Attacks on Ebay

By: Jaspuneet Sidhu, Rohit Sakhuja & David Zhou

This document summarizes the 2014 breach of eBay, attributed to the Syrian Electronic Army. The attackers compromised three employee login credentials, which gave them access to a database holding records for over 162 million users: names, email and physical addresses, phone numbers and dates of birth stored in the clear, plus passwords stored as salted hashes. Financial data was stored separately and encrypted, but the plaintext fields alone are enough to enable identity theft and phishing/pharming attacks. The incident highlighted weaknesses in eBay's security practices.


Ebay History and Statistics

 Started by Pierre Omidyar in September of 1995
 The world's largest garage sale, online shopping center, car dealer and auction site
 Has over 162 million registered users in over 30 countries
 Has over 34,000 employees working all over the world
 Revenue: approx. $8 billion



Some interesting facts

 Most expensive item sold on eBay: a $168 million yacht
 A sandwich sold for $28,000 because it carried an image of the Virgin Mary

The Email from Ebay
Who and What?

 eBay hackers: the Syrian Electronic Army, which claimed responsibility
 It was described as a "hacktivist operation": the stated aim was not to take over people's accounts
 What did they steal? Personal information such as names, dates of birth, email addresses, passwords (in hashed form) and other details

Identity Theft

 Stolen credentials can be reused to access accounts outside eBay: PayPal, bank accounts, social networking sites
 eBay reported that no financial information was taken, because it was stored separately and encrypted

The Attack

 The compromise of the eBay server was attributed to the theft of three corporate employee log-in credentials.
 eBay itself did not disclose exactly how these credentials were compromised.
 Compromised information included "eBay customers' name, password, email address, physical address, phone number and date of birth." Everything except the account passwords was stored unencrypted and unhashed.
 Even if the attackers never cracked a single password hash, the plaintext fields taken from the database are enough to mount far more convincing phishing and pharming campaigns against eBay customers.
 eBay's protection for passwords was hashing with a salt: a random per-user value is combined with the plaintext password before it is hashed, so that identical passwords yield different hashes and precomputed tables are useless. eBay did not publish the hash function or the salt length; a salt of only a digit or two would add almost nothing to an attacker's work.

The Attack (cont.)

 The form of hashing and salting was described by eBay as "proprietary"
 A "proprietary" method can be criticized because the exact algorithms used to protect user passwords could not be scrutinized for effectiveness by outside parties
 With the lack of detail provided by eBay, speculation led to suggestions that the credentials were taken via phishing
 This resulted in eBay telling its customers that they needed to change their passwords
 The other major speculated explanation was an internal attack by an employee

The Attack (cont.)

 eBay's public disclosure of the incident occurred on Wednesday, May 21, 2014. The attack itself had been carried out about three months before this disclosure.
 eBay had discovered the attack two weeks before disclosing it to the public.
 The gap between the discovery date and the public disclosure was because eBay initially believed that the password data had not been compromised.
 eBay stated that financial and credit card information was stored separately, in encrypted form, on another server and was thus not affected.

The Attack (cont.)

 Whatever the initial vector for the employee credentials was (eBay's explanation pointed at phishing of its employees), several other vulnerabilities were found by third-party security researchers soon after the disclosure.
 The first noted vulnerability was the website's weakness to cross-site scripting (XSS).
 XSS is a code injection attack: the attacker gets script of their choosing into a page that the site serves, and the victim's browser then executes that script with the privileges of the site's own origin.
 eBay's XSS vulnerability let JavaScript written by the attacker run in users' browsers and display malicious links disguised as auction links.

Example of JavaScript used within an eBay auction listing

This allowed an attacker to list an eBay auction that redirected any user who visited the page to a phishing login page, stealing the user's account name and password.

Example of a phishing site reached from an XSS code injection

Second Vulnerability

 A second vulnerability discovered soon after the public disclosure needed only the victim's username or email address
 The attack exploited a weakness in eBay's "Forgot Password" process that allowed an attacker to change a user's password
 Normally the reset link goes to the user's email, but the reset request carried a "reqinput" value that the attacker could read out of their own browser with the inspect element tool and reuse in a crafted request

Diagram of the HTTP request

Once the user clicked the password reset link in the email, the attacker used this reqinput value to build another HTTP request to eBay's server that set a new password of the attacker's choosing. The server was trusting a value visible to whoever started the request instead of a secret that only the mailbox owner holds.

