digg

Facebook Connect Join Digg About

Complex, Multi-Stage Botnet Attack on eBay Underway

money.cnn.com The attack, which is one of the first of its kind to employ extremely complex, multi-stage attack methods, performs a distributed and covert brute force attack on eBay accounts in an effort to obtain personal information and/or items sold/purchased via the eBay site.

Who dugg this? Made popular Sep 7, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

82 Comments

show profanity settings
expand all
  • 28dayslater, on 10/10/2007, -1/+60I think I am protected now: Paypal sent me an email a few weeks back telling me there was a security issue with my account. I just followed their link and logged into my account, and now everything is apparently okay again. Easy as pie.
  • Godlike, on 10/10/2007, -2/+33Yet another part of this is the DDOS attack that is submitting a story to DIGG.
  • doskir, on 10/10/2007, -1/+18being on the frontpage of digg ?
  • thecompkid, on 10/10/2007, -0/+17Pfft, phishing.
    That wasn't a joke. I did it too, and they even sent me some free V1@gra!!!!
  • noahhoward, on 10/10/2007, -0/+15WOOOSH!
  • r2pro, on 10/10/2007, -0/+14Is this coming from the Storm worm (trojan) herders?
  • synthpop, on 10/10/2007, -3/+16it appears SKYNET is online and operational
  • inactive, on 10/10/2007, -2/+15Glad I signed up for one of those secure key keyfobs that work w/ my PayPal and eBay accounts.

    https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
  • Disjunto, on 10/10/2007, -0/+13what about guestpasswordpony13?
  • noahhoward, on 10/10/2007, -1/+13Isn't it great when arseholes band together for the common good? ***** pricks.
  • inactive, on 10/10/2007, -2/+12Ebay deserves this for not changing/upgrading their site and instead hoarding profits for all these years.
  • wshs, on 10/10/2007, -0/+9I have one of those. I got an email from eBay saying my account was compromised. (It came from eBay, passed SPF, etc, not a phish). I logged into eBay by manually typing out the URL, just to be extra sure. It made me change my password, ignoring the keyfob completely. I sent a request to eBay asking how someone managed to get into my account while I was in possession of the device. They have not responded yet, which, sadly, is typical. If someone can supposedly compromise an account that is configured to require the keyfob, they aren't that secure, or useful. Security theater, etc.
  • Salgat, on 10/10/2007, -0/+8Why not? Countless people use simple passwords, all it takes is for these bots to use a dictionary to attack an account, if it doesn't find a pass after # of trys, goes to next one.
  • cosequin, on 10/10/2007, -0/+8heck yeah, like why can't we sort by SHIPPING!?!?!?!?!?
  • jamdogg, on 10/10/2007, -0/+7security of anything is an illusion. Take a look at banks.
  • feckineejit, on 10/10/2007, -0/+7glad I got booted from ebay last year.
  • jackyyll, on 10/10/2007, -2/+9Do you understand what a DDoS attack is?
  • supaklaw, on 10/10/2007, -1/+8good answer: survey says... people are still dumb on the intertubes.
  • inactive, on 10/10/2007, -0/+6Yes but the attacks make people not want to use ebay. That makes ebay lose money. I should also mention in this day and age if you don't keep your site up and revamp it every few years, you're gonna be a target.

    So again, screw ebay and their everyone on their board of directors. That site should be worry free for buyers and sellers by now. They've had 10 years to do it.
  • CoolWind, on 10/10/2007, -0/+6It would be much better if your eBay login-ID had to be different than your eBay user-ID. This would pretty much eliminate dictionary attacks.
  • zweben, on 10/10/2007, -0/+5The example password in their photo doesn't exactly inspire confidence.

