A trojan called Bayrob is capable of presenting fake eBay pages even after you have logged in to the real eBay site. It works by changing files on your computer so that when you click on a link on eBay it seamlessly directs you to a fake site. Users should, as always, make sure their anti-virus software is up to date and be cautious of clicking on links and attachments unless they are sure they are legitimate.
The trojan performs what’s known as a “man in the middle” attack. Normally hackers attempt to trick you into logging on to a fake site in attacks known as phishing and pharming, but this new approach is harder for the user to detect. It also has the potential to bypass the security of the new PayPal Verisign tokens, which generate a unique one-time password whenever you log on.
The trojan acts as a local proxy server on your PC and directs traffic bound for eBay through this local proxy. To force traffic through its proxy server instead of directly to eBay, it changes the hosts file. Normally when you access a website such as my.ebay.com your computer looks up the correct IP address over the Internet from a Domain Name System (DNS) server. Once the trojan has edited your local hosts file, your computer relies on that file instead of checking online. This enables the trojan to direct you to any website it wishes instead of the legitimate site.
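An added example, not from the original post or from Symantec: a defender-side audit that parses hosts-file text and reports every entry that overrides DNS for eBay or PayPal names, marking those that point at a loopback address. The watched-domain list, the loopback check and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains worth watching; the page mentions my.ebay.com and PayPal.
WATCHED = ("ebay.com", "paypal.com")

# Constructed sample hosts content (not taken from a real infection).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       my.ebay.com signin.ebay.com   # constructed entry
203.0.113.7     www.paypal.com
192.168.1.10    fileserver.lan
not-an-ip       cgi.ebay.com
"""

def is_watched(host, watched=WATCHED):
    """True if host is a watched domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, address, hostname, is_loopback) for every hosts
    entry that overrides DNS for a watched domain."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split fields
        if len(entry) < 2:
            continue                           # blank or comment-only line
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                           # skip lines without a valid address
        for host in entry[1:]:                 # one address may carry several names
            if is_watched(host, watched):
                findings.append((line_no, str(addr), host.lower(), addr.is_loopback))
    return findings

if __name__ == "__main__":
    # To audit a real machine, pass the contents of its hosts file instead
    # (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix).
    for line_no, addr, host, loopback in audit_hosts(SAMPLE_HOSTS):
        note = "loopback, possible local proxy" if loopback else "static override"
        print(f"line {line_no}: {host} -> {addr} [{note}]")
```

A clean machine normally has no hosts entries for these domains at all, so any finding is worth investigating, not only the loopback ones.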
Now that the trojan can direct a user to a fake website even though they logged on to the legitimate site, fake pages can be sent. For instance, Symantec has a screenshot of a fake “Ask seller a question” page and even a fake feedback page, which the trojan could use to convince you of a legitimate transaction.
Symantec are still working to unravel the full functionality of the trojan and conclude “The exact motive behind the Trojan is still a mystery since at the time of writing the servers are not sending down the %item_number% and %seller_name% variables that may show which auction the user should be redirected to, and without which, the Trojan will not start to show fake pages.” They promise updates as soon as they have more information.
In the meantime, as always, we suggest keeping your anti-virus software up to date, not opening email attachments unless you know who they are from and what they are, and not visiting websites or clicking on any links unless you trust the sites they relate to.