nice.

      • Uhm, how do they make purchases go to the attacker? Does the cookie allow the attacker to change the mailing address, or get into the PayPal of the user?

        • I sure hope they don't send those cookies by mail, because that's how you get ants.

        • Who said anything about purchases, in a large portion of cases it's about money laundering, or the emptying of the victim's accounts.

        • by edis ( 266347 )

          Unless site foresees mandatory additional logon before critical actions, the flow would flow to any excess imaginary. Just if disrupt particular sales, if not more. Quite a trouble maker, therefore concern of the site supervisors is rather understandable.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Uhm, how do they make purchases go to the attacker? Does the cookie allow the attacker to change the mailing address, or get into the PayPal of the user?

          I would be remotely controlling your computer, thus your browser, to go to ebay and make a purchase on my listing with your paypal account.

          That listing would be marked as a service or a digital good, so it won't require a mailing address. It also won't need any access to paypal other than to purchase with the linked account, which is the default

          Since it is my listing your browser is purchasing, I get the money. Why would I send you anything in the mail? That wouldn't be helpful to me, that could only tip

          • Re:WTF (Score:4, Informative)

            by ArsenneLupin ( 766289 ) on Tuesday May 26, 2020 @02:51AM (#60104716)

            Since it is my listing your browser is purchasing, I get the money.

            However, since it is your listing, ebay and police will have no trouble finding who did this once they start investigating...

            Why would I send you anything in the mail?

            Not send something. Rather, getting sent something. One thing crooks do is order high-value physical goods, and have them sent to a mailbox that they control (not their own, obviously, but one where they have easy access to, but that can't be easily traced back to them... Some multi-tenant buildings have "extra" unused mailboxes, as those mailbox blocks come only in fixed sizes, and there may be less apartments than mailboxes. Knowing this, you just put up a label on the extra, pick the lock, and here you roll...).

      • From TFA:

        As the port scan is only looking for remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.

        In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.

        As many eBay users use cookies to automatically login to the site, the attackers were able to remote control the computer and access eBay to make purchases.

        Thank you - a paraphrase like this should have been in the OP share summary.

      • In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.

        It's not a 2016 issue. Remote access is still the greatest tool in the tech support scam, and those scammers just love being paid in online purchases for some reason.

      • ...and how does knowing open ports determine that a purchase is indeed fraudulent?

        It doesn't. It cannot.
        At best, ebay MAY be able to say that a claimant did not have open ports, therefore not a fraudulent purchase.
        Presuming that that user was NOT port forwarding!

        I cannot concede this as a sensible practice.
    • It's suggested that eBay may have implemented the port scanning after a series of attacks a few years ago. People tend to leave cookies enabled in their browser, so if you have remote access to their computer via TeamViewer, Remote Desktop, VNC, etc., you can simply pull up their browser and purchase things for yourself on eBay, Amazon, or any other site that doesn't require a password before purchase. It seems like eBay may be port scanning to see if any of those tools are in use.

      Mind you, I don't think th

      • by jeremyp ( 130771 )

        Why not? All they are trying to do is open a TCP connection on certain port numbers.

        • Re:WTF (Score:5, Insightful)

          by Anubis IV ( 1279820 ) on Monday May 25, 2020 @02:12PM (#60103004)

          Why not? All they are trying to do is open a TCP connection on certain port numbers.

          So, assuming you actually invited a salesman into your home, you'd be fine with him sneaking off to check whether the doors and windows are locked, then reporting the state of each one back to his business? Of course not! That's none of their business.

          It's good that eBay wants to ensure that their customers are not being defrauded, and it's good that they decided to take steps to protect their customers, but the method they selected relies on exfiltrating information that they have no business knowing from a user's machine, and they're doing so in a surreptitious manner without informed consent. That's why I find it unacceptable.

          If the problem they are facing is that fraudsters are using cookies to pose as others, the correct way to address the issue isn't to "check whether all the doors and windows are locked", it's to simply have the user re-authenticate before purchase, just as numerous other stores already do. The app stores were rightly raked over the coals for not requiring passwords before purchases because it allowed someone posing as the user (e.g. their child) to make a purchase without their consent. This is fundamentally the same problem and can be solved the same way without invading anyone's privacy.

