What's Bugging eBay?
By Lisa Vaas | Posted 03-06-2007
The eBay villagers are whispering that he can creep through eBay's internal databases and suck the lifeblood of customer accounts (log-ins and passwords) right out of their pulsing, 222 million-plus customer heart. He's putting up bogus listings as fast as eBay can take them down, and that proves he's walked through a security hole as big as a barn door.
No, eBay insists, this hacker, this Romanian wiseguy who goes by the handle Vladuz, is "nothing new." He's just another phisher, says eBay spokeswoman Catherine England, one of hundreds the huge auction site has to deal with constantly.
He may be getting loads of publicity from posting onto eBay forums as a service rep and taunting eBay: "Durzy is full OF sh*t," he wrote about eBay spokesperson Hani Durzy in a February posting after Durzy said that Vladuz had not accessed internal systems. But that just means he got lucky once and hit upon an internal e-mail that had a screenshot containing customer service reps' e-mail account information, eBay maintains.
Some eBay watchers attribute the recent spike in hijacked accounts to eBay's recent crackdown on cross-border sales. Hijacked accounts occur after phishers weasel log-in names and passwords out of legitimate eBay account holders and then use them to run auctions that look like they're taking place in a country with a reputation for legitimate sales, such as the United States or Canada.
They're doing so, the eBay watchers say, because eBay cracked down on counterfeit goods being sold from countries notorious for it, such as China. Like rats leaving a sinking ship, the thinking goes, crooks are turning to hijacked accounts because the counterfeit e-business has gone belly-up.
"In the last few months, eBay has really taken a look at the trust and safety of our marketplace and our Web site," England told eWEEK. "We've been incorporating a lot of new measures. My understanding is it's been a little frustrating for this fellow. He's spent some quality time poking around our site and trying to find a way in. He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink: when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"
Lies, lies, lies, says online auction activist Rosalinda Baldwin, who runs an auction watchdog group called The Auction Guild (TAG).
"There's always been phishing [attempts to get account information and second-chance offers made to bidders who didn't win] and other fraud going on," she said. "It became huge mid-December [when eBay began to prevent Chinese sellers from selling to eBay U.S., eBay Canada, etc.]. It seems to have been the trigger: [The collection of phishing attempts and hijacked accounts] went from one without pattern to one" that definitely showed a pattern, she said.
"I know eBay pretty well," Baldwin said. "They can use all the excuses and lies they want, but they have yet to explain how what is happening on this site could be happening if what I'm saying is not true: that somebody has access to the back end."
Read the full story on eWeek: What's Bugging eBay?