Zugg's Blog
Zugg
MASTER


Joined: 25 Sep 2000
Posts: 23379
Location: Colorado, USA

Posted: Sun Sep 10, 2006 9:26 pm

eBay Account Hijacking - Beware!
 
This is a public service announcement to anyone who has an eBay account.

For the second time in about 2 weeks, my eBay account has been hijacked and used to post dozens of "Chanel handbag" auctions.

When this happened 2 weeks ago, I contacted eBay via their Live Chat and got the auctions deleted and my account status restored. I changed my password and followed all of their other security recommendations.

Obviously I understand about hacking and scams. I *never* click on URL links in emails (especially from sites claiming to be eBay or Paypal or stuff like that). I have up-to-date virus checking and don't have any key loggers or anything like that.

Regardless of our care, eBay claims that somehow somebody got my password and used it to post these auctions. But I don't believe them.

The fact that my account was hijacked again this morning convinces me that something else is going on with eBay. I haven't logged into eBay since I changed the password, and it's not something that anyone could guess. It's a combination of letters and numbers.

But I did a Google search for "ebay hacked chanel" and found many other people in my same situation. This seems to be something that started happening in August.

What happens is that somehow the eBay account gets hacked and they are using some sort of 3rd party software to post the automated auctions. In my case, an entry from "mpire corporation" was added to my 3rd party authorizations on the date of the first account hijack.

From my research, "mpire corporations" makes eBay auctioning software. My guess is that the hacker used this software for posting the auctions. But when using the eBay API, once you get added to the 3rd party authorizations, you can continue to access the eBay account even after the password has changed.

So, the work that I did to secure the account 2 weeks ago didn't matter. eBay didn't tell me to look at my 3rd party authorizations, and since it still had an entry, they were able to use my account again yesterday.

If you have an eBay account, go to your Account Details, then Preferences, and then scroll down and look for 3rd party authorizations. Check that to be sure anything listed is valid. Many things (contests, etc) can apparently add entries here.

But I think someone has figured out how to hack the API via the 3rd party software and getting rid of any unauthorized 3rd parties is important to keep your account secure.

I have a scheduled phone call with some eBay IT people tomorrow to discuss this issue further. I'll let you know what else I learn from them.

But in my opinion, eBay is not responding to security issues as well as they should. The Live Chat people didn't know about checking the 3rd party authorizations, nor is it listed in the documentation on securing your account access.

Reading through various forums today in search of the solution to this issue just made me sick to my stomach. The amount of fraud and abuse on eBay is incredible. In fact, I doubt I'll be using eBay for buying or selling anytime soon. I think eBay is trying to keep a clamp on the bad press from these security issues, but it's only a matter of time before the general public loses trust in eBay and it goes downhill fast.

Anyway, if you have an eBay account, go double-check your 3rd party authorizations, and make sure you don't have a password that can be easily guessed or hacked. I hope this helps someone else avoid getting their account hijacked.
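The failure mode Zugg describes above, a delegated third-party authorization that keeps working after the password is changed, modeled as an added example. This is not eBay's code or API; the account store, the grant tokens, the app names and the dates are all constructed for illustration. It contrasts a password change that only rotates the credential with one that also revokes every delegated grant and hands the owner the list to review.

```python
"""Model of delegated (3rd-party) API authorizations surviving a password change.

Constructed example, not eBay's code: the account, the token store, the app
names and the dates below are invented to show the failure mode in the post.
"""
from dataclasses import dataclass, field
from datetime import datetime
import hashlib
import secrets


@dataclass
class Grant:
    """A third-party authorization: an application acting on the account's behalf."""
    app_name: str
    token: str
    granted_at: datetime
    revoked: bool = False


@dataclass
class Account:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    grants: list = field(default_factory=list)


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hasher; the parameters are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_pw(password, salt))


def check_password(acct: Account, password: str) -> bool:
    return secrets.compare_digest(acct.pw_hash, _hash_pw(password, acct.pw_salt))


def authorize_third_party(acct: Account, app_name: str, when: datetime) -> Grant:
    """What anyone holding the password can do: add a delegated grant that outlives it."""
    g = Grant(app_name, secrets.token_urlsafe(32), when)
    acct.grants.append(g)
    return g


def api_call_allowed(acct: Account, token: str) -> bool:
    """An API request authenticated by a delegated token, never by the password."""
    return any(g.token == token and not g.revoked for g in acct.grants)


def change_password_vulnerable(acct: Account, new_password: str) -> None:
    """Rotates the credential only; every delegated grant keeps working."""
    acct.pw_salt = secrets.token_bytes(16)
    acct.pw_hash = _hash_pw(new_password, acct.pw_salt)


def change_password_hardened(acct: Account, new_password: str) -> list:
    """Rotates the credential AND revokes all delegated grants.

    Returns the names of the revoked apps so the owner can review them and
    deliberately re-authorize only the ones they actually use.
    """
    change_password_vulnerable(acct, new_password)
    revoked = []
    for g in acct.grants:
        if not g.revoked:
            g.revoked = True
            revoked.append(g.app_name)
    return revoked


def active_authorizations(acct: Account) -> list:
    """The review step the post recommends: what can still act on the account."""
    return [(g.app_name, g.granted_at.date().isoformat())
            for g in acct.grants if not g.revoked]


def demo() -> dict:
    # Constructed scenario: the owner authorizes a legitimate tool; an attacker
    # who has obtained the password later adds a second, rogue grant.
    acct = create_account("victim", "Correct-Horse-7")
    authorize_third_party(acct, "my-listing-tool", datetime(2006, 4, 1))
    rogue = authorize_third_party(acct, "attacker-added-app", datetime(2006, 8, 27))

    change_password_vulnerable(acct, "NewPassword-2006!")
    rogue_after_vuln = api_call_allowed(acct, rogue.token)      # still allowed

    revoked = change_password_hardened(acct, "AnotherNewPassword-2006!")
    rogue_after_hardened = api_call_allowed(acct, rogue.token)  # now denied
    return {
        "old_password_works": check_password(acct, "Correct-Horse-7"),
        "rogue_after_vulnerable_change": rogue_after_vuln,
        "rogue_after_hardened_change": rogue_after_hardened,
        "revoked": revoked,
        "remaining": active_authorizations(acct),
    }
```

The point of `active_authorizations` is that the owner cannot revoke what they cannot see: a password-reset flow that does not at least show this list leaves the attacker's foothold in place, which is exactly what the post reports.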
Rainchild
Wizard


Joined: 10 Oct 2000
Posts: 1551
Location: Australia

Posted: Sun Sep 10, 2006 10:05 pm
 
Nasty nasty, after hearing that I'm glad I don't ebay!

A lot of my friends are very into it though, so I'll warn them, cheers for the heads-up.
Tech
GURU


Joined: 18 Oct 2000
Posts: 2733
Location: Atlanta, USA

Posted: Mon Sep 11, 2006 2:19 am
 
I just did a check on mine... I just saw something for Auctionworks that was there since April. Not sure what it was, but since I didn't explicitly add it, I made it a point to delete. I don't ebay that much anyway. Thanks for the heads up Zugg.
_________________
Asati di tempari!
Tech
GURU


Joined: 18 Oct 2000
Posts: 2733
Location: Atlanta, USA

Posted: Mon Sep 11, 2006 2:22 am
 
So I just took another look and saw I had an alert. A bid I had placed on a Thinkpad X41 for a ridiculously low price was recalled because the seller's account was compromised. The notice was sent on... Aug. 8.

I'll be even more skeptical when at eBay now.
slicertool
Magician


Joined: 09 Oct 2003
Posts: 459
Location: USA

Posted: Mon Sep 11, 2006 4:48 am
 
This isn't the only one I've heard about concerning eBay. They've recently had a rash of people hijacking accounts. One of my friends just bid on a used short-bus on a whim and supposedly, the winner backed out. The person that hijacked the auctioneer's account told my friend that they'd be willing to sell for a lower price if my friend sent the money to a different PayPal account than the one listed for the seller... so my friend contacted eBay's fraud department.
_________________
Ichthus on SWmud: http://www.swmud.org/
akson
Newbie


Joined: 20 Sep 2006
Posts: 3

Posted: Wed Sep 20, 2006 7:23 pm   also hijacked/ask ebay to close your account
 
My account was hijacked recently also, with scores of Chanel handbags listed -- all with the "Buy It Now" option, and all to end within 24 hours.

I too am concerned that there could be something more going on here than simple phishing.

I design websites and actually teach others how to use the web safely. I know that many other people do respond to phishing emails unknowingly and are lax with security. I've had people tell me their passwords and usernames and freely admit, "Oh, I use that for everything." Not me. I have a firewall/security software in place -- even on my Mac. And also, like another recent victim here, I hadn't accessed my ebay account in many, many months.

That's not to say it's impossible for someone to have guessed or discovered my username/pw. My worst security sin here was probably that I hadn't changed this particular pw in forever, since I also hadn't accessed ebay in a while. (Long enough for someone to figure it out?)

Anyway, once I got my account back in good standing, I asked ebay to keep the account on hold for security reasons. This means I can no longer access ebay (until I reinstate the account), but it seemed safer and saner than waiting for this to happen again.

If this happens to you, go directly to ebay's LIVE CHAT. Following the other steps they give you (log in, change pw, delete listings -- which you have to do one by one) will take too long. In my case, one person had made a purchase and my account had been suspended by ebay for copyright violations before I could delete one listing. (I'm glad this happened, because by that point, I was just glad to see all the listings go away.)

Which brings up a question: Why post something that will automatically trigger ebay's security to delete the listings? I wonder if this isn't meant more as an attack on ebay and its reputation than on individual users. It certainly makes me think twice about using such services.

Suggestion to ebay: Why not put a "FRAUD ALERT" button on everyone's account that will allow one to put an immediate, temporary hold on all activity and listings with one click? I am an experienced computer user, but after nearly an hour had only managed to get through the pw change, checking personal info and then delete one auction (steps ebay recommends before contacting them) -- mainly because in the middle, I got notice that a buyer had made a purchase, so then had to let him know not to send anyone any money. So disruptive and frustrating!

Ebay claims they let others know I was not the person who listed the fraudulent items, but would not supply me a copy of that email. The whole thing was very unfortunate and unsettling.
Zugg
MASTER


Joined: 25 Sep 2000
Posts: 23379
Location: Colorado, USA

Posted: Wed Sep 20, 2006 7:31 pm
 
akson: be sure to go into your eBay Preferences and look in the 3rd Party Authorizations for anything weird. That's an important step that the Live Chat people don't seem to know about.

Also, from what I understand, eBay doesn't lock accounts for too many unsuccessful login attempts. So I think the way they got my original password is using the eBay API and writing a program to just try millions of combinations to eventually crack a password. Once cracked, they enter a 3rd party authorization so that they can continue accessing the account even if the password is changed.

eBay really needs to lock accounts after too many unsuccessful logins, or at least send an email so that people could see that their account was being hacked. I wouldn't mind getting an email each time I enter my password wrong.

eBay definitely has a lot of work on their hands to improve this situation.
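The two controls Zugg asks for in the post above, locking an account after repeated failed logins and telling the owner about each failure, modeled as an added example. This is not eBay's code; the account store, the lockout policy (5 failures, 15-minute lock), the attacker's guess list, the victim password and the notification sink are all constructed. The same `login` path serves web and API logins, since the post's concern is that an API client could guess without limit.

```python
"""Failed-login lockout plus owner notification, run against a simulated guesser.

Constructed example, not eBay's code. The lockout policy, the accounts, the
attacker's guess list and the notification sink are all invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import secrets

LOCKOUT_THRESHOLD = 5                 # assumed policy: failures before a lock
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed policy: how long the lock lasts


def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative password hashing; parameters are not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class AuthService:
    accounts: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # stands in for e-mail to the owner
    enforce_lockout: bool = True

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt))

    def login(self, username: str, password: str, channel: str, now: datetime) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. One path for web and API logins."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_password"  # same answer as a wrong password: no username oracle
        if self.enforce_lockout and acct.locked_until and now < acct.locked_until:
            return "locked"
        if secrets.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failures = 0
            acct.locked_until = None
            return "ok"
        acct.failures += 1
        # Every failure is surfaced to the owner, whether or not a lock follows.
        self.notifications.append(
            f"{now.isoformat()} failed {channel} login for {username} ({acct.failures})")
        if self.enforce_lockout and acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_WINDOW
            acct.failures = 0
            self.notifications.append(
                f"{now.isoformat()} {username} locked until {acct.locked_until.isoformat()}")
        return "bad_password"


def brute_force(svc: AuthService, username: str, guesses: list,
                channel: str = "api", start: datetime = datetime(2006, 9, 1)) -> tuple:
    """Attacker loop, one guess per second. Returns (password_found, attempts_made)."""
    now = start
    for i, guess in enumerate(guesses, 1):
        now += timedelta(seconds=1)
        result = svc.login(username, guess, channel, now)
        if result == "ok":
            return guess, i
        if result == "locked":
            return None, i  # the guesser is stalled until the window expires
    return None, len(guesses)


def demo() -> dict:
    # Constructed guess list; the constructed victim password sits 7th in it.
    guesses = ["password", "123456", "letmein", "ebay2006",
               "qwerty", "abc123", "Trinity7", "monkey"]

    open_svc = AuthService(enforce_lockout=False)   # the behaviour the post describes
    open_svc.register("victim", "Trinity7")
    cracked_open = brute_force(open_svc, "victim", guesses)

    locked_svc = AuthService()                       # lockout enforced
    locked_svc.register("victim", "Trinity7")
    cracked_locked = brute_force(locked_svc, "victim", guesses)
    return {
        "open": cracked_open,
        "locked": cracked_locked,
        "owner_alerts_with_lockout": len(locked_svc.notifications),
        "owner_alerts_without_lockout": len(open_svc.notifications),
    }
```

Without the lock the guesser walks the whole list and gets in; with it, the sixth attempt is refused and the owner has six messages explaining why. A lock alone only slows a guesser to `LOCKOUT_THRESHOLD` tries per `LOCKOUT_WINDOW`; the notifications are what let the owner notice the attack while it is still only an attempt.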
akson
Newbie


Joined: 20 Sep 2006
Posts: 3

Posted: Wed Sep 20, 2006 8:09 pm
 
Agreed. But I can't get into my account at all right now, and no one else can either, as I had it placed on hold.

I was just planning to go back to live chat to ask them to check 3rd party authorizations based on what you said. I assume that since I can't sign on, neither can the 3rd party.

But given the situation, I'm thinking maybe I should just be asking ebay to delete my account altogether. If they don't lock accounts for too many unsuccessful logins, we've basically got no protection from the most basic kinds of attacks.

Combined with their assumption (in the live chat helper's script) that any victim probably responded to a phishing scam, this is just too much. Maybe we need to send ebay a canned script about the value of proper security on login accounts, just as they "educated" us about phishing scams.

OK, I guess I'm getting too riled here. Anyway, what did you learn in your phone conversation? Any progress?
gazork
Newbie


Joined: 26 Sep 2006
Posts: 1

Posted: Tue Sep 26, 2006 9:07 am   Re: also hijacked/ask ebay to close your account
 
akson wrote:
My account was hijacked recently also, with scores of Chanel handbags listed -- all with the "Buy It Now" option, and all to end within 24 hours.

I too am concerned that there could be something more going on here than simple phishing.

I


The same thing has just happened to me and I am also almost certain it wasn't someone who had or guessed my password - I do not respond to any fake ebay emails ... will follow up when I learn more.

- Mike
Zugg
MASTER


Joined: 25 Sep 2000
Posts: 23379
Location: Colorado, USA

Posted: Tue Sep 26, 2006 4:41 pm
 
Quote:
what did you learn in your phone conversation? Any progress?

Big surprise there... they never called me back.
akson
Newbie


Joined: 20 Sep 2006
Posts: 3

Posted: Tue Sep 26, 2006 4:49 pm
 
In addition to suggesting that you surely must have clicked on something you shouldn't have at some point, Ebay will tell you to change your email pw and suggest that it probably has been compromised.

After some paranoia and changing of passwords (not a bad thing), I realized that this did not make much sense ...

For one thing, if my home e-mail password had been compromised, the hackers didn't do much with it. My email username and password had not been changed at the time I accessed my account to survey the damage, so clearly they didn't use my e-mail to find out or change my username/pw. Also, if it had been compromised, I might have expected more than just my ebay account to show the effects.

It seems obvious to me that it is their system w/the security issue and is somehow susceptible to hacking. Read the tip from Zugg about the 3rd party authorizations and absolutely do not re-activate your account without checking there first.

Good luck!
© 2009 Zugg Software. Hosted on Wolfpaw.net