          • It's more akin to giving a salesman your address and him checking the windows and doors from the outside. He can then use that information to report back and tell his company "it looks like the property has been broken into, so maybe we shouldn't trust the person who claims to be the owner".

            You may not appreciate a vendor doing due diligence, but I'm struggling to find a country where port scanning is illegal.

            • Re: WTF (Score:4, Insightful)

              by Anubis IV ( 1279820 ) on Monday May 25, 2020 @10:10PM (#60104254)

              Except that this port scanning is being done locally and then reported back. Port scanning from the outside is perfectly normal, and your analogy would be correct if that were happening, but in this case they’re running the script on your own machine, hence why I chose the analogy I did.

          • Might be more akin to an observant bank-guard keeping an eye out for someone being forced to empty their accounts at gunpoint.
            • The motivation is certainly similar to that of your analogy, and it's an admirable thing to pursue, but the mechanics for how they're going about it are vastly dissimilar. The script is running on your own machine, without your awareness, and reporting information about other software on your computer back to them. While admittedly unusual, I still think that the analogy I put forward is the closest to what's actually going on and gets at why this is such a bizarre activity on their part. Again, it's fine t

    • Why is this even allowed by the browser? Shouldn't the browser only allow to connect back to the originating site (i.e. ebay) rather than any computer, including localhost? One more reason not to trust javascript served by untrusted sites :-(
      • Ok, got it.

        A javascript may connect to any websocket service (not just same origin). However, once connection has been established, it is only able to speak websocket protocol, not plain raw TCP. Hacking a non-websocket service this way would thus (usually) not be possible. However, just testing for existence of a TCP service is possible, as at that point, no data has yet been exchanged.

        (nft)

  • Not understanding? (Score:3, Interesting)

    by RitchCraft ( 6454710 ) on Monday May 25, 2020 @11:30AM (#60102304)
    I don't understand how a local (127.0.0.1) port scan helps eBay detect fraud. That port scan is being done inside the network. Users may be running protocols within their network that would trigger some of flag at eBay. These scans need to be done outside the network, past the router, NAT, etc.. And speaking of eBay port scanning user computers ... creepy! Stay out of my underwear drawer!
    • by EvilSS ( 557649 )
      Maybe they are doing both. Plus some can be exploited without firewall rules (Team Viewer for example), or the outside port could be translated to a different port.

      Honestly not even mad at eBay for this. They are using a tool available in the browsers to help stop fraud. What does concern me is that this is even possible to do in the first place. That's fucked up. eBay may not be abusing this but there are many ways someone else could.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Local software can have ports open which can be accessed from anywhere in the world, not just from localhost. UPnP allows it to tell your router that it should allow anyone in the world to connect to that port.

      If PayPal's servers were port scanning users' computers when they logged in, that would be even worse really, and it would likely be detected and flagged as malicious activity by a bunch of firewalls, possibly resulting in PayPal's servers getting blacklisted.

      It definitely falls into a moral gray area

    • One odd thing doesn't neccessarily set off the fraud alert. Having teamviewer on and shipping to an address you've never shipped to before - may be enough to trigger the alert.

  • Two things here after reading the article:

    First, Ebay what are you thinking? You don't "attack back" when you experience or suspect an attack. Admittedly your port scan is only a "little snoopy". But what gives you the right to probe customers systems? Those ports can all be legitimate- though port 63333 seems a little hinky because it's used for Apple's Xsan and Triplight equipment.

    However: All of those ports are really stupid ports to have open to the Internet...

    Second, this also illustrates why UPNP and

    • IPv6 didn't change much...

      1. It introduced the NAK packet. That is supposed to tell the other end of the connection not to relay traffic from an undesired source. Basically it's a yell of "Police, I said 'No soup for you' to them!"
      2. The IP address when long... from 32 bits in v4 to 128 bits. Now we'll never run out, right?
      3. Nothing else.

