
posted by Fnord666 on Wednesday May 27 2020, @02:40PM
from the taking-liberties dept.

eBay users spot the online auction house port-scanning their PCs. Um... is that OK?:

Updated: Users visiting eBay have spotted that the website runs port scans against their computer, using the localhost address to inspect what may be running on your machine.

Fraud is a big issue for eBay, and if the purpose of scanning for remote-control access ports is an attempt to detect criminals logged into a user's computer in order to impersonate them on the tat bazaar, it could have some value. The behaviour, however, was described as "clearly malicious" by security researcher Charles Belmer.

The script attempts WebSocket connections to a number of ports, including 3389 (Microsoft remote desktop), 5931 (Ammy Admin remote desktop), 6333 (VNC remote connection), 7070 (realAudio and Apple QuickTime streaming) and more. The script is running locally so it is not testing for ports exposed to the internet, but rather for what is running on your local network. The port scanning script does not always run. We have only seen it run on Windows, and normally only on the first visit to eBay after some unspecified period.

Developer Dan Nemec used browser debugging tools to trace what is going on – a job made harder, he said, by JavaScript code that is "re-obfuscated on every page load" so that variable names change every time.

It is odd, though: not all the code is obfuscated, so if the script's creators really wanted to cover their tracks they could have done a better job.

Nemec did discover several points of interest, however. One is that the source of the script, called check.js, is src.ebay-us.com, which is a CNAME record pointing at h-ebay.online-metrix.net, which belongs to an organisation called ThreatMetrix Inc, part of LexisNexis Risk Solutions.

Following the scan, Nemec observed, the web page requests images, again from the Threat Metrix domain, which return a 204 code meaning "no content". The payload is in the argument accompanying the requests, which when decrypted contains the results of the port scan and other information, including the user agent (browser identifier), public IP address, and "other data, signatures and things I don't recognize," said Nemec.

[...] Updated to add

eBay got back to us to say that it is "committed to creating an experience on our sites and services that is safe, secure and trustworthy," though it has not responded to any specific concerns over privacy or security. We understand that the reason for the port scanning script is fraud prevention, seemingly by flagging up machines that may be under remote control by miscreants.
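The probe the article describes is an ordinary HTTP request carrying an Upgrade: websocket header, sent from a web page to a loopback port, so a listener on one of those ports sees exactly which site sent it. The following Python snippet is an added example, not code from the article, eBay or ThreatMetrix: it classifies such a request from its headers, using the port table quoted above; the sample request is constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Ports the article lists as probed, with the service each is associated with.
REMOTE_CONTROL_PORTS = {3389: "Microsoft remote desktop", 5931: "Ammy Admin remote desktop",
                        6333: "VNC remote connection", 7070: "RealAudio / QuickTime streaming"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "[::1]", "::1"}


@dataclass
class Probe:
    origin: str   # site whose script opened the socket (Origin header)
    port: int     # loopback port it was aimed at
    service: str  # what normally listens there, per the table above


def parse_headers(raw: bytes) -> Optional[dict]:
    """Parse the head of a GET request into a lower-cased header dict; None if malformed."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("GET ") or len(lines[0].split(" ")) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: bytes) -> Optional[Probe]:
    """Return a Probe if raw is a WebSocket upgrade from a non-local Origin to a loopback port."""
    headers = parse_headers(raw)
    if headers is None or headers.get("upgrade", "").lower() != "websocket":
        return None
    hostname, _, port_text = headers.get("host", "").rpartition(":")
    if hostname not in LOOPBACK_NAMES or not port_text.isdigit():
        return None
    origin_host = urlsplit(headers.get("origin", "")).hostname
    if origin_host is None or origin_host in LOOPBACK_NAMES:
        return None   # no Origin, or a page served from this machine: not a third-party probe
    port = int(port_text)
    return Probe(headers["origin"], port, REMOTE_CONTROL_PORTS.get(port, "unknown"))


# Constructed sample of what a listener on port 5931 would receive from such a script.
SAMPLE_PROBE = (b"GET / HTTP/1.1\r\nHost: 127.0.0.1:5931\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\nOrigin: https://www.ebay.com\r\n\r\n")
```

Binding a small listener to one of the probed ports and feeding what it receives to classify() turns the scan into a log line naming the origin site, which is the only way to see it from outside the browser.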


  • (Score: 3, Interesting) by Anonymous Coward on Wednesday May 27 2020, @04:23PM (#999751) (1 child)

    Does anybody else remember the Gator Advertising Network? Everybody called it spyware. Basically what it did is spied on your browsing habits to deliver targeted advertising to you. Zoom forward a decade later and that's now the 'modern business model.'

    Nemec did discover several points of interest, however. One is that the source of the script, called check.js, is src.ebay-us.com, which is a CNAME record pointing at h-ebay.online-metrix.net, which belongs to an organisation called ThreatMetrix Inc, part of LexisNexis Risk Solutions.

    LexisNexis is an interesting find. Assuming it's valid, that is really creepy but not especially surprising. Here [wikileaks.org] is a link to a Wikileaks search for LexisNexis. There are 770 hits. LexisNexis is an information broker that gathers public and private information on individuals/organizations/journalists/media/etc and then sells it to whoever can pay. DC types use it for normal uses such as legal research/etc, but also for things such as vetting people, digging up dirt on targets, and so on. That they may be connected to widespread port probing is, again, just creepy. But I'm sure 10 years from now it'll just be another standard business practice.

  • (Score: 3, Interesting) by Hyperturtle (2824) on Thursday May 28 2020, @03:36PM (#1000178)

    I do remember that, but in real life am told I am mistaken if I believe that targeted advertising is a privacy invasion--if it means someone has to stop tagging me in their photos or something like that. It turns me into a jerk to point out things they disagreed with before, but that was when they didn't get some free convenience out of it. Do something hideous but cover it up with free stuff, and that makes things much better for a lot of people who don't want to think too hard about it, or even compare to what they were thinking previously about the same stuff.

    So uh anyway a good idea for people would be to block "online-metrix.net" on a local DNS server, or within the local hosts file of your computer(s) if you can.

    I actually went to go do this on my home network's DNS, and discovered I had blocked it a long time ago because of some other company using it to report back to Lexis Nexis whatever the browsing habits were on some streaming site (I sometimes keep notes of why I add entries to my DNS or access-lists for blocking purposes--this way I have a better chance of unraveling anything I unintentionally broke--but in this case, I didn't record specifically my concern and just that it was a LexisNexis consumer behavior tracker sort of service).

    I don't know about you, but their scanning for remote control ports pisses me off. They have no reason to query whether or not I use enterprise features on my home network to make life easier because I like to pretend I know what I am doing-- maybe I am a professional, maybe I am an idiot, but the vibe here is that if I am using professional tools, they'll treat me like an idiot because only 0wn3d people will fraudulently be remotely controlled--with those ports. (at least with VNC, I altered the default port. RDP via Microsoft is a little harder to change as the default settings generally don't allow one to do that and remain compatible between OS versions)

    That said, I haven't had any problems whatsoever with ebay despite having blocked that domain. Sometimes pages run a little slow, but I haven't noticed it hanging on a script.

    Incidentally, when I say "blocked" in DNS, it isn't really blocked--I have a static entry for the domain that I assign a loopback IP address to, in order to prevent actual queries for such domains and to always provide back the loopback address to anything on my network that does a lookup via DNS. If there is an issue, I bypass the DNS servers if needed and can still get out when dealing with fully qualified domain names like that--routing and IP address control is quite different, as it is often very hard to identify a service within some ISP cloud like amazon--they shift around and often don't even know themselves where their stuff 'lives'. Better to block it by name than do it wrong via number.

    By loopback, I mean IPv4 addressing somewhere in the 127.x.x.x range. I assign different numbers per type of service based on my own unprofessional opinion about what something might be doing--plenty of sites out there that do tracking aren't exactly upfront about it, and if it takes more time than I want to research whatever that strange script is trying to call--I'll just add it to DNS and guess what it was doing or trying to do, so that I can sort of categorize it all outside of DNS based on how I set it up within DNS, but it quickly has gotten out of hand... There are lots of bad things out there, and I imagine a lot of my entries have become 'stale'. Still, it has proven to be pretty effective over time.

    Since I try to have a sense of humor about it sometimes, I use 127.6.6.6 as the entry for Facebook and its domains [and giphy now, too, ever since they announced the intent to merge giphy into Facebook]. Why 127.6.6.6? Because that guy Mark is a bit of a beast...and they use specific marks to identify us all for their ungodly purposes.
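The commenter's scheme above (one loopback address per tracker category, with online-metrix.net sunk either in a local DNS server or in a hosts file) as an added Python simulation, not the commenter's own setup: the sinkhole table and the CNAME are constructed from what the article and the comment state, and resolve() contrasts what a hosts file can match against what a filtering DNS server that follows CNAMEs can.

```python
import ipaddress
from typing import Optional

# Constructed sinkhole table: one loopback address per tracker family, so the
# address alone says which category a sunk lookup belonged to.
SINKHOLES = {
    "127.0.0.2": ["online-metrix.net"],          # LexisNexis / ThreatMetrix
    "127.6.6.6": ["facebook.com", "giphy.com"],  # the commenter's Facebook entry
}
# CNAME reported in the article; the real A record is not needed for the simulation.
CNAMES = {"src.ebay-us.com": "h-ebay.online-metrix.net"}


def sinkhole_for(name: str, sinkholes=SINKHOLES) -> Optional[str]:
    """Zone-style match: the listed name itself or any subdomain of it is sunk."""
    name = name.lower().rstrip(".")
    for address, zones in sinkholes.items():
        if any(name == z or name.endswith("." + z) for z in zones):
            return address
    return None


def hosts_lines(sinkholes=SINKHOLES) -> list:
    """Render hosts-file entries. A hosts file matches exact names only, so every
    subdomain that should be sunk has to be listed; there are no wildcards."""
    out = []
    for address, zones in sinkholes.items():
        if not ipaddress.IPv4Address(address).is_loopback:
            raise ValueError(f"{address} is not a loopback address")
        out.extend(f"{address}\t{z}" for z in zones)
    return out


def resolve(name: str, mode: str, sinkholes=SINKHOLES, cnames=CNAMES) -> Optional[str]:
    """Simulate a lookup. 'hosts' checks only the queried name, as a hosts file does;
    'dns' models a filtering resolver that also checks every CNAME target it follows."""
    if mode not in ("hosts", "dns"):
        raise ValueError(f"unknown mode {mode!r}")
    name = name.lower().rstrip(".")
    if mode == "hosts":
        exact = {z: a for a, zs in sinkholes.items() for z in zs}
        return exact.get(name)
    seen = set()
    while name is not None and name not in seen:   # follow the chain, guard against loops
        seen.add(name)
        hit = sinkhole_for(name, sinkholes)
        if hit:
            return hit
        name = cnames.get(name)
    return None
```

Because the browser consults the hosts file for the name it asked for (src.ebay-us.com) and CNAME chasing happens at the resolver, a hosts entry for online-metrix.net never sees the eBay script's request; a local DNS server that checks CNAME targets against the block list does.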