There have been a number of stories in the press regarding Aladdin Software’s discovery of a botnet which is attempting to guess eBay user names and passwords. A “bot” is a computer which has been compromised and which a hacker can use to hide their real identity – any attack appears to come from the compromised computer. A “botnet” is an automated tool distributed across hundreds of compromised computers to attack websites. This botnet is using the eBay API (Application Program Interface, which lets third party applications talk to eBay) and sending user name and password pairs to see if they work.
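As an added illustration (not from the original post, nor eBay's or Aladdin's code), here is a simple defender-side check in Python over constructed sample API login records. It shows why a per-IP lockout never fires when a botnet spreads its guesses across many compromised hosts, and how counting distinct failing sources per account, and successes that follow them, exposes the pattern:

```python
from collections import defaultdict

# Constructed sample login records: (source_ip, account, success).
# Made up for this example; they are not real eBay API logs.
EVENTS = [
    ("10.0.0.1", "alice", False),
    ("10.0.0.2", "alice", False),
    ("10.0.0.3", "alice", False),
    ("10.0.0.4", "alice", False),
    ("10.0.0.5", "alice", True),   # guess finally worked from yet another host
    ("10.0.0.6", "bob", False),
    ("10.0.0.6", "bob", True),     # ordinary user mistyping once
    ("10.0.0.7", "carol", False),
    ("10.0.0.8", "carol", False),
    ("10.0.0.9", "carol", False),
    ("10.0.0.1", "dave", False),
]


def analyse(events, min_sources=3, per_ip_lockout=3):
    """Return (distributed, locked_ips, suspected_takeover).

    distributed: accounts with failed logins from >= min_sources distinct IPs,
                 mapped to that count (the botnet signature).
    locked_ips:  IPs that a classic per-IP lockout would have blocked.
    suspected_takeover: accounts whose success came after distributed failures.
    """
    failed_sources = defaultdict(set)   # account -> set of failing source IPs
    per_ip_failures = defaultdict(int)  # source IP -> failure count
    suspected_takeover = set()
    for ip, account, ok in events:
        if ok:
            if len(failed_sources.get(account, ())) >= min_sources:
                suspected_takeover.add(account)
        else:
            failed_sources[account].add(ip)
            per_ip_failures[ip] += 1
    distributed = {a: len(s) for a, s in failed_sources.items()
                   if len(s) >= min_sources}
    locked_ips = sorted(ip for ip, n in per_ip_failures.items()
                        if n >= per_ip_lockout)
    return distributed, locked_ips, suspected_takeover
```

On the sample above the per-IP lockout blocks nothing, while the per-account view flags alice and carol and marks alice's later success as a likely takeover.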
Aladdin is reporting this incident as if it was a new phenomenon, and many other sites are repeating the story. eBay told TameBay:
“We find it very concerning that “security firms” like Aladdin describe well-known techniques used by bots and other identity-theft tools as “new” or “first of its kind.” eBay has been protecting its site from attacks like this for the past several years and works with a wide variety of leaders in the anti-virus software industry to share information and best practices.”
eBay also masks all sensitive financial information, so if a user’s computer and the sign-in credentials they use on eBay are compromised by whatever means, their sensitive financial data is still protected, reducing the possibility of ID theft.
The long-awaited PayPal security key (which is available in the US) would go a long way towards addressing account takeovers and would render attacks such as the current one useless. Even the one-time passwords from the security key are not a complete solution, though: it’s an ongoing battle that neither side can conclusively win. As companies like eBay put new defences in place, hackers work to circumvent them.
As always, it’s the users themselves who can do most to protect their accounts: strong passwords using upper and lower case letters and numbers go a long way towards making passwords impossible to guess with a brute force attack. eBay has advice on how to choose a secure password that’s memorable, as well as some tips on what types of password to avoid.