Post Info TOPIC: The Hackfest continues...


Top Poster

Status: Offline
Posts: 3757
Date:
RE: The Hackfest continues...


I feel almost like I am late to a party. laughing.gif
I predict this is only the beginning of more & bigger problems, problems problems... Oh my!    biggrin.gif

Warning of infected auction tool



A third-party add-on for eBay used by thousands of sellers is being flagged by Google as potentially malicious, after it became infected with a trojan.


Over at auctionbytes blog it looks like they have not corrected everything yet and actually shut down the site or portions thereof. Gee, eb could learn something from those folks. Imagine, a site that wants to protect their users so much they shut down, when they could have just kept on going and told big lies.

But really most folks have never heard of auctiva, but they have heard of eb. They will be hearing that eb is infected. In real life it is a lot more fun telling people that too.
laughing.gif


__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

here it is kiddies, in case you didn't already find it, and want to do any "research" lmao

http://www.thoughtcrime.org/software/sslstrip/index.html

"This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below."

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Fairly new, unpatched xss flaw potentially affecting Paypal users.


If you are using this software on your off-ebay site, your customers' data is at risk.

If you are donating or checking out with/through Paypal on an off-ebay site you may be at risk. Not sure if there is any way for the buyer/user to tell if this software is being used.

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Another fairly high-profile person gets his Paypal account hacked.
If anyone out there does not believe the hackers own Paypal, you are being very naive.

Odds are 100%   biggrin.gif  your info is in the wrong hands right now, and it is only a matter of time before you get screwed and some laughing LOL-hacker goes on a wild spending spree on your PP dime.
rofl.gif

(Then you will get screwed again when PayPal lies to you and blames you for getting hacked)

When paranoia isn't enough


laughing.gif   toocool.gif

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Epic LOLz!             biggrin

It is my understanding that this is the suspected paid shill who was begging for Vladuz to hack her back when he NARUd all those other suspected paid shills in late October 2007.
Which makes me wonder if perhaps the mysterious (and miraculous) V-man may have been able to hack her from inside his jail cell. roflmao

WARNING - PAYPAL AND HACKERS!!!!!!!!

 



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Of course this sort of thing has never ever stopped for one second, but there has been more talk of it lately...
Just using a slight variation on the theme of contact info, using an image instead of text, which again, has been going on since Feb 2007, at least.
The victims this day were xudong998, and bzbexpress, and more


FWIW, whoever is doing this form of hacking is behind the times. You don't have to look too far to know that by now, the hackers now have a direct pipeline(s) right into paypal, by which they can either collect payment for bogus listings, withdraw money, or just buy things and have them shipped/ digitally delivered (where applicable).

There are videos at a local site wherein shopping sprees have been documented live. The shipping address is changed to send the hacker's plunder to his/her choice of address, (as we know, PP policy now makes sellers ship to non-verified addy's) then the hacker continues, (while laughing their @$$ off) as they go back into the victim's accounts, order up and pay for a bunch of gay magazines, and have those shipped to the account holder/victim's actual address. lmao!

So when those tired old shills (whose very own accounts have been hacked ^ biggrin.gif ) over there keep insisting that folks have given up their passwords somehow, they are not being truthful! They are paid liars, (bought, paid for and owned) in my expert opinion. cool.gif

 


 



-- Edited by budnonymous at 07:59, 2009-03-05

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Another Paypal Vulnerability Reported biggrin


__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Investigator is victim too

Gurnee officer who investigates ID theft hit for $947 in unauthorized transactions

Special to the Tribune, June 12, 2009

Gurnee Police Cmdr. Jay Patrick has reviewed countless cases of identity theft and unauthorized bank withdrawals, but the 22-year veteran of the force never thought he would become a victim.

Last month someone accessed his PayPal account and made three transactions, charging $947 to his bank account for purchases he did not make, he said.

"I really didn't think I was at risk of someone hacking into my PayPal account, if that is indeed what happened to me," Patrick said.

PayPal is a popular online service that allows members to send and receive money without sharing financial information, using their account balances, bank accounts or credit cards. According to its Web site, PayPal has more than 70 million active accounts worldwide.

"The PayPal system has never been compromised since its inception," claims a customer service e-mail sent to Patrick.

On May 21 he found three e-mail messages from PayPal with "your payment has been sent" in the subject line, confirming three purchases: one for $300 and two for 200 British Pounds each, he said. He received a fourth e-mail from PayPal, reading, "We have reason to believe that your account was accessed by a third party."

Patrick logged into his PayPal account and flagged the transactions as unauthorized. He juggled his finances to account for the more than $900 missing from his checking account, which was linked to his PayPal account.

"I held off on some bills and purchases," he said. "I did not bounce any checks or anything, but I did have to transfer funds from savings to cover automated withdrawals for bill payments."

Charlotte Hill, a public relations manager for PayPal, said she could not address Patrick's case because of privacy issues but said the situation he encountered is rare.

"We have a really low rate of fraud, only one-third of 1 percent," she said. "One of the reasons we are safer [than using a credit card online] is that we never share financial information with the recipient of the payment. In addition, if you paid with a credit card [on PayPal] you are still getting protected by the credit card, so you are doubly protected."

An e-mail from PayPal customer service to Patrick suggested ways to protect himself in the future, such as not sharing his password, changing his password often and being on the lookout for fraudulent PayPal Web sites.

Patrick said he did everything right, making online purchases rarely, and only on sites that use PayPal.

"I have not given my password to anyone, and I am well aware of scams and I watch for that kind of thing. I do not send personal information to anyone via e-mail, so I am not sure how someone obtained my password," he said.

Ryan Nelson, network administrator for the Village of Gurnee, said a good password is crucial to protecting money and identity online. He suggested using at least eight characters in a password that does not include dictionary words, names or significant dates.

"Of all of the stories I have heard where accounts are compromised, poor passwords are usually the culprit," Nelson said.

Nine days after Patrick contacted PayPal about his unauthorized purchases, he received an e-mail stating the investigation was complete and he would receive a refund. The money was returned to his account Monday, he said.

While Patrick said he was inconvenienced, he knows it could have been worse.

"I certainly have heard the horror stories of what happens to victims of identity theft. Trying to get the criminal credit history removed and re-establishing their good credit can take years in some cases," he said.

"It was a clear reminder," Patrick added, "that no one is immune to criminal activity."

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

More holes found in Web's SSL security protocol

At Black Hat, researchers say these bugs could be used with null termination certificates to create undetectable man-in-the middle attacks. Find out about the new vulnerabilities found by Dan Kaminsky

LAS VEGAS -- Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.

At the recent Black Hat conference in Las Vegas, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.

This type of attack could let an attacker steal passwords, hijack an on-line banking session or even push out a Firefox browser update that contained malicious code, the researchers said.


continues at link...  ^^^


 

If anyone out there cares, I have a guaranteed fix/defense for this exploit (in FF). Takes all of 10 seconds, but I won't share it publicly. Anyone who wants to know what it is can contact me.



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

I see someone has been very hard at work having images from this thread topic deleted from image shack. I will be replacing/reuploading them as time permits. In the meantime, if anyone wants to see any of them, contact me.

Payback is going to be issued, so keep deleting...


mu-ahahahahahahaha


:cool:

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

EBay Requires Developers to Change Their Account Passwords

Juan Carlos Perez, IDG News Service

 

It gets more funny:

Passwords compromised for eBay developers


And if that weren't enough:

eBay Developer Important Security Update - Oh Please!

But you never know...
There could be more comedy on the way.

When they get all done, they are likely to have just thrown a few more wrenches into the gears of their blivet-mobile.    biggrin.gif

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Breaking: It's not just Facebook. 4Chan hack Christians social network, email, Paypal accounts and more



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

ebay Flash Redirect XSS Flaw Alive and Well





Viewers can look here, at the www.firejohndonahoe.com public blog, where Doc, from www.ebaymotorssucks.com has captured images of the source code of the phake login phishing page and more info.
http://tinyurl.com/y9yf93e


There is also another variant of the flash manipulation exploit where the hackers can actually pop right up into your "My ebaY" page.
Again, the uncorrected critical safety flaw has existed a looooong time & to the best of my knowledge still possible/and/or in use

Learn more about that by searching-reading
"Watchdog Group Gives Live Demo of eBay Security Vulnerability"
article on the auctionbytes site, March 2008.
http://tinyurl.com/yhsj9wa


__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

ebaY Still Hacked Cracked and Hijacked for the Holidays




ebay is still being eaten alive with fake listings and hacked hijacked accounts. The scammers and hackers are getting more creative and harder to spot.


Meet tonight's seller/victim:
recyclebabe (3615)
99.9% Positive feedback

Fake listings seen in this video:
Wood hand cranked Bass Prestwich 35mm movie camera
Item number:350276558982

White Segway i2 + Handlebar Bag, Aluminum Mats, Lock
Item number:390116018100

Yamaha Tyros3 61-key Arranger Keyboard Tyros 3 100% NEW
Item number:350276558719


PS, this lady's account still had fake listings some 2 days later.


__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

01-10-2010 19:19

Auction Ruling to Set a Precedent

An imminent ruling on a two-year-old hacking case involving Auction, which now enjoys a virtual monopoly in the nation's online open market after taking over Gmarket, is expected to set a precedent in many ways, not least of all about how tolerant the nation will be regarding online businesses. This ruling could make or break the future of the country's Internet business. ED.

By Park Si-soo
Staff Reporter

A Seoul court is expected to make a ruling Thursday on the largest private information leakage case involving the online open market site, Auction, owned by eBay. The system was hacked into in February 2008.

The company and the authorities estimate that nearly 10.81 million or 60 percent of all registered users of Auction (www.auction.co.kr) had their private information including ID numbers, home addresses, phone numbers and even bank accounts exposed to strangers by hackers allegedly from China.

Of them, 146,000 users have taken a class action against the online auction company, each demanding between one and three million won ($880-$2,650) in compensation. Police failed to identify and catch those who penetrated the company's firewall.

What the cyber attack left behind was a long, drawn out court battle between two "victims": Auction and its affected users.

The plaintiffs tried to prove that they had sustained damage as a result of the leak, citing an increase in the number of what appeared to be fraudulent calls to their mobile phones following the incident.

Auction, which was taken over by eBay in 2001, tried to defend itself on the basis that the cyber attack and resultant information leak was an unavoidable "rite of passage" for Internet-based companies at home and abroad.

"No matter how strong a firewall may be, Internet firms are bound to be susceptible to hackers," said an Auction spokesman. "At the time of the incident, we were using a state-of-the-art firewall whose defense capability was not inferior to that of the world's most popular commercial Web sites. If the court holds us responsible, online marketplaces like Auction will lose business, in turn causing a significant impact on the IT industry in general."

The spokesman underlined, "We are also a victim."

Lim Sung-geun, a presiding judge of the case, has remained tight-lipped. Given past rulings on similar cases, however, it's very likely that Auction will be held partially liable.

In November 2008, the Seoul High Court ordered Kookmin Bank to pay 200,000 won in compensation to nearly 1,000 online clients, whose private information was leaked. LG Electronics was also ordered to pay 700,000 won to those who uploaded their private information on its recruitment Web site, whose firewall was also breached. No matter how little the compensation to each user may be, the Auction spokesman says, it could pose a grave threat to its bottom line.

"If the plaintiff wins, it's possible that the remaining 10 million people who have taken no legal action against us as yet would follow suit," the Auction spokesman said.

According to a quarterly report the company submitted to the state financial watchdog in November last year, it had capital of 108.7 billion won as of Sept. 30.

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Just a little reminder that the hijacked fraud auctions are still going strong on ebay. Same way as always. Same lackluster job keeping them off the site by ebay's so-called security dept.

These were all from different sellers IIRC, one single email address found in all of them.

 


 



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

eBay Security Vulnerabilities Found by Researcher





eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user's password and get access to that user's account.

The vulnerability is one of several affecting eBay that were recently uncovered and shared with eWEEK by Nir Goldshlager, a researcher with Avnet Information Security Consulting. Among the vulnerabilities are cross-site scripting bugs in the eBay Live Help support page and eBay To Go, which the company fixed by validating user input. In addition, Goldshlager uncovered a blind SQL injection problem in the eBay donations Website.

All of the vulnerabilities have been patched except the CSRF (cross-site request forgery) flaw. According to Chad Greene, eBay's senior manager of global information security, the company has pushed code to the core site to measure the impact of potential fixes for the CSRF problem on the user and will make a decision about how to address the situation in the next three weeks.

"The nature of CSRF means that there isn't a single fix that can be applied in all cases and rolling out the wrong fix could break legitimate user functionality," Greene told eWEEK in an e-mail.

According to Goldshlager, who demonstrated a proof-of-concept attack, the CSRF vulnerability can be exploited to ultimately get control of a user's account.

"When the victim visits my malicious Website I can change his password ... to any password I choose," Goldshlager explained. "I can change the user's password because I am in control of changing his primary phone and personal information details in his eBay account. An attacker can [also] change the secret question [and] answer with the cross-site request forgery vulnerability. Then he can renew the password of the user by using the 'forget password' mechanism."

In an interview, Greene said users can report any security issues they find to eBay's security center, and the site works with members of the research community to uncover any vulnerabilities.

"We work with many members of the security community as well as the security industry we like to do community outreach and educate the user base," Greene said.


 

 



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

ebaY seems to be under a new wave of attacks. The hackers have more than just a couple new tricks!

eBay Redirect Scam Caught On Screen Video!





Watch this response carefully. You'll see that everything which can be blocked is being blocked. You can't give the browser much less privileges. ebaY is NOT safe! Worst of all they blame the victim!

ebaY Hacked! Redirect Exploit and Fake Page Response/Follow-up



ebaY's pitiful response from Auctionbytes:

Blogger Captures eBay Motors Scam on YouTube Video -

spokesperson Johnna Hoff:


"eBay Motors is constantly and proactively monitoring the site to prevent and address possible fraudulent behavior. As part of this monitoring, eBay Motors has identified recent redirect issues and has implemented specific safety measures, including updating our detection systems with a filter to identify this particular behavior. These additional protections should supplement smart shopping habits, including reviewing seller ratings, communicating with sellers and confirming transaction details through My eBay before making a purchase, and never paying for a vehicle via instant cash-transfer methods. eBay Motors also offers free vehicle history reports and a Vehicle Purchase Protection program for transactions that occur on the site, to help ensure the 10 million visitors coming to the site each month interact in a safe, trusted marketplace."



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

New wrinkle on an old scam...

ebaY Crafty Hackers and iPhone Scams





__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Hilarious!

After ebaY issues a statement ^^ claiming to have fixed the flaw responsible for the allowance of these redirect scams, Doc finds the very same SUV listed and redirecting again!
Same exact photos, same fake VIN etc

eBay Motors Redirect Scam 320499691440 2007 Chevy Tahoe




But the fun just starts there.
Notice in this video that ebay changed their page design.  Notice the hackers are using ebaY's very own scripts etc.

ebaY Redirect Scam Listing Dissected




But ebaY left that listing to run for several days, only pulling it on 03-16-2010. The view count was over 7K as I made the vid. Not sure the final count. But wait! There's more!


eBay Motors 07 Tahoe Scam Listing 320499691440 Still Scamming After 6 Days!



After the listing got pulled, the phake page had a frame from ebay stating the listing was closed, yet the phake STILL had a redirect to yet another phake site which had already been taken down (added to blacklist, and suspended) by FF from the looks of things.

Doc has even more videos revealing more things about this. :
http://www.youtube.com/user/ebaymotorssucks

even more here:

www.ebaymotorssucks.com


FWIW, when I visited the phake page directly, as the listing was still active, I got redirected to ebaY's main page. There are a LOT of particularities about what we see here. More than either one of us has mentioned publicly so far. This is clearly something new.

Bottom line; The hackers are knee deep into ebaY's sphincter.


blankstare.gif     laughing.gif



-- Edited by budnonymous on Tuesday 16th of March 2010 09:48:01 PM

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Faux eBay Live Chat With A VPP Scammer!




Eaten alive!!!
Again the hackers use an ebaY api to authenticate username and password.

omfg!!! That site should be shut down!

Nothing but fraud, with the grandaddy fraudsters of them all protecting the scams for all.

-- Edited by budnonymous on Tuesday 16th of March 2010 10:01:13 PM

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Law Enforcement Appliance Subverts SSL


laughing.gif


__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Fraudsters Use Phishing Attacks to Hijack eBay Accounts
By Ina Steiner
AuctionBytes.com
March 29, 2010

A 20-year veteran of the military named Doug received an email on Thursday informing him that eBay had put a temporary hold on his selling account. The email instructed him to click on a link that led to eBay.com, where he verified his account. Ten minutes later, he received 29 email messages from shoppers asking questions about products that he had not put up for sale, including bicycles and exercise equipment.


continues...

Guess who got a mention?

comments at auctionbytes blog:
eBay Snoozes as Hijacker Lists 52,000 Auctions in 2 Hours
By: Ina Steiner

Thu Mar 25 2010 21:59:12

teevee.gif

My humble contribution:



-- Edited by budnonymous on Monday 29th of March 2010 05:51:28 AM

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

eBay comes under attack, says Red Condor

01 April 2010

eBay is the victim of a phishing attack that uses its own compromised server, according to email filtering company Red Condor.

In an advisory published today, Red Condor said that a phishing mail sent by scammers reporting an eBay security alert differs from conventional phishing emails. This one tells victims that they must download a Security Shield program, which is in fact a trojan that harvests their passwords and presumably carries out other malicious activities on their machines.

Traditionally, phishing email relies on victims entering information about their accounts on spoof websites designed to look like the targeted company's genuine site. However, this mail directs victims to a web page containing a Download Now button to download software that directly compromises their machine.

continues...

 

However, as usual there is more to it.




__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

That spiffy new page look doesn't seem to be improving safety, or functionality for that matter . laughing.gif

Sort of like when a slumlord landlord hires, oops strike that, I mean scams on, pimps out or freeloads on a bunch of crackheads to paint the crackhouse.
Along the way they break a few windows and put holes in the roof, defecate in the kitchen sink. rofl.gif

hijacked account





-- Edited by budnonymous on Monday 17th of May 2010 07:38:12 AM

__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Pretty obvious that ebay-paypal are hacked to the gills. There are too many signs that hackers are and have been deep into the db.
(like september 25th 2007 for instance roflmao!!!)

This is more than just "phishing" when they have your real name.
For that matter, "simple phishing" is an ancient sport nowadays. lol.

But I also wonder just who are these creepy people on the forums who are always telling outright lies to and insulting these aggrieved consumers?

Something seems very phishy about that.
It is really waaaaaaaaaaaaaaaaaaay beyond believable...

Does that seem like the sort of outfit you should trust?
Is that the sort of response you should get when problems arise?

I'm positive this is phishing but why doesn't PayPal contact me?




__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

yarrrriiiitte!!! rofl.gif Probably too late. blankstare.gif
besides, the CSRF flaw has a bazillion different ways.
And don't forget, above all; ebaY LIES!

PayPal Patches Critical Security Vulnerabilities

PayPal says it has closed a number of security holes uncovered by an Avnet Technologies security researcher, including one that could have allowed an attacker to access PayPal's back-end system for business and premier account reports and acquire a mountain of data.

A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal's business and premier reports back-end system.

The vulnerabilities were patched recently by PayPal after security researcher Nir Goldshlager of Avnet Technologies brought the vulnerabilities to the site's attention. The most critical bug was a permission flow problem in business.paypal.com, and could have potentially exposed a massive amount of customer data.

"An attacker was able to access and watch any other user's financial, orders and report information with unauthorized access to the report backend application," Goldshlager explained. "When users have a premier account or business account the transaction details of their orders are saved in the reports application an attacker can look at any finance reports of premier or business accounts in the PayPal reports application and get a full month [and] day summary of the orders reports."


That includes information such as the PayPal buyer's full shipping address, the PayPal transaction ID of the buyer and the date and amount of transaction.

The other vulnerabilities Goldshlager found included an XSS (cross-site scripting) vulnerability affecting the paypal.com and business.paypal.com sites that an attacker could use to steal session IDs and hijack user accounts, as well as a CSRF (cross-site request forgery) bug that exposed user account information. The CSRF vulnerability impacts the IPN (Instant Payment Notification) system, a PayPal service that sends a message once a transaction has taken place.

Once IPN is integrated, sellers can automate their back offices so they don't have to wait for payments to come in to fulfill orders, Goldshlager explained.

"This CSRF exploit method exposes the same information from the buyer as the first vulnerability ... to exploit a CSRF attack that adds a Instant Payment Notification access, the attacker will make an attack that adds his own Website address to the victim account IPN settings, and when there is transaction on PayPal the victim's transaction details will be sent to the attacker's Website," he said.

Goldshlager also uncovered smaller CSRF issues, he said. He reported the bugs to the site in February. According to PayPal, nearly all the problems Goldshlager uncovered were fixed right away.

"As you know, these types of security issues are very complex and we are grateful for our strong working relationship with the security researcher as well our partnership with the security community that have brought these issues to light," a PayPal spokesperson told eWEEK in an e-mail. "We have a shared mission to make PayPal and the Internet as safe as possible for our customers."






-- Edited by budnonymous on Friday 16th of April 2010 06:46:43 AM

__________________

Exposing the sleazery of ebaY and PayPal
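The IPN-settings CSRF quoted above works because the victim's session cookie rides along with a request built on the attacker's page, so the settings handler cannot tell who composed it. The following is an added illustration of the defence (a per-session synchronizer token plus an Origin check); it is not PayPal's code, and the handler, field names and site origin are assumed.

```python
"""Defending a state-changing settings form (here: the URL that receives
payment notifications) against cross-site request forgery.
Added illustration; handler, field names and SITE_ORIGIN are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CSRF_FIELD = "_csrf"
SITE_ORIGIN = "https://merchant.example"   # assumed origin of our own app


@dataclass
class Session:
    """Server-side session: the cookie only identifies this object."""
    user: str
    ipn_url: Optional[str] = None
    # One unguessable token per session, embedded in our own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_settings_form(session: Session) -> Dict[str, str]:
    """What the legitimate settings page embeds as hidden fields.
    A page on another origin cannot read this token, so it cannot forge it."""
    return {CSRF_FIELD: session.csrf_token, "ipn_url": session.ipn_url or ""}


def update_ipn_url(session: Session, headers: Dict[str, str],
                   form: Dict[str, str]) -> Tuple[int, str]:
    """The state-changing handler. The session proves the browser belongs to
    the victim, not that the victim meant to send this request, so three
    independent checks gate the change."""
    # 1. Origin (or Referer) must be our own site whenever the browser sends it.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return 403, "cross-origin request rejected"
    # 2. Synchronizer token, compared in constant time.
    submitted = form.get(CSRF_FIELD, "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    # 3. Even a legitimate change may only point notifications at an HTTPS URL.
    url = form.get("ipn_url", "")
    if urlsplit(url).scheme != "https":
        return 400, "IPN URL must be https"
    session.ipn_url = url
    return 200, "IPN URL updated"


def run_scenarios() -> Dict[str, int]:
    """Constructed requests: two cross-site attempts and one genuine edit."""
    s = Session(user="victim")
    forged = {"ipn_url": "https://attacker.example/collect"}      # constructed
    cross_site = update_ipn_url(s, {"Origin": "https://attacker.example"}, forged)[0]
    no_origin = update_ipn_url(s, {}, forged)[0]   # header stripped, token still absent
    genuine_form = render_settings_form(s)
    genuine_form["ipn_url"] = "https://merchant.example/ipn"
    genuine = update_ipn_url(s, {"Origin": SITE_ORIGIN}, genuine_form)[0]
    return {"cross_site": cross_site, "no_origin": no_origin,
            "genuine": genuine, "stored_ok": int(s.ipn_url == "https://merchant.example/ipn")}


if __name__ == "__main__":
    print(run_scenarios())
```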

 



Top Poster

Status: Offline
Posts: 3757
Date:

ecrater comes under DDoS attack.
eCRATER.com :: View topic - downtime 05/02/2010 http://community.ecrater.com/viewtopic.php?t=23861



Now who would want to do that, and why?
confuse.gif

It also strikes me odd that Paymate also came under DDoS attack apparently not once, but twice recently.

http://paymateblog.blogspot.com

I bet if and when eb-PP go down again it will hurt them a lot more than the above sites.

blankstare.gif


__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

budnonymous wrote:

 

eBay comes under attack, says Red Condor

01 April 2010

eBay is the victim of a phishing attack that uses its own compromised server, according to email filtering company Red Condor.

In an advisory published today, Red Condor said that a phishing mail sent by scammers reporting an eBay security alert differs from conventional phishing emails. This one tells victims that they must download a Security Shield program, which is in fact a trojan that harvests their passwords and presumably carries out other malicious activities on their machines.

Traditionally, phishing email relies on victims entering information about their accounts on spoof websites designed to look like the targeted company's genuine site. However, this mail directs victims to a web page containing a Download Now button to download software that directly compromises their machine.

continues...

 

However, as usual there is more to it.



In case no one was paying attention, the file JS Pdfka-OE you see mentioned in the video as being a false positive by a pink has turned out to be a genuine exploit from the looks of things.

It now shows as malicious on half the major virus scanners via virustotal.com. So anyone who took eb's advice got owned. laughing.gif

Still, no announcement, no retraction, update, clarification... no nothing from eb?
I wonder why that is? After all, it's only literally millions of people's lives potentially ruined?

I can't stress this enough, the file was and likely still is being hosted on ebay's very own servers, along with the other 'security shield', which is still being found on about me pages.



 



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster

Status: Offline
Posts: 3757
Date:

Original release date: 04/20/2010
Last revised: 04/21/2010

Vulnerability Summary for CVE-2009-4771

Overview

The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified "duplicate actions" via unknown vectors.

Vulnerability Summary for CVE-2009-4772

Overview

Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors.


Vulnerability Summary for CVE-2009-4773

Overview

Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

__________________

Exposing the sleazery of ebaY and PayPal
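The first CVE above describes a payment module that "does not properly validate orders", letting a notification trigger "duplicate actions". The block below is an added illustration of what a receiver of PayPal-style IPN messages has to check before fulfilling an order; it is not Ubercart's or PayPal's code, and the post-back to PayPal is replaced by a constructed stand-in so it runs offline.

```python
"""Receiver-side validation of Instant Payment Notification (IPN) messages.
Added illustration, not the Ubercart fix. `constructed_postback` stands in
for echoing the message back to PayPal and receiving VERIFIED."""
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qs, urlencode

IpnMessage = Dict[str, str]

# Constructed stand-in for PayPal's side: the notifications it really sent,
# keyed by txn_id. The real post-back answers VERIFIED only when the echoed
# message is identical to what PayPal sent; equality emulates that.
PAYPAL_SENT: Dict[str, IpnMessage] = {
    "TXN0001": {"txn_id": "TXN0001", "payment_status": "Completed",
                "receiver_email": "seller@merchant.example", "invoice": "INV-42",
                "mc_gross": "19.99", "mc_currency": "USD"},
    "TXN0002": {"txn_id": "TXN0002", "payment_status": "Pending",
                "receiver_email": "seller@merchant.example", "invoice": "INV-43",
                "mc_gross": "5.00", "mc_currency": "USD"},
}


def constructed_postback(msg: IpnMessage) -> bool:
    return PAYPAL_SENT.get(msg.get("txn_id", "")) == msg


class IpnValidator:
    def __init__(self, receiver_email: str,
                 verify: Callable[[IpnMessage], bool]) -> None:
        self.receiver_email = receiver_email.lower()
        self.verify = verify                      # injected post-back
        self.seen_txn: Set[str] = set()           # persist this in a DB in real use
        self.orders: Dict[str, Tuple[Decimal, str]] = {}

    def register_order(self, invoice: str, amount: Decimal, currency: str) -> None:
        """What we charged for an invoice, recorded before redirecting to PayPal."""
        self.orders[invoice] = (amount, currency)

    def handle(self, raw_body: str) -> Tuple[bool, str]:
        """Return (fulfil_order, reason). Every check is independent of the
        others: a message must pass all of them to trigger an action once."""
        msg = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
        # 1. Authenticity: anyone can POST to the listener URL; only PayPal
        #    can confirm it sent exactly this message.
        if not self.verify(msg):
            return False, "not VERIFIED by post-back"
        # 2. Only a completed payment may fulfil an order.
        if msg.get("payment_status") != "Completed":
            return False, f"ignored status {msg.get('payment_status')!r}"
        # 3. The money must have gone to our account.
        if msg.get("receiver_email", "").lower() != self.receiver_email:
            return False, "receiver_email mismatch"
        # 4. Amount and currency must match the order we actually created.
        order = self.orders.get(msg.get("invoice", ""))
        if order is None:
            return False, "unknown invoice"
        amount, currency = order
        try:
            paid = Decimal(msg.get("mc_gross", ""))
        except InvalidOperation:
            return False, "unparseable mc_gross"
        if msg.get("mc_currency") != currency or paid != amount:
            return False, "amount/currency mismatch"
        # 5. Idempotency: PayPal may resend, and a replay looks identical.
        #    Act on a given txn_id exactly once.
        txn = msg.get("txn_id", "")
        if not txn or txn in self.seen_txn:
            return False, "duplicate or missing txn_id"
        self.seen_txn.add(txn)
        return True, f"fulfil invoice {msg['invoice']}"


def run_scenarios() -> Dict[str, bool]:
    """Constructed traffic: one genuine notification, its replay, a copy
    with the amount lowered, and a payment that is only Pending."""
    v = IpnValidator("seller@merchant.example", constructed_postback)
    v.register_order("INV-42", Decimal("19.99"), "USD")
    v.register_order("INV-43", Decimal("5.00"), "USD")
    genuine = urlencode(PAYPAL_SENT["TXN0001"])
    tampered = urlencode({**PAYPAL_SENT["TXN0001"], "mc_gross": "0.01"})
    return {
        "genuine": v.handle(genuine)[0],
        "replay": v.handle(genuine)[0],
        "tampered": v.handle(tampered)[0],
        "pending": v.handle(urlencode(PAYPAL_SENT["TXN0002"]))[0],
    }


if __name__ == "__main__":
    print(run_scenarios())
```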

 