      • Re: (Score:3, Informative)

        Says someone who doesn't get it....

        1. IP6 does not use network address translation. Therefor all edge-scenario firewall rules must be actual rules and explicitly applied.

        2. IP6 incorporates, in some cases, the MAC address into the IP address... thus providing an information leak as to who made the NIC or mother board. In IP4 the MAC address is not discernible past the first router hop.

        3. ICMP is NEEDED for IP6. You can't turn off ICMP echo and maintain full functionality.

        4. Neighbor discovery protocols can

        • Re:What BS! (Score:4, Informative)

          by The New Guy 2.0 ( 3497907 ) on Monday May 25, 2020 @04:24PM (#60103552)

          1. IP6 does not use network address translation. Therefor all edge-scenario firewall rules must be actual rules and explicitly applied.

          IPv6 can use NAT, but it's not common due to the 128-bit addresses. Firewall rules can contain wildcards, what backwards firewall are you quoting?

          2. IP6 incorporates, in some cases, the MAC address into the IP address... thus providing an information leak as to who made the NIC or mother board. In IP4 the MAC address is not discernible past the first router hop.

          5. While randomized IP6 addresses are available on many operating systems (used to hide the MAC address of a machine the network), this can be problematic. Also, In IP4 most DHCP servers vend the same IP/MAC binding even if the lease has expired. With randomized IP6 addresses client machines re-assign an address to themselves at boot or on a timed basis. This means that machines that need to talk to each other can't because local DNS records will reflect the old address for a period of time.

          Shows the MAC address / Can be randomized. How contradictory.

          DHCP can still see the MAC address in all cases, TCP hasn't changed.

          3. ICMP is NEEDED for IP6. You can't turn off ICMP echo and maintain full functionality.

          Solved by NAK, and also true under IPv4.

          4. Neighbor discovery protocols can be exploited into DOS attacks if not explicitly configured against.

          If IPv6 sees a DOS attack, it sends a NAK. All DOSes are completely solved by NAK.

          6. Point 5 forces you to use DHCP for IP6 configuration. Or you can disable random addresses and run static. But then you provide an information leak.

          Forced or disabled... again, contradiction. What's your information leak? And, this problem exists under IPv4

          7. Before you open your mouth on slashdot... know what the heck you are talking about.

          Flamebait, and zero valid points. Mods, I've quoted him so he can lose Karma.

        • Re:What BS! (Score:4, Informative)

          by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Monday May 25, 2020 @08:36PM (#60104124) Homepage

          1, is optional you can use nat if you want, but its generally a bad kludge which impairs performance, breaks software and increases complexity of things like firewall rules (eg you allow host X, but your actually allowing every host translated behind X too), and other mess like nat reflection rules..

          2, this also is optional, windows even has this turned off by default, besides the mac address can be changed arbitrarily too so the information becomes meaningless... i assign mac addresses in the 00:80:10: range to my machines - this range was allocated to commodore

          3, icmp is needed on the local network for host discovery, icmp echo is not, there are multiple types of icmp packet which you can allow or disallow selectively and blocking all icmp will cause problems for ipv4 too

          4, local network protocols can cause dos, arp spoofing attacks can be performed against ipv4 just as easily as ndp attacks against ipv6

          5, i assume you mean privacy extensions... your host will use its static or dhcpv6 address for inbound connections, while creating random temporary addresses for making outbound connections, so your local dns records will reflect the static address but external hosts will never see this address

          6, you can optionally use dhcpv6... you can optionally use dhcpv4, ipv6 gives you the same options and one extra choice - whats the problem here?

    • Admittedly your port scan is only a "little snoopy".

      If you think a port scan is only a little snoopy, I don't want to know what you think about this [amazon.com].

    • However: All of those ports are really stupid ports to have open to the Internet...

      I imagine -- or, at least, hope -- most people's systems are behind a NAT / router / firewall of some sort, and having these ports open on a protected LAN is less of a problem.

      Reminder: Friends don't let friends connect systems directly to the Internet.