Another Vulnerability

 A third claimed vulnerability involved a backdoor shell that could be uploaded to an eBay server, but the source website was down and, judging from the Twitter feed, the claim could have been a hoax.

Magento

 A more recent attack targeted Magento, an eBay subsidiary at the time
 Magento is an open source eCommerce platform
 The attack exploited a vulnerability in Magento's core by injecting malicious code that spied on and stole credit card information
 With this injection the attacker gets the content of POST requests
 A POST request is the HTTP method used to send data to a web server, for example when submitting a web form (such as a checkout page with card details) or uploading a file

Magento

 The attacker encrypts the stolen data using a public key embedded in the injected script
 After the data is collected and encrypted, it is saved to a fake image file, a crude form of steganography: the file looks like an image to casual inspection but holds the captured card data
 The attacker later downloads this "image" and decrypts it with the matching private key to recover all the stolen data from the Magento e-commerce site; because only the attacker holds the private key, the site owner cannot read the capture even after finding the file

Attacks similar to Ebay

 The originally discovered eBay vulnerability, cross-site scripting (XSS), is still prevalent today in different forms
 Simple 50 second video: https://www.youtube.com/watch?v=WuZ61NWbK_4
 It shows an attacker using a link that at first glance starts with ebay.com, to trick a careless individual
 Further to the right in the link there is a clearly visible portion of JavaScript referencing the IP address 45.55.162.179
 Ultimately the page that starts with ebay.com is actually a phishing page designed to send login information to that IP, where it is written into a simple text file

Another Vulnerability

 After eBay put up measures to block JavaScript being used to produce phishing pages, another eBay vulnerability appeared: the use of JSF*** (name censored in the original slides)
 JSF*** is a way to write JavaScript using only six different characters: ( ) + [ ] and !
 With only six characters to use, a simple piece of JavaScript becomes much longer and far less readable, which is what lets it slip past filters that look for ordinary script keywords
 The letter 'a', for example, is "(![]+[])[+!![]]" in JSF***: ![] is false, false+[] coerces to the string "false", +!![] is the number 1, and "false"[1] is "a"

Aftermath

 Customers complained and criticized eBay for handling the situation poorly.
 Three U.S. states (Connecticut, Florida and Illinois) jointly began investigating the cyber-attack and eBay's security practices.
 Users were also outraged that eBay waited two weeks after discovering the breach before publishing it.

Aftermath (cont.)

 eBay promised users that it would make password resets mandatory on the website. This took days to carry out, and once it was implemented users were unable to reset their passwords because the site struggled with the abnormal number of reset requests.

Effect on eBay Revenue

 eBay posted its third quarter earnings with revenue rising 12% to $4.4 billion. This was primarily driven by 20% growth in the payments business, as the marketplaces segment continued to face headwinds.
 The marketplaces segment's revenue growth slowed to 6% in Q3, compared with 11% and 9% growth in the previous two quarters, due to reduced traffic caused by the security breach and by changes in Google's SEO (Search Engine Optimization) algorithm.

Possible Solution To Prevent Data Breach

 For the best possible chance at preventing the type of data breach that struck eBay, a proper defense strategy must be implemented.
 This involves a variety of different layers that can help identify and prevent breaches at various points during an intrusion attempt.
 A host layer, for example, includes anti-malware software, file integrity monitoring, web browser protection, and more.

Possible Solution (cont.)

 The server or platform layer has its own centralized log management solution, regular rotation of passwords and service credentials, and anti-virus protection for all servers.
 The network layer includes a centralized patch management solution, the ability to run a security scanner regularly, and a firewall with tight access controls.

Possible Solution (cont.)

 A security layer would include deep packet capture for forensics, forensic tooling for investigations, security information and event management (SIEM), and more. All of these layers would be monitored 24/7 to identify intrusion attempts at various stages and to stop attackers at any point in the typical intrusion process.
 These methods require well-trained staff, but when executed properly they act as a type of insurance policy against just the kind of situation eBay found itself in.

