eBay Port Scans Visitors' Computers For Remote Access Programs (bleepingcomputer.com)
AmiMoJo shares a report: When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more. After learning about this, BleepingComputer conducted a test and can confirm that eBay.com is indeed performing a local port scan of 14 different ports when visiting the site.
WTF (Score:3, Insightful)
Why does it do that, though? Nefarious purpose aside.
Is there a legit reason for a website I visit to scan my PC ports?
Re: (Score:3, Informative)
Dude, this is Slashdot. Most people don't even read the summary.
Re: (Score:2)
Slashdot has been doing the same thing for years. My firewall complains about port scans each time I post on Slashdot...
Re: (Score:2)
From slashdot...
if (!window.is_euro_union) {
    // Standard async loader pattern: define a stub stackSonar() that queues calls
    // until the real script loads, then inject <script src=".../ping.js"> ahead of
    // the first existing script tag.
    (function (s, o, n, a, r, i, z, e) {
        s['StackSonarObject'] = r;
        s[r] = s[r] || function () { (s[r].q = s[r].q || []).push(arguments); };
        s[r].l = 1 * new Date();
        i = o.createElement(n);
        z = o.getElementsByTagName(n)[0];
        i.async = 1;
        i.src = a;
        z.parentNode.insertBefore(i, z);
    })(window, document, 'script', 'https://www.stack-sonar.com/ping.js', 'stackSonar');
    stackSonar('stack-connect', '66');
}
"ping.js"... seems Slashdot's up to something...
Better question is why do browsers allow it? (Score:2)
Re:WTF (Score:5, Informative)
From TFA:
As the port scan is only looking for remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.
In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.
As many eBay users use cookies to automatically login to the site, the attackers were able to remote control the computer and access eBay to make purchases.
Re: (Score:3)
From TFA:
it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.
Although that may be true it may also be done to try to detect bot activity. Bots are used to manipulate auctions instead of just making purchases.
Re: (Score:3)
Agree, can be many things. I suppose the larger question is what are they doing with those scans? Does the site take any action or is it just data collecting? I don't necessarily have an issue with them port scanning per say but some transparency on how they act on those scans would be nice.
Re: WTF (Score:3)
It's per se, that's all.
Re: (Score:2)
Suggest handy substitute: as such.
False positives? (Score:2)
What happens in the case of a false positive? I think it's a safe bet that the user is SOL if Ebay locks down the account.
Web companies don't even let users crawl on their bellies to the lord's throne to plead their case anymore.
Re: (Score:2)
Uhm, how do they make purchases go to the attacker? Does the cookie allow the attacker to change the mailing address, or get into the PayPal of the user?
Re: (Score:2)
"The attacker in this scenario is literally logged into the victim's computer and remotely controlling it."
So why the eBay part? Can't they just send themselves money from the user's PayPal account if he gets automatically logged-in?
Re: (Score:2)
the "ebay part" is the whole subject here.
Re: (Score:2)
I sure hope they don't send those cookies by mail, because that's how you get ants.
Re: (Score:3)
Who said anything about purchases, in a large portion of cases it's about money laundering, or the emptying of the victim's accounts.
Re: (Score:1)
Unless site foresees mandatory additional logon before critical actions, the flow would flow to any excess imaginary. Just if disrupt particular sales, if not more. Quite a trouble maker, therefore concern of the site supervisors is rather understandable.
Re: (Score:3, Interesting)
Uhm, how do they make purchases go to the attacker? Does the cookie allow the attacker to change the mailing address, or get into the PayPal of the user?
I would be remotely controlling your computer, thus your browser, to go to ebay and make a purchase on my listing with your paypal account.
That listing would be marked as a service or a digital good, so it won't require a mailing address. It also won't need any access to paypal other than to purchase with the linked account, which is the default
Since it is my listing your browser is purchasing, I get the money. Why would I send you anything in the mail? That wouldn't be helpful to me, that could only tip
Re:WTF (Score:4, Informative)
Since it is my listing your browser is purchasing, I get the money.
However, since it is your listing, ebay and police will have no trouble finding who did this once they start investigating...
Why would I send you anything in the mail?
Not send something. Rather, getting sent something. One thing crooks do is order high-value physical goods, and have them sent to a mailbox that they control (not their own, obviously, but one where they have easy access to, but that can't be easily traced back to them... Some multi-tenant buildings have "extra" unused mailboxes, as those mailbox blocks come only in fixed sizes, and there may be less apartments than mailboxes. Knowing this, you just put up a label on the extra, pick the lock, and here you roll...).
Re: (Score:1)
From TFA:
As the port scan is only looking for remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.
In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.
As many eBay users use cookies to automatically login to the site, the attackers were able to remote control the computer and access eBay to make purchases.
Thank you - a paraphrase like this should have been in the OP share summary.
Re: (Score:2)
In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.
It's not a 2016 issue. Remote access is still the greatest tool in the tech support scam, and those scammers just love being paid in online purchases for some reason.
Re: (Score:1)
It doesn't. It cannot.
At best, ebay MAY be able to say that a claimant did not have open ports, therefore not a fraudulent purchase.
Presuming that that user was NOT port forwarding!
I cannot concede this as a sensible practice.
Re: (Score:3)
It's suggested that eBay may have implemented the port scanning after a series of attacks a few years ago. People tend to leave cookies enabled in their browser, so if you have remote access to their computer via TeamViewer, Remote Desktop, VNC, etc., you can simply pull up their browser and purchase things for yourself on eBay, Amazon, or any other site that doesn't require a password before purchase. It seems like eBay may be port scanning to see if any of those tools are in use.
Mind you, I don't think th
Re: (Score:2)
Why not? All they are trying to do is open a TCP connection on certain port numbers.
Re:WTF (Score:5, Insightful)
Why not? All they are trying to do is open a TCP connection on certain port numbers.
So, assuming you actually invited a salesman into your home, you'd be fine with him sneaking off to check whether the doors and windows are locked, then reporting the state of each one back to his business? Of course not! That's none of their business.
It's good that eBay wants to ensure that their customers are not being defrauded, and it's good that they decided to take steps to protect their customers, but the method they selected relies on exfiltrating information that they have no business knowing from a user's machine, and they're doing so in a surreptitious manner without informed consent. That's why I find it unacceptable.
If the problem they are facing is that fraudsters are using cookies to pose as others, the correct way to address the issue isn't to "check whether all the doors and windows are locked", it's to simply have the user re-authenticate before purchase, just as numerous other stores already do. The app stores were rightly raked over the coals for not requiring passwords before purchases because it allowed someone posing as the user (e.g. their child) to make a purchase without their consent. This is fundamentally the same problem and can be solved the same way without invading anyone's privacy.
Re: WTF (Score:2)
It's more akin to giving a salesman your address and him checking the windows and doors from the outside. He can then use that information to report back and tell his company "it looks like the property has been broken into, so maybe we shouldn't trust the person who claims to be the owner".
You may not appreciate a vendor doing due diligence, but I'm struggling to find a country where port scanning is illegal.
Re: WTF (Score:4, Insightful)
Except that this port scanning is being done locally and then reported back. Port scanning from the outside is perfectly normal, and your analogy would be correct if that were happening, but in this case they’re running the script on your own machine, hence why I chose the analogy I did.
Re: (Score:2)
The motivation is certainly similar to that of your analogy, and it's an admirable thing to pursue, but the mechanics for how they're going about it are vastly dissimilar. The script is running on your own machine, without your awareness, and reporting information about other software on your computer back to them. While admittedly unusual, I still think that the analogy I put forward is the closest to what's actually going on and gets at why this is such a bizarre activity on their part. Again, it's fine t
Re: (Score:2)
A javascript may connect to any websocket service (not just same origin). However, once connection has been established, it is only able to speak websocket protocol, not plain raw TCP. Hacking a non-websocket service this way would thus (usually) not be possible. However, just testing for existence of a TCP service is possible, as at that point, no data has yet been exchanged.
(nft)
Not understanding? (Score:3, Interesting)
Re:Not understanding? (Score:4, Funny)
He's saying that he keeps his underwear in a drawer. Try to keep up!
Re: (Score:3)
Honestly not even mad at eBay for this. They are using a tool available in the browsers to help stop fraud. What does concern me is that this is even possible to do in the first place. That's fucked up. eBay may not be abusing this but there are many ways someone else could.
Re: (Score:2)
Seems like it's a case where "raw ports" are exposed. Seem like if Slashdot wanted to down a site, they could attach packet-senders to a specific IP...
Re: (Score:3, Informative)
Local software can have ports open which can be accessed from anywhere in the world, not just from localhost. UPnP allows it to tell your router that it should allow anyone in the world to connect to that port.
If PayPal's servers were port scanning users' computers when they logged in, that would be even worse really, and it would likely be detected and flagged as malicious activity by a bunch of firewalls, possibly resulting in PayPal's servers getting blacklisted.
It definitely falls into a moral gray area
Re: (Score:3)
One odd thing doesn't necessarily set off the fraud alert. Having TeamViewer on and shipping to an address you've never shipped to before may be enough to trigger the alert.
Re: (Score:2)
eBay seems to think they can do things to protect themselves, even when it doesn't protect you...
What BS! (Score:2)
Two things here after reading the article:
First, Ebay what are you thinking? You don't "attack back" when you experience or suspect an attack. Admittedly your port scan is only a "little snoopy". But what gives you the right to probe customers systems? Those ports can all be legitimate- though port 63333 seems a little hinky because it's used for Apple's Xsan and Triplight equipment.
However: All of those ports are really stupid ports to have open to the Internet...
Second, this also illustrates why UPNP and
Re: (Score:2)
IPv6 didn't change much...
1. It introduced the NAK packet. That is supposed to tell the other end of the connection not to relay traffic from an undesired source. Basically it's a yell of "Police, I said 'No soup for you' to them!"
2. The IP address when long... from 32 bits in v4 to 128 bits. Now we'll never run out, right?
3. Nothing else.
Re: (Score:3, Informative)
Says someone who doesn't get it....
1. IP6 does not use network address translation. Therefore all edge-scenario firewall rules must be actual rules and explicitly applied.
2. IP6 incorporates, in some cases, the MAC address into the IP address... thus providing an information leak as to who made the NIC or mother board. In IP4 the MAC address is not discernible past the first router hop.
3. ICMP is NEEDED for IP6. You can't turn off ICMP echo and maintain full functionality.
4. Neighbor discovery protocols can
Re:What BS! (Score:4, Informative)
1. IP6 does not use network address translation. Therefore all edge-scenario firewall rules must be actual rules and explicitly applied.
IPv6 can use NAT, but it's not common due to the 128-bit addresses. Firewall rules can contain wildcards, what backwards firewall are you quoting?
2. IP6 incorporates, in some cases, the MAC address into the IP address... thus providing an information leak as to who made the NIC or mother board. In IP4 the MAC address is not discernible past the first router hop.
5. While randomized IP6 addresses are available on many operating systems (used to hide the MAC address of a machine the network), this can be problematic. Also, In IP4 most DHCP servers vend the same IP/MAC binding even if the lease has expired. With randomized IP6 addresses client machines re-assign an address to themselves at boot or on a timed basis. This means that machines that need to talk to each other can't because local DNS records will reflect the old address for a period of time.
Shows the MAC address / Can be randomized. How contradictory.
DHCP can still see the MAC address in all cases, TCP hasn't changed.
3. ICMP is NEEDED for IP6. You can't turn off ICMP echo and maintain full functionality.
Solved by NAK, and also true under IPv4.
4. Neighbor discovery protocols can be exploited into DOS attacks if not explicitly configured against.
If IPv6 sees a DOS attack, it sends a NAK. All DOSes are completely solved by NAK.
6. Point 5 forces you to use DHCP for IP6 configuration. Or you can disable random addresses and run static. But then you provide an information leak.
Forced or disabled... again, contradiction. What's your information leak? And, this problem exists under IPv4
7. Before you open your mouth on slashdot... know what the heck you are talking about.
Flamebait, and zero valid points. Mods, I've quoted him so he can lose Karma.
Re:What BS! (Score:4, Informative)
1, is optional, you can use NAT if you want, but it's generally a bad kludge which impairs performance, breaks software and increases complexity of things like firewall rules (eg you allow host X, but you're actually allowing every host translated behind X too), and other mess like NAT reflection rules..
2, this also is optional, windows even has this turned off by default, besides the mac address can be changed arbitrarily too so the information becomes meaningless... i assign mac addresses in the 00:80:10: range to my machines - this range was allocated to commodore
3, icmp is needed on the local network for host discovery, icmp echo is not, there are multiple types of icmp packet which you can allow or disallow selectively and blocking all icmp will cause problems for ipv4 too
4, local network protocols can cause dos, arp spoofing attacks can be performed against ipv4 just as easily as ndp attacks against ipv6
5, i assume you mean privacy extensions... your host will use its static or dhcpv6 address for inbound connections, while creating random temporary addresses for making outbound connections, so your local dns records will reflect the static address but external hosts will never see this address
6, you can optionally use dhcpv6... you can optionally use dhcpv4, ipv6 gives you the same options and one extra choice - whats the problem here?
Re: (Score:2)
If you think a port scan is only a little snoopy, I don't want to know what you think about this [amazon.com].
Re: (Score:2)
Actually, a little snoopy is this... But Charlie Brown's memory keeps getting reset [amazon.com]
Re: (Score:2)
However: All of those ports are really stupid ports to have open to the Internet...
I imagine -- or, at least, hope -- most people's systems are behind a NAT / router / firewall of some sort, and having these ports open on a protected LAN is less of a problem.
Reminder: Friends don't let friends connect systems directly to the Internet.
Re: (Score:3)
However: All of those ports are really stupid ports to have open to the Internet...
These ports aren't open to the internet. They are scanned locally.
Second, this also illustrates why UPNP and port forwarding can be dangerous. Never use UPNP. You'll never be able to keep track of all the crap that software opens up.
Sure. Don't forget to leave your tech support number to every person you make this suggestion to. I'll be ringing off the hook because you just "broke the internet" for them. Your assertion is stupid anyway. If you don't trust your software to open a UPNP port then you can't trust it to have an internet connection in any case. Lack of UPnP doesn't stop any but the most insanely dumb of hackers and the overwhelming majority of malware either e
Re: (Score:2)
Oh there's no criminal law.
But ebay is about to get sued. Yea... they will win. But it's a lot of bad press...
Re: (Score:1)
> But ebay is about to get sued.
You can sue anyone. To do so you need to have a case. That involves a violation of a law. There are no laws about who [oh why bother].
See FRCP 12(b)(6) for more clarification.
Ehud
Re: (Score:2)
Uh, if eBay doesn't get its port scan, does it deny service?
Re: (Score:2)
That was my first thought too, but having read the article, I found out that the port scan is performed by a piece of Javascript running in the browser. Presumably it finds out the IP address of the machine's network interface and tries to open a TCP connection to it on the named ports.
Re: (Score:1)
> I found out that the port scan is performed by a piece of Javascript running in the browser.
Javascript? In the browser?? In 2020???
NoScript. /s
E
Re: (Score:2)
No javascript means 99% of the websites will not work.
Welcome to 2020.
Re: (Score:2)
NoScript. /s
Good luck getting your ebay purchase through.
Re: (Score:1)
NoScript. /s
Good luck getting your ebay purchase through.
There's a cost when you're willing to block certain elements of a website. Sometimes it means you don't get to see those wonderful auto-playing videos. Sometimes it means you miss those awesome advertisements. Sometimes it means the "Buy It Now" button won't work. Agreed.
Everybody has a choice. If you REALLY REALLY REALLY want to make that purchase, you can disable NoScript.
E
Re: (Score:1)
It's running on your computer, so the IP address is localhost... 127.0.0.1.
Re: (Score:3)
Gentlemen, you know the expression. "There's no place like 127.0.0.1"
Re: (Score:2)
It uses 127.0.0.1.
I wonder what it does when it detects an open port. I have machines running secure RDP, VPN access only but this thing will find them.
Re: (Score:3)
I found out that the port scan is performed by a piece of Javascript running in the browser.
But how do they get around same-origin policy? That Javascript script was loaded from ebay, not from localhost, so the browser shouldn't allow it to connect to localhost. Yes, there are things like CORS, but these involve putting up special headers on a web server of the target host (i.e. localhost) to express consent, and for good reason.
Or has same-origin policy been silently dropped? Scary! This means that any browser is now a trivial backdoor into your corporate network!
Re: (Score:2)
A javascript may connect to any websocket service (not just same origin). However, once connection has been established, it is only able to speak websocket protocol, not plain raw TCP. Hacking a non-websocket service this way would thus (usually) not be possible. However, just testing for existence of a TCP service is possible, as at that point, no data has yet been exchanged.
It's 2020. A firewall or NAT is not enough. (Score:2)
Disconnect your devices from the Internet. Problem solved, once and for all.
Re: (Score:1)
> Disconnect your devices from the Internet. Problem solved, once and for all.
Agreed. That's why my TV, refrigerator, thermostat, car, doorbell, and video systems are all not on the Internet.
The alarm system uses the net outbound only to indicate an event, but there are two other backup layer-one systems in place in case that fails.
It used to be it was good to be "on" the Internet. Now it's good to be "one step away from" the Internet.
Firewalls rock.
E
Re: (Score:2)
And rock walls are pretty good at stopping fire.
Re:It's 2020. Have a firewall or NAT in place. (Score:5, Informative)
eBay can't scan your computer if your computer is behind a firewall or has NAT in place.
Errr they aren't scanning your computer from *outside* the network. They are running a *local* scan using javascript and looking for ports on the "remote" machine with the IP address of "127.0.0.1" and then returning the results to ebay via the aforementioned port 443.
Don't be afraid to dream bigger.
Re: (Score:3)
and then they use that TCP connection to send javascript to tell your browser to connect to various ports on 127.0.0.1 and then report back to eBay about it. this shouldn't work and it kinda doesn't, but there's apparently enough "side-channel" information to be worth something.
javascript is a big rusty shit-encrusted spike right through all seven layers of the OSI model lol.
Yet ANOTHER reason to run Linux (Score:2)
According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux.
I buy stuff on eBay and after reading most of the article, this kind of bullshit really pisses me off, but then I read the above quote.. Yet ANOTHER great reason to use Linux vs Windows.. 100% Linux since 2010...
Re: (Score:2)
Well given tech support scammers don't typically target Linux machines it makes no sense to do this basic fraud check.
But HOW? (Score:5, Insightful)
Re: (Score:2)
eBay is based on threats. They can require you not block them in their TOS...
Re: (Score:2)
They can lock accounts for just about any TOS violation... after the fact of a sale.
Re: (Score:2)
Since when is 127.0.0.1 not a routeable address, and furthermore since when has it ever been blocked by any policy?
If Ebay wants to look like those asshats...
If ebay want to look like asshats, they could stop performing this very basic anti-fraud scan attempting to identify users who are currently the victim of the classic tech support scam.
Re: (Score:2)
127.0.0.1 (and the whole 127/8 network) aren't in fact publicly routable, or at least shouldn't be in any sane OS. No system or router should be allowing packets with that as a source or destination address through anything other than the local interface, they should be considered Martians. And port-scanning 127.0.0.1 would be pointless, lots of software binds server ports there specifically because they can't be reached from anywhere except the local machine and often it's useful to have local access to se
Don't use the internet in that case (Score:2)
Re: (Score:2)
JavaScript appears to have been extended too far... ActiveX in the browser was not liked because it gave all the authority of a VB6 .exe for agreeing to one request with just the filename. Now, we find out JavaScript can do a port scan, and eBay likes this.
Re: (Score:2)
I don't know where you guys have been for the last decade or so, but Javascript is used for more than stupid mouse-hover visual effects tricks these days. In fact it's not even used for that anymore, that's the job of CSS.
Asking for a browser without javascript is like asking for a terminal/console that can't work with files.
Re: (Score:2)
A blonde girl sits alone at the bar.
Me: Hello beautiful, you're probably getting port scans all the time.
The blonde girl gets up and walks away.
Me: What did I do?!
Local port scan of my computer? (Score:2)
How does it do a local port scan of my computer with a firewall in place?
Re:Local port scan of my computer? (Score:5, Informative)
1. They send javascript.
2. The JS file runs, and it looks for services/open ports on localhost.
3. The JS file then calls a URL with variables indicating the result.
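The three steps above, and the earlier point that a script may open a WebSocket to any host but can only ever speak the WebSocket protocol over it, are easiest to see in code. The following is an added example, not the eBay script or anything quoted from the article: a browser-side probe of 127.0.0.1 that never sends application data, plus a helper that turns the raw timing/outcome observations into a verdict per port. The port list, the 100 ms refusal threshold and the sample observations are constructed for illustration; the real script's port list and thresholds are not known from this thread.

```javascript
// Added example (not eBay's code). Illustrative port list: default ports of some
// remote-access tools named in the summary. Assumed for illustration only.
const PROBE_PORTS = [3389, 5900, 5938, 5931]; // RDP, VNC, TeamViewer, Ammyy Admin

// Step 2: probe one port on localhost by attempting a WebSocket handshake.
// The browser opens a plain TCP connection, then sends an HTTP Upgrade request.
// If nothing listens, the connect is refused almost immediately. If a
// non-WebSocket service listens, the TCP connect succeeds and the handshake
// then fails or hangs, so the failure arrives noticeably later. That timing
// difference is the side channel; no bytes beyond the handshake ever go out.
// Browser-only: relies on the global WebSocket constructor and performance.now().
function probePort(port, timeoutMs = 1000) {
  return new Promise((resolve) => {
    const start = performance.now();
    let settled = false;
    const done = (outcome) => {
      if (settled) return;
      settled = true;
      resolve({ port, ms: performance.now() - start, outcome });
    };
    let ws;
    try {
      ws = new WebSocket(`ws://127.0.0.1:${port}/`);
    } catch (e) {
      return done('blocked'); // constructor refused (no WebSocket API or policy block)
    }
    ws.onopen = () => { done('websocket'); ws.close(); };
    ws.onerror = () => done('error');
    ws.onclose = () => done('closed');
    setTimeout(() => { done('timeout'); try { ws.close(); } catch (_) {} }, timeoutMs);
  });
}

// Pure helper: classify observations. A fast error/close is a refused connect
// (nothing listening); a slow one or a timeout means something accepted the TCP
// connection and then failed the WebSocket upgrade. Heuristic by nature: a busy
// machine or a firewall that silently drops can push a closed port over the
// threshold, which is exactly the false-positive worry raised in the thread.
function classifyObservations(observations, refusedMaxMs = 100) {
  return observations.map(({ port, ms, outcome }) => {
    let verdict;
    if (outcome === 'websocket') verdict = 'open (websocket service)';
    else if (outcome === 'blocked') verdict = 'unknown (probe blocked)';
    else if (outcome === 'timeout' || ms > refusedMaxMs) verdict = 'likely listening';
    else verdict = 'closed';
    return { port, verdict };
  });
}

// Ports the heuristic would flag; this is what step 3 would send back to the site.
function listeningPorts(observations, refusedMaxMs = 100) {
  return classifyObservations(observations, refusedMaxMs)
    .filter((r) => r.verdict !== 'closed' && !r.verdict.startsWith('unknown'))
    .map((r) => r.port);
}

// Step 3 shape: a query string such a script might append to a report URL.
// The parameter name "open" is assumed, not taken from the real script.
function buildReportQuery(observations) {
  const flagged = listeningPorts(observations);
  return 'open=' + encodeURIComponent(flagged.join(','));
}

// Steps 1-3 end to end, browser only.
async function scanLocalhost(ports = PROBE_PORTS) {
  const observations = await Promise.all(ports.map((p) => probePort(p)));
  return { results: classifyObservations(observations), query: buildReportQuery(observations) };
}

// Constructed sample observations: what a browser run might produce on a machine
// with RDP (3389) listening and nothing else. One timeout, three fast refusals.
const SAMPLE_OBSERVATIONS = [
  { port: 3389, ms: 1000, outcome: 'timeout' },
  { port: 5900, ms: 4, outcome: 'error' },
  { port: 5938, ms: 5, outcome: 'error' },
  { port: 5931, ms: 3, outcome: 'closed' },
];
```

In a browser, `scanLocalhost()` returns the per-port verdicts and the report query; `probePort` resolves with `'blocked'` wherever the WebSocket constructor is unavailable or refused, so the classifier reports those ports as unknown rather than closed.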
Perhaps not such a great idea... (Score:2)
If my computer shares its Internet access with other computers via NAT, then it might happen that eBay port scans other people's computers when I try to log in. What could go wrong?
Old news (Score:2)
https://forum.ultravnc.net/vie... [ultravnc.net]
Which refers to a reddit (shudder) post about Facebook doing it as far back as 2016.
How odd this has come up now, of all times. Need something to fill article quotas, I suppose.
only on windows (Score:2)
you sure have to deal with a lot of nonsense if you decide to use windows.