A new threat against visitors to eBay Motors from a Trojan attempts to use a man in the middle attack that seems to do more than just phish a username and password from people.
The problem right now is researchers at Symantec, which discussed the Trojan.Bayrob attack, aren’t sure what the attackers may be trying to accomplish.
Whatever it is can’t be good for people whose systems pick up this new bit of nastiness. Symantec said in its Security Response Blog that the attempted use of a man in the middle attack in this manner is “very unusual.”
When the Trojan infects a system, it implements a local proxy server that listens on port 80, the default port for http traffic. It alters the local etc/hosts file to force traffic through the proxy if the user tries to visit one of these URLs:
My.ebay.com
Cgi