
A massive brute force attack, lasting for more than a week, threatens to compromise eBay's user base

If the Monster.com compromise last week got you down, wait until the full details of eBay's current battle come to light. It has not been publicly confirmed by eBay representatives, but the company is at war with a zombie network.

According to an interview with security experts on eWEEK, the botnet is hammering away at eBay in an attempt to brute force its way into accounts with financial and personal information. Aladdin Knowledge Systems claims this attack has been underway for at least one week.


The zombie infection itself appears to be complex and is designed to be loaded in pieces. Roughly 300 infected websites are disseminating the virus to their visitors. The virus then reaches out to the web and pulls down the several components it needs to attack eBay accounts.


Aladdin Knowledge Systems claims the virus goes through four or five stages to gather everything it needs to launch and participate in the attack. It is currently unknown how many machines are infected and participating. Aladdin Knowledge Systems first noticed the botnet through its eSafe SecureSurfing product, which is marketed to ISPs to monitor and filter infected websites.


Additional details, including any database compromises, have not been disclosed.



Comments

myspace as well
By GhandiInstinct on 9/5/2007 5:10:55 PM , Rating: 2
you guys ever receive advertisement messages weekly on myspace for porn sites etc. from your friends? and you wonder why, and then you realize it wasn't them.

same compromise on myspace.




RE: myspace as well
By FITCamaro on 9/5/2007 5:16:10 PM , Rating: 5
To me myspace is a plague upon mankind. I won't even click on a link to a friend's myspace account.


RE: myspace as well
By Master Kenobi (blog) on 9/5/2007 6:01:18 PM , Rating: 3
quote:
To me myspace is a plague upon mankind.

I agree. I won't touch anything remotely associated with myspace.


RE: myspace as well
By marsbound2024 on 9/5/2007 6:08:46 PM , Rating: 3
I agree a bit. I used to use Myspace but now it is so BLOATED (like Creative's software packages with Audigy or budget computers and their AOL and etc BS) and disorganized. It's pretty much yuck. Users put WAY too much "bling" on their websites that makes it a pain to browse. I prefer the simplistic and functional style of Facebook.


RE: myspace as well
By Lazarus Dark on 9/5/2007 6:27:18 PM , Rating: 4
I finally caved a couple weeks ago and got a myspace after resisting for so long. I still hate myspace. But it's free and all the bands that I like, that's the only place to get samples of their music and contact them. It serves a purpose I'm afraid. I tried Facebook, but I hate it, mostly cause it's less anonymous.

But the amount of spam on myspace is ridiculous. And last week, one of my friends' accounts was hacked and they sent out links to virus sites to everyone.


RE: myspace as well
By Gul Westfale on 9/6/2007 12:26:19 AM , Rating: 1
quote:
To me myspace is a plague upon mankind.


DOWN WITH EMOS!


RE: myspace as well
By animedude on 9/6/2007 1:23:19 AM , Rating: 2
That is why we have the upstart of o mighty facebook


RE: myspace as well
By AstroCreep on 9/5/2007 6:26:10 PM , Rating: 4
No, it's not the same compromise.
What happens at myspace is the 'friend' in question clicks on some dumb link inside of a bulletin or whatever, then they get a page that asks them to log back into myspace - but they didn't realize that they actually 'logged in' to a phishing site. So the phisher now has their username & password which they immediately use to post bogus bulletins and comments.
That and/or said 'friend' clicked on some link in a message/bulletin that they shouldn't have, it runs some sort of script which creates a new posting that looks like it came from your account.

What's going on here with eBay is a botnet full of zombies simply trying to break in to accounts with brute-force 'attacks'. Not quite as elegant, but I guess it's effective.


RE: myspace as well
By Misty Dingos on 9/6/2007 8:04:12 AM , Rating: 2
I wonder what are the defenses that ebay can deploy to combat this attack? No I am not joking. Perhaps the last resort line of defense would be taking down the servers with customer info on them? But perhaps they could load counter viruses into a server disguised as account info then use the counter viruses to disable the bot network?

I am not an IT guy so this is just guess work. Anyone got any ideas that might work?


RE: myspace as well
By Master Kenobi (blog) on 9/6/2007 9:57:21 AM , Rating: 2
Short of auto-locking accounts after 3 failed attempts, none. Brute force works if you have the time and power to do it.
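
Master Kenobi's per-account lockout is the standard first line of defense, and the thread is right that a botnet spreads its guesses across many source addresses. The following Python, added here as an example and not taken from the article or any commenter, runs a per-account failure counter over constructed sample auth log lines (the log format is an assumption) and adds a batch-wide check for the spraying pattern that stays under the per-account threshold.

```python
import re
from collections import defaultdict

# Constructed sample auth log; the line format is an assumption, not eBay's.
SAMPLE_LOG = """\
2007-09-05T10:00:01 LOGIN_FAIL user=alice src=10.0.0.1
2007-09-05T10:00:02 LOGIN_FAIL user=alice src=10.0.0.2
2007-09-05T10:00:03 LOGIN_FAIL user=alice src=10.0.0.3
2007-09-05T10:00:04 LOGIN_FAIL user=alice src=10.0.0.4
2007-09-05T10:00:05 LOGIN_FAIL user=bob src=10.0.0.1
2007-09-05T10:00:06 LOGIN_OK user=bob src=10.0.0.1
2007-09-05T10:00:07 LOGIN_FAIL user=carol src=10.0.0.5
2007-09-05T10:00:08 LOGIN_FAIL user=dave src=10.0.0.6
2007-09-05T10:00:09 LOGIN_FAIL user=erin src=10.0.0.7
2007-09-05T10:00:10 LOGIN_FAIL user=frank src=10.0.0.8
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, outcome, user, src) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def per_account_lockouts(events, threshold=3):
    """Lock an account after `threshold` failures; a success resets the counter.
    The recorded value is the number of distinct source IPs seen at lockout time,
    which is exactly what a per-IP rate limit would not have correlated."""
    fails, sources, locked = defaultdict(int), defaultdict(set), {}
    for _, outcome, user, src in events:
        if outcome == "LOGIN_OK":
            fails[user], sources[user] = 0, set()
            continue
        fails[user] += 1
        sources[user].add(src)
        if fails[user] >= threshold and user not in locked:
            locked[user] = len(sources[user])
    return locked

def spray_signal(events, threshold=3):
    """Batch-wide check for one-or-two-guesses-per-account spraying, which never
    trips the per-account counter: (accounts below threshold, distinct sources)."""
    fails, sources = defaultdict(int), defaultdict(set)
    for _, outcome, user, src in events:
        if outcome == "LOGIN_FAIL":
            fails[user] += 1
            sources[user].add(src)
    low = [u for u, n in fails.items() if n < threshold]
    return len(low), len(set().union(*(sources[u] for u in low)))
```

On the sample, `per_account_lockouts(parse(SAMPLE_LOG))` locks alice after her third failure, which arrived from three different sources, while `spray_signal` reports five accounts with sub-threshold failures spread over five sources.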


RE: myspace as well
By AlvinCool on 9/6/2007 2:22:57 PM , Rating: 2
I don't disagree that brute force will work if given enough time. But there are certain password constraints we all know about that make it unfeasible. Using a random generator makes it almost impossible for a brute force attack to work unless the person attacking has years to do it. Simply using a combination of caps and letters with two separate words and a 3 digit number between them would stop brute force in its tracks. It's my understanding that brute force relies on guessing words. It would first have to exhaust all known words, known word combinations, known word combinations with caps totally, known word combinations with random caps THEN move to x amount of numbers in between all the above combinations. It just won't be successful against strong passwords in any moderate amount of time. Let's face it, most people are just stupid about passwords. Me, I got an Ironkey and use all random generated passwords for anything concerning finance. I hope they wear out two or three PCs trying to get into my accounts.


RE: myspace as well
By Misty Dingos on 9/6/2007 3:57:13 PM , Rating: 2
Then perhaps the way to make a brute force attack work would be to accept that you don't know the password and don't care. Just use a program that attacks the code with every possible combination made possible by a standard keyboard. Keep it within the normal parameters of a password. Break that attack up within bot lines. Have your bots report back all failures and successes to another bot that emails you the results. Keep working the most successful avenues of attack and re-attack for bots that were disabled. If you can infect enough PCs to ease the work load on any one bot then you have a way around Ebay's security. Gather a few hundred thousand accounts and sell a few here and there to bad people and retire to somewhere cheap that doesn't support extradition to your home country.


RE: myspace as well
By Spivonious on 9/6/2007 4:14:22 PM , Rating: 2
Even then it's still possible to "guess" the random password. It's all number crunching.

Try all one letter combinations, then all two letter combinations, then all three letter combinations, etc.

I would think this would be much more efficient than trying to guess full words.


RE: myspace as well
By AlvinCool on 9/6/2007 4:37:57 PM , Rating: 2
So how long do you think that would take for a 12 digit password. Just using numbers and lower case/caps that's 61 possible combinations per slot and 12 slots. With just 6 slots and about the same number of combinations, for the lottery, that's a 1 in 170 million chance of hitting. I'm not fantastic with math but wouldn't that put it in like 1 in a trillion or more for 12 slots? Anyone good at math want to figure that? And it doesn't report back hits or misses on individual characters. It's all or nothing. I, personally, think you guys are way too confident on a brute force attack if the proper password patterns are employed.


RE: myspace as well
By Master Kenobi (blog) on 9/7/2007 8:49:24 AM , Rating: 2
I bet they started each account attack with "password" and I bet they got in on quite a few.


RE: myspace as well
By AlvinCool on 9/7/2007 9:39:03 AM , Rating: 2
I totally agree. If it were me I'd attack with all common passwords then attack again with numbers from 0 - 9 at the end. I would think you could rack up on accounts that way in a short period of time.