    • However: All of those ports are really stupid ports to have open to the Internet...

      These ports aren't open to the internet. They are scanned locally.

      Second, this also illustrates why UPNP and port forwarding can be dangerous. Never use UPNP. You'll never be able to keep track of all the crap that software opens up.

      Sure. Don't forget to leave your tech support number to every person you make this suggestion to. I'll be ringing off the hook because you just "broke the internet" for them. Your assertion is stupid anyway. If you don't trust your software to open a UPNP port then you can't trust it to have an internet connection in any case. Lack of UPnP doesn't stop any but the most insanely dumb of hackers and the overwhelming majority of malware either e

  • According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux.

    I buy stuff on eBay and after reading most of the article, this kind of bullshit really pisses me off, but then I read the above quote.. Yet ANOTHER great reason to use Linux vs Windows.. 100% Linux since 2010...

    • by leptons ( 891340 )
      Wow. Linux isn't going to prevent eBay from scanning your ports if you visit their website. Windows is no less secure than Linux in this case. Any website could be doing a portscan inside your network on any operating system. But sure, never let a chance to bash Windows go to waste, amirite?!
    • Well given tech support scammers don't typically target Linux machines it makes no sense to do this basic fraud check.

  • But HOW? (Score:5, Insightful)

    by Generic User Account ( 6782004 ) on Monday May 25, 2020 @11:49AM (#60102368)
    Shouldn't the browser prevent this? The "same origin policy" still exists, even for web sockets, doesn't it? Does Ebay perform what my router calls a "DNS rebinding attack"? Shouldn't the browser refuse to connect to addresses that are not globally routable, unless the origin address is also not globally routable? Ebay should simply not be able to do this. They can scan from the outside. Anyone who has looked at router logs knows that every Russian and Chinese hacker is constantly doing it. If Ebay wants to look like those asshats...
    • eBay is based on threats. They can require you not block them in their TOS...

    • Since when is 127.0.0.1 not a routeable address, and furthermore since when has it ever been blocked by any policy?

      If Ebay wants to look like those asshats...

      If ebay want to look like asshats, they could stop performing this very basic anti-fraud scan attempting to identify users who are currently the victim of the classic tech support scam.

      • 127.0.0.1 (and the whole 127/8 network) aren't in fact publicly routable, or at least shouldn't be in any sane OS. No system or router should be allowing packets with that as a source or destination address through anything other than the local interface, they should be considered Martians. And port-scanning 127.0.0.1 would be pointless, lots of software binds server ports there specifically because they can't be reached from anywhere except the local machine and often it's useful to have local access to se

  • If your computer can't withstand a simple port scan, you shouldn't be connected to the internet. You're probably getting port scans all the time.
    • This is about different from a regular port scan though, since in this case the port scanning software is run in the browser (JavaScript) on your machine.
      • JavaScript appears to have been extended too far... ActiveX in the browser was not liked because it gave all the authority of a VB6 .exe for agreeing to one request with just the filename. Now, we find out JavaScript can do a port scan, and eBay likes this.

        • I don't know where you guys have been for the last decade or so, but Javascript is used for more than stupid mouse-hover visual effects tricks these days. In fact it's not even used for that anymore, that's the job of CSS.

          Asking for a browser without javascript is like asking for a terminal/console that can't work with files.

    • A blonde girl sits alone at the bar.
      Me: Hello beautiful, you're probably getting port scans all the time.
      The blonde girl gets up and walks away.
      Me: What did I do?!

  • How does it do a local port scan of my computer with a firewall in place?

  • If my computer shares its Internet access with other computers via NAT, then it might happen that eBay port scans other people's computers when I try to log in. What could go wrong?

  • This seems to have been known about and in place for years. There's a post on UltraVNC's forums from 2017 about it, for example
    https://forum.ultravnc.net/vie... [ultravnc.net]
    Which refers to a reddit (shudder) post about Facebook doing it as far back as 2016.
    How odd this has come up now, of all times. Need something to fill article quotas, I suppose.
  • you sure have to deal with a lot of nonsense if you decide to use windows.

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...