
Phishing & Hacking, the eBay Way

Written by Maksym Schipka
6/11/2008 4 comments

What if you wanted to hack someone’s account or you needed to buy a new exploit? How would you do this? This is a task that would stump most of us. But how about looking on eBay Inc. (Nasdaq: EBAY)?  After all, the online auction house is a place where almost anything is sold and bought. Curious, I decided to check it out.

From eBay's homepage, I typed “exploit” in the search box and back came approximately 20 results, the following among them: Phish and Hack Unlimited MySpace Accounts – New Exploit.  For $25, this auction offers the means to phish or hack any MySpace account. Initially, the person sold a phishing or hacking toolkit, but now the black-hat is offering a service to break into accounts of the buyer’s choice.  

The seller shows an adept familiarity with methods used to detect phishing techniques. For instance, if the alias for the link indicates a different location than a link itself, it is already suspicious. The seller circumvents such protection by hosting the kit on MySpace itself. This means that both the link and the alias could point to the same location, and unless the user has Webmaster skills, the end user would have difficulties differentiating between this creation and the legitimate MySpace application. 
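As an added example (not code from the article or from MessageLabs), here is a small Python implementation of the check described above: compare the host shown in a link's visible text with the host in its href. It runs on constructed HTML; the second sample link shows why hosting the kit on MySpace itself defeats the heuristic, since label and target then agree.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML for illustration; hosts ending in .invalid are placeholders.
SAMPLE_HTML = """
<p>Verify: <a href="http://phish-host.invalid/access.html">https://www.myspace.com/login</a></p>
<p>Add app: <a href="http://www.myspace.com/apps/hosted-kit">www.myspace.com/apps/hosted-kit</a></p>
<p>Help: <a href="https://help.myspace.com/faq">our help page</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A label "looks like a URL" if it is scheme-optional host[/path] with a dotted domain.
LOOKS_LIKE_URL = re.compile(r'^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$', re.I)


def host_of(text: str) -> str:
    """Lowercase host of a URL or of a bare 'www.host/path' string."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def classify_links(html: str) -> list:
    """For each anchor, report href host, label host (if any) and a verdict.

    mismatch     - label displays one host, href goes to another (classic phish)
    consistent   - both agree; NOT proof of safety (kit hosted on the platform)
    opaque-label - plain-text label, the heuristic has nothing to compare
    """
    results = []
    for href, label in ANCHOR_RE.findall(html):
        label = re.sub(r"\s+", " ", label).strip()
        href_host = host_of(href)
        if LOOKS_LIKE_URL.match(label):
            label_host = host_of(label)
            verdict = "mismatch" if label_host != href_host else "consistent"
        else:
            label_host = ""
            verdict = "opaque-label"
        results.append({"href_host": href_host, "label_host": label_host, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in classify_links(SAMPLE_HTML):
        print(f"{r['verdict']:13} href={r['href_host']!r} label={r['label_host']!r}")
```

The "consistent" verdict on the second link is the point the article makes: a same-origin host check cannot distinguish a platform-hosted phishing kit from a legitimate application.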

Admittedly, the seller’s feedback count is relatively low, which means that eBay does a reasonably good job of closing down such accounts. Otherwise the feedback would have been much higher. It would be no surprise if by the time of publishing, the item would be closed and the user deregistered by eBay authorities. [Ed. note: The item is no longer available on eBay.] 

This is just one more example of the bad guys’ ability to offer products and services to anyone in the world without boundaries and limitations. It continues to work to the great advantage of many legitimate businesses, and at the same time, the same principle helps the online shadow economy flourish.   

It is known that there are underground auctions trading zero-day exploits much more dangerous and for more money than the example above. However, by taking more proactive measures, end users and companies can help diminish the potential of the online shadow economy and its hacker exploits. For example: 

Vigilance is key: Be extra cautious when choosing whom to trust. For example, the exploit above depends on the user’s willingness to accept Web applications that are not trustworthy. Look for signs of malicious behavior and analyze the application. For instance, check for incorrect spelling within the description of the Web application; question whether friends or colleagues would recommend the application; ask yourself if you really need the Web application; and decide whether the Website appears to be trustworthy and professional.  

Economics are the secret weapon: Use economics to hurt the bad guys. After all, if it weren't for our money, they would be struggling to stay in business. Buy goods only from trustworthy shops that you know to have a long-established reputation. Buy goods that were legally imported into the country.  Spend time researching the shop or individual with which you are planning to do business. Never, under any circumstances, spend money with a business when it does not feel right.  

Safety first: Develop a habitual sense of security when browsing the Internet. There are many sites like GetSafeOnline.org that offer valuable security advice on dos and don'ts for using the Internet. Become familiar with them as you would basic traffic code. 

The solution is not always simple, as the problem is quite complex. Just as it is nearly impossible to bring down the global economy, such is the case with the Internet's shadow economy. Nevertheless, using common sense is the best way for end users to protect themselves.

— Maksym Schipka, Senior Architect, MessageLabs

Mr. Roques
Researcher
Friday June 20, 2008 10:04:22 AM

Hey Joe, sorry to tell you but the link is still there. It goes to "http://www.stmaryofthecataract.com//plugins/access.html"

Just the "access.html" freaks me out!

Human imagination is great or horrible in this case. They will come up with anything to try to phish you.

Joe_Earhart
IQ Crew
Friday June 20, 2008 1:33:41 AM

Here's the latest attempt I received.... "Mensure??"  I didn't know if the sender wanted money or needed Midol.

Wachovia New Security Mensure

Thursday, June 19, 2008 9:00 AM
From:
Add sender to Contacts
Important NotificationThis official letter is to announce that we've finished moving to a new
bullet-proof server to avoid downtimes in future. As you may know,

we've been under massive DDoS attack. Someone is willing to break

normal operating mode of our site, but now all his malicious intents will be precluded.
We are really sorry for inconvenience caused by server downtime.
< /p >  <<------------- Not HTML Literate, closing paragraph tag without opening tag first

[LINK DELETED]  Mouse over indicated URL was "STMARYOFTHCATERACT" perhaps indicating the Phisher's Phishy Faux Pas was in the service of raising money for eye surgery he so desperately needed?

Failing to eke out a living at PHISHING, I suspect he will find employment at a global call center in the near future....

We apologise for any inconveniences we may have cause you.

Mr. Roques
Researcher
Thursday June 12, 2008 10:16:11 AM

Thanks for the link Paul! It seems that social responsibility isn't very clear inside eBay. Maybe they should add the "Don't do evil" statement - it has worked for Google.

This happens when the mission of the company has profit before satisfaction. In this article in Reuters, Google's CEO Eric Schmidt said: "The goal of the company is not to monetize everything, the goal is to change the world ... We don't start from monetization. We start from the perspective of what problems do we have," referring to big, world-class problems. 

By having that philosophy, they worry about the users and their problems then they think of how can they solve that problem and if by doing that they can become profitable too.

Paul Whyte
Researcher
Wednesday June 11, 2008 2:02:09 PM

Hi Maksym,

Whilst your post basically calls on end users to be proactive, which is quite appropriate, I also believe that eBay should be seen to do more to curb this rampant phishing and hacking in the online shadow economy. In a landmark ruling in France, a judge concluded that eBay "failed to act to prevent reprehensible use of the site to the detriment of users".

EBay's Faux Pas

I think this was a landmark decision which severely undermines eBay's perceived immunity, the notion that they are not directly responsible for what is on their site. So rather than urging users alone to take proactive measures, eBay has a lot to do in curbing the growing online shadow economy!!