    "123456"
  • Pyroxene, on 10/10/2007, -1/+6Just FYI my key is 652781....no wait now it is 992326......now it's 725114 I wish this thing would make up it's mind.
  • graemee, on 10/10/2007, -0/+5swordfish
  • fkr3, on 10/10/2007, -2/+6The traffic digg sends to a site like CNN wouldn't be a bump on their daily traffic graph.
  • wshs, on 10/10/2007, -0/+3It's made by Verisign, which, I believe, is a direct competitor to RSA.
  • supaklaw, on 10/10/2007, -0/+3note: "Phishing is involved" so why worry about a botnet attack... obviously it's just a brute force attack on someone dumb enough to give up personal info already. Pump up your passwords to the max, ebay has a 40 key limit for passwords. Maybe "guest" and "password" and "pony13" aren't such good ideas, yes?
  • indicas, on 10/10/2007, -1/+4What a crap article... Little to no details given. It reads like an advertisement for Aladdin Security Team.
  • deadzone, on 10/10/2007, -0/+3Having dealt with PayPal customer "service" in the past I can tell you to get anything done you should ask for a Senior Agent. They actually know what's going on and can get things done in much less time than the peons answering the phones.
  • UncleChachi, on 10/10/2007, -0/+3 That must be how my account got hacked. They're showing my damn password in the photo!
  • SyberMile, on 10/10/2007, -0/+3nothing is unhackable including this
  • torpedoes83, on 10/10/2007, -1/+3Ebay isn't the one that is going to lose all their money.
  • inactive, on 10/10/2007, -0/+2I wouldn't be at all surprised (actually I'd be happy) if these tokens are made mandatory, at least for sellers.
  • inactive, on 10/10/2007, -0/+2Aren't Alexa stats based on people having to install an Alexa browser plugin (an inherently geeky thing), and thus pretty much worthless?
  • jamdogg, on 10/10/2007, -0/+2True I still had a simple one from years back. I just upgraded it to a tougher one.
  • Cyber_Akuma, on 10/10/2007, -0/+1What about "123isthecombinationofmyluggage"?
  • sexybobo, on 10/10/2007, -1/+2http://tinyurl.com/2waqkk (alexa stats of digg and cnn)
    Digg is getting close to the same number of page views as alexa so it would be possible for digg to almost double the hits cnn gets if every one that views digg follows the link to cnn. don't doubt the power of digg.
  • deadzone, on 10/10/2007, -0/+1Having used SecurID at a previous job, and now using the PayPal/eBay Security key I can say they're functionally identical. I have no experience with the serverside aspect but to the end user there is no difference between the two.
  • inactive, on 10/10/2007, -0/+1@ foxhoundadmin Ah, as a Mac user running Camino (as opposed to a Windows user running IE or perhaps Firefox), I've never encountered Alexa software myself. As a result, my knowledge of it is limited. I was under the impression that it was some kind of opt-in browser plugin thing that most people would not know about or bother with.
  • cosequin, on 10/10/2007, -0/+1From that article, it seems you should give your account a longer, harder to brute password, since hacked websites install the trojan, those zombie botnet computers then collaborate together in some way to brute-force your ebay passwords. So a solution is give your ebay password more characters, making it harder to bruteforce it. My first one was x, then xx, now it's xx+12 characters.
  • simpleid, on 10/10/2007, -0/+1the answer is always yes and no.
  • Rijnzael, on 10/10/2007, -0/+1Does anyone know if this is a branded version of RSA Security's SecurID Token for two-factor authentication?
  • inactive, on 10/10/2007, -0/+1@zybch and again @fishbert, please read the above comment by digg member wshs.
    It seems the key fob is less secure than purported to be, yes?
    http://digg.com/users/wshs
  • CMiYC, on 10/10/2007, -2/+3" effort to obtain personal information and/or items sold/purchased via the eBay site."
    I'm glad I just recently received my Paypal/EBay security Key...
    https://www.paypal.com/securitykey
  • DietMountainDew, on 10/10/2007, -0/+1Yeah, but just wait until the security key breaks (As Mine Did) and you're on the phone with an eBay supervisor trying to get the key code off of your account, and he has no idea what key you're talking about.

    Been there, never using PayPal security key again.
  • Burgerman851, on 10/10/2007, -0/+1It should be fine -- if you include the question mark.

    What was your user name, again?
  • inactive, on 10/10/2007, -0/+1Don't be stupid.
    Do you think that EVERY creditcard given out by any bank is actually going to have John Citizen as the name and 1234 5678 90etc etc as the card number as well??
  • foxhoundadmin, on 10/10/2007, -0/+1heh... UNinstalling or "NEVERinstalling" ANYTHING "alexa" is an inherently geeky thing! ;)
  • fishbert, on 10/10/2007, -0/+1beg to differ...
    http://pages.ebay.com/securitycenter/security_key.html
    http://pages.ebay.com/securitykey/faq.html#3
  • Mutiny32, on 10/10/2007, -0/+1Whew, I'm glad they aren't getting DDoSed, my companysells/supports their firewalls and I just got off of work.
  • sjbdallas, on 10/10/2007, -1/+2You were being dugg down for some reason but I get your point. This sounds more like an advertisement for whatever Alladin is selling. I've never heard of them so i'm inclined to bury the whole story as SPAM.
  • Fetching more discussions...
    Show 51 - 82 of 82 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.