
A massive brute force attack, lasting for more than a week, threatens to compromise eBay's userbase

If the compromise last week got you down, wait until the full details of eBay's current battle come to light. It has not been publicly confirmed by eBay representatives, but the company is at war with a zombie network.

According to an interview with security experts on eWEEK, the botnet is hammering away at eBay in an attempt to brute force its way into accounts with financial and personal information. Aladdin Knowledge Systems claims this attack has been underway for at least one week.


The zombie infection itself seems to be very complex and is designed to be loaded in pieces. Apparently around 300 infected websites are disseminating the virus to their visitors. The virus then reaches out to the web and pulls down the several pieces it needs to attack eBay accounts.

Aladdin Knowledge Systems claims there are 4 or 5 stages to the virus, through which it gathers everything it needs to launch and participate in the attack. It is currently unknown how many machines are infected and participating. Aladdin Knowledge Systems first noticed the botnet attack when it was flagged by their eSafe SecureSurfing product, which is marketed to ISPs to monitor and filter infected websites.


Additional details, including any database compromises, have not been disclosed.


RE: myspace as well
By AlvinCool on 9/6/2007 2:22:57 PM , Rating: 2
I don't disagree that brute force will work if given enough time. But there are certain password constraints we all know about that make it unfeasible. Using a random generator makes it almost impossible for a brute force attack to work unless the person attacking has years to do it. Simply using a combination of caps and letters with two separate words and a 3 digit number between them would stop brute force in its tracks. It's my understanding that brute force relies on guessing words. It would first have to exhaust all known words, known word combinations, known word combinations with caps totally, known word combinations with random caps THEN move to x amount of numbers in between all the above combinations. It just won't be successful against strong passwords in any moderate amount of time. Let's face it, most people are just stupid about passwords. Me, I got an Ironkey and use all random generated passwords for anything concerning finance. I hope they wear out two or three PCs trying to get into my accounts.

RE: myspace as well
By Misty Dingos on 9/6/2007 3:57:13 PM , Rating: 2
Then perhaps the way to make a brute force attack work would be to accept that you don't know the password and don't care. Just use a program that attacks the code with every possible combination made possible by a standard keyboard. Keep it within the normal parameters of a password. Break that attack up within bot lines. Have your bots report back all failures and successes to another bot that emails you the results. Keep working the most successful avenues of attack and re-attack for bots that were disabled. If you can infect enough PCs to ease the work load on any one bot then you have a way around eBay's security. Gather a few hundred thousand accounts and sell a few here and there to bad people and retire to somewhere cheap that doesn't support extradition to your home country.

RE: myspace as well
By Spivonious on 9/6/2007 4:14:22 PM , Rating: 2
Even then it's still possible to "guess" the random password. It's all number crunching.

Try all one letter combinations, then all two letter combinations, then all three letter combinations, etc.

I would think this would be much more efficient than trying to guess full words.

RE: myspace as well
By AlvinCool on 9/6/2007 4:37:57 PM , Rating: 2
So how long do you think that would take for a 12 digit password. Just using numbers and lower case/caps that's 61 possible combinations per slot and 12 slots. With just 6 slots and about the same number of combinations, for the lottery, that's a 1 in 170 million chance of hitting. I'm not fantastic with math but wouldn't that put it in like 1 in a trillion or more for 12 slots? Anyone good at math want to figure that? And it doesn't report back hits or misses on individual characters. It's all or nothing. I, personally, think you guys are way too confident on a brute force attack if the proper password patterns are employed.
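The keyspace question raised in this comment, worked through as an added example (not part of the thread or the article): it compares the exhaustive-search sizes of the password shapes discussed above. The guess rate and dictionary size are assumptions; the character-class sizes (26 lowercase, 26 uppercase, 10 digits) are standard.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-class sizes: 26 lowercase, 26 uppercase, 10 digits.
LOWER, UPPER, DIGITS = 26, 26, 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols (the "slots" in the comment)."""
    return alphabet_size ** length


def two_word_pattern_keyspace(dictionary_size: int, cap_variants: int = 2) -> int:
    """Size of the 'Word###Word' pattern from the thread: two dictionary words,
    each either all-lowercase or capitalised (cap_variants=2), joined by a
    3-digit number. dictionary_size is an assumption supplied by the caller."""
    return (dictionary_size * cap_variants) ** 2 * 10 ** 3


def bits(space: int) -> float:
    """Entropy of a uniformly chosen password from `space`, in bits."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate.
    For an online attack the rate is bounded by what the login endpoint
    accepts, which is why lockout and rate limiting matter more than raw CPU."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed rate: a botnet collectively pushing 1,000 login attempts per
    # second at a single account, already far beyond what a rate-limited
    # site should tolerate.
    rate = 1_000.0
    policies = {
        "8 lowercase letters": keyspace(LOWER, 8),
        "12 chars, upper+lower+digits": keyspace(LOWER + UPPER + DIGITS, 12),
        "Word###Word, 50k-word dictionary": two_word_pattern_keyspace(50_000),
    }
    for name, space in policies.items():
        print(f"{name:34s} {bits(space):6.1f} bits  "
              f"{years_to_exhaust(space, rate):.3g} years to exhaust")
```

At 62 symbols and 12 slots the space is about 3.2e21, roughly a billion times larger than the "one in a trillion" guessed above; the realistic risk is not exhaustion but the handful of common passwords a spray tries against every account.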

RE: myspace as well
By Master Kenobi on 9/7/2007 8:49:24 AM , Rating: 2
I bet they started each account attack with "password" and I bet they got in on quite a few.

RE: myspace as well
By AlvinCool on 9/7/2007 9:39:03 AM , Rating: 2
I totally agree. If it were me, I'd attack with all common passwords then attack again with numbers from 0 - 9 at the end. I would think you could rack up on accounts that way in a short period of time.

