eBay account details found online, phished?

Date Reported:
10/13/08

Organization:
eBay Inc.

Contractor/Consultant/Branch:
None

Location:
San Jose, California

Victims:
Customers

Number Affected:
5,534*

*A lot of "accounts don't exist or are no longer registered users, but there's enough live accounts in there for this to be something of a worry"

Types of Data:
"EBay Username, Password and EMail account"

Breach Description:
"Christopher Boyd, Director of FaceTime Security Labs, a malware research firm, has found a list of hacked eBay logins. The list includes 121 pages and carries 5,534 eBay accounts, including usernames, passwords and mail address"

Reference URL:
FaceTime Security Labs Blog
ECommerce-Guide
SPAMfighter News

Report Credit:
Christopher Boyd, FaceTime Security Labs

Response:
From the online sources cited above:

While investigating an unrelated case of Phishing yesterday, we came across the biggest haul of stolen EBay logins we've ever seen.
[Evan] Phishing is still alive and well in the world of cybercrime.  People should be as vigilant as ever.  Some tips are provided in the Commentary section below.

Unfortunately, there are 5,534 of them and they're spread across 121 pages.

Quite a lot of the accounts don't exist or are no longer registered users, but there's enough live accounts in there for this to be something of a worry (there also don't appear to be any duplicates, which is unusual for a collection this big).

At first glance, it's hard to say exactly where the data has come from or how new / old some of it is (it's apparently been passed around various file download sites over the past week or two), though a massive "roll-up" of stolen accounts from various Phishers seems most likely.

Most of the live accounts we saw look like this:

[Screenshot of a typical live account from the list not reproduced here. Source: FaceTime Security Labs]

These would be newly registered users, or users with low feedback scores because they don't tend to use EBay that much.

These are prime targets for Phishers, because they're more likely to be fooled by fake logins.
[Evan] Exactly.  Phishing relies on fooling someone into providing confidential (login, credit card information, bank account information, etc.) information to someone that appears to be legitimate but isn't.  eBay and PayPal are always amongst the most targeted phishing brands.

Another worry is that many new / inexperienced users on EBay use the same login details for Paypal, so there's the possibility of being able to access two sets of accounts from the same data.
[Evan] Absolutely!  I think this may be of primary concern.  Obtaining unauthorized access to an eBay account in and of itself has a limited scope of damage.  Gaining access to eBay, PayPal, Wells Fargo, etc. makes matters much worse for a victim.  Fraudsters know that a huge percentage of internet users employ the same usernames and passwords for multiple online accounts.  They count on it.

It's not just new EBayers that can be caught out by these kinds of scams; there were quite a few high-scoring EBayers in the stolen logins too.

A source tells me that hackers attempting to use these logins claim some have been "locked out" (presumably logging in on an account from an unfamiliar IP address is triggering EBay Security checks) though my source also tells me there are people bragging about there being "A lot of goodies" still in the list.

We've notified EBay, and had the data removed from the web where possible (a hat tip to Google for assisting in the removal of some cached data from their search engine).
[Evan] One of the good guys at work.

Hopefully EBay will act quickly on the information they've been provided and assist those unfortunate enough to have been Phished.
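As an added example that is not part of the original post or of FaceTime's work: the triage a site receiving such a list would run on its own side. The leaked lines, the user records and the PBKDF2-hashed credential store are all constructed; each leaked password is verified against the stored hash so that only accounts whose leaked credential still works are locked and forced through a reset, while dead or already-changed accounts are merely counted.

```python
import hashlib
import hmac
import os

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
# A site keeps only salted hashes, so a leaked plaintext can be checked
# against them without the leaked list itself ever being stored.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_store(users: dict) -> dict:
    store = {}
    for username, password in users.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store

# Constructed sample in the username:password:email layout the post describes.
LEAKED_LIST = """\
buyer_new01:Summer2008:buyer_new01@example.com
oldseller99:hunter2:old@example.com
ghost_user:whatever:ghost@example.com
buyer_new01:Summer2008:buyer_new01@example.com
power_seller:changedAlready:ps@example.com
"""

def triage_leak(leak_text: str, store: dict) -> dict:
    """Sort each leaked line into unknown (no such account), stale (password
    no longer verifies) or live (leaked password still matches the stored hash).
    Live accounts are the ones to lock and force through a password reset."""
    seen = set()
    result = {"unknown": [], "stale": [], "live": []}
    for line in leak_text.splitlines():
        if not line.strip() or line.count(":") < 2:
            continue  # skip blank or malformed lines
        username, password, _email = line.split(":", 2)
        if username in seen:
            continue  # collapse duplicates (the post notes this list had none)
        seen.add(username)
        if username not in store:
            result["unknown"].append(username)
            continue
        salt, stored = store[username]
        if hmac.compare_digest(_hash_password(password, salt), stored):
            result["live"].append(username)
        else:
            result["stale"].append(username)
    return result
```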

Commentary:
People are people and will always be susceptible to social engineering type attacks, of which phishing is one.  I personally know too many people that have fallen victim to phishing and know how easy it can be.

The key to protection is constant awareness.  One of the best sites for obtaining information about phishing is the Anti-Phishing Working Group, although there are many others as well.  Here is a link to their "How to Avoid Phishing Scams" advice.

Here are some rules of thumb that have helped keep me from falling victim to phishing attacks.

  1. NEVER click on a link in an email that leads to a login page AND log in.  This is probably the most important rule to follow in order to reduce your chances of being successfully phished.  I have never clicked on an email link and logged into a site.
  2. ALWAYS type the URL into your browser manually or use a bookmark that you know is safe (from a Word document you created, from a password manager program, etc.)  Preferably not a browser bookmark.
  3. Check accounts regularly.
  4. Change passwords regularly.
  5. Use different passwords for different sites.  I use Password Safe to manage my passwords which is a good program, but there are others out there as well.
  6. Question how things work.  If you think something feels not quite right, it probably ain't.  Investigate.
  7. Patch, patch, patch.  Patch your routers, patch your switches, patch your firewalls, patch your desktops and laptops, patch your servers, patch your applications (including browsers), patch everything.  Maybe I should say test, then patch.

No one thing will keep you safe from all threats, but the rules above should go a long way towards making things safer.

I remember seeing my first phishing email 8+ years ago.  It was an eBay phish too and I was amazed by how tricky it seemed to me at the time.  Since then I would guess billions of dollars have been made by the bad guys (and gals).  Phishing is a multi-(m or b)illion dollar a year industry.

Past Breaches:
eBay:
September, 2007 - eBay customer information exposed, but how?