Important Lesson

 The most important lessons to take from this data incident are:
 Good IT security practices for networks are essential for all businesses
 Regular network security assessments are required
 Educate staff on security
 Have good crisis management



References

 https://netshield.wordpress.com/2014/06/11/ebay-cyber-attack-aftermath/
 http://www.forbes.com/sites/greatspeculations/2014/10/16/ebays-earnings-continue-to-be-impacted-by-cyber-attack/
 http://blog.thinknettech.com/is-your-security-layered-like-your-bean-dip/
 http://www.scmagazine.com/the-ebay-breach-explained/article/360998/2/

References

 S. Khandelwal, "Hacking any eBay Account in Just 1 Minute", The Hacker News, 2014. [Online]. Available: http://thehackernews.com/2014/09/hacking-ebay-accounts.html. [Accessed: 28- Feb- 2016].
 J. Leyden, "EBAY... You keep using that word 'ENCRYPTION' – it does not mean what you think it means", The Register, 2014. [Online]. Available: http://www.theregister.co.uk/2014/05/22/ebay_password_encryption/. [Accessed: 28- Feb- 2016].
 P. Paganini, "A new series of critical eBay vulnerabilities still menaces 145M users", Security Affairs, 2014. [Online]. Available: http://securityaffairs.co/wordpress/25177/hacking/critical-ebay-vulnerabilities.html. [Accessed: 29- Feb- 2016].
 J. Pagliery, "EBay customers must reset passwords after major hack", CNNMoney, 2014. [Online]. Available: http://money.cnn.com/2014/05/21/technology/security/ebay-passwords/. [Accessed: 29- Feb- 2016].
 "24 Amazing eBay Stats", DMR Digital Stat Article, 6 Jan. 2015. [Online]. Available: http://expandedramblings.com/index.php/ebay-stats/. [Accessed: 02- Mar- 2016].
 Wikipedia, "eBay", Wikimedia Foundation, n.d. [Online]. Available: https://en.wikipedia.org/wiki/Ebay. [Accessed: 02- Mar- 2016].



References (cont.)

 "10 Entertaining eBay Facts You Might Not Know", Mashable, n.d. [Online]. Available: http://mashable.com/2010/08/07/ebay-facts/. [Accessed: 02- Mar- 2016].
 "Why Hasn't eBay Emailed Customers about the Attack?", CNNMoney, Cable News Network, 2014. [Online]. Available: http://money.cnn.com/2014/05/22/technology/security/ebay-hack-email/. [Accessed: 02- Mar- 2016].

References (cont.)

 T. Ring, "eBay e-commerce platform under attack", SC Magazine UK, 2015. [Online]. Available: http://www.scmagazineuk.com/ebay-e-commerce-platform-under-attack/article/423576/. [Accessed: 02- Mar- 2016].
 P. Gramantik, "Magento Platform Targeted by Credit Card Scrapers", Sucuri Blog, 2015. [Online]. Available: https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html. [Accessed: 02- Mar- 2016].
 YouTube, "eBay XSS iframe phisher demonstration", 2016. [Online]. Available: https://www.youtube.com/watch?v=WuZ61NWbK_4. [Accessed: 02- Mar- 2016].
 C. Brook, "A Year Later, XSS Vulnerability Still Exists in eBay", Threatpost, 2015. [Online]. Available: https://threatpost.com/a-year-later-xss-vulnerability-still-exists-in-ebay/112493/. [Accessed: 02- Mar- 2016].
 L. Vaas, "eBay XSS bug left users vulnerable to (almost) undetectable phishing attacks", Naked Security, 2016. [Online]. Available: https://nakedsecurity.sophos.com/2016/01/13/ebay-xss-bug-left-users-vulnerable-to-almost-undetectable-phishing-attacks/. [Accessed: 02- Mar- 2016].
 D. Goodin, "eBay has no plans to fix “severe” bug that allows malware distribution [Updated]", Ars Technica, 2016. [Online]. Available: http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-bug-that-allows-malware-distribution/. [Accessed: 02- Mar- 2016].

Questions?

 What kind of employees does a company's IT security department need in order to stop this type of security breach?

Ans: Well-trained and educated staff who can implement current IT security standards.

 How would a hacker intercept a "New Password Request" that is being sent to the user's email?

Ans: Normally the new password request goes to the user's email, but the attacker could obtain the "reqinput" value for the request from their own browser's inspect element tool and reuse it in a crafted request to eBay's server.

 How would the attacker encrypt stolen data?

Ans: With a public key embedded in the injected script, so that only the holder of the matching private key can read the captured data.