Man-in-the-middle attack targets eBay

Trojan intercepts auction communications, possibly bidding.

A trojan has been spotted attempting to run a man-in-the-middle style hijack of connections to several eBay sites and pages. The malware seems to be targeting the eBay Motors car-selling site.

The trojan, once installed locally, sets up a proxy server and listens for attempts to visit a number of pre-defined locations run by the online auction giant, including auction query forms and vendor ratings pages. It is then able to redirect traffic to auctions of its maker's choosing, after connecting to one of several sites set up to provide it with redirection data.

eBay security has been the subject of much scrutiny recently after a hacker acquired access to an administrator account and posted several messages to forums at the site, showing off his elevated access. eBay Motors has also been criticised for its high levels of fraud, particularly since changes in bidder privacy measures were introduced earlier this year, in an effort to minimise phishing.

It is not yet known how the attack is intended to operate, as the sites serving data to infected machines have yet to issue activation codes for specific auctions to redirect to. More detailed analysis, including several screenshots, can be found in a Symantec blog entry.

06 March 2007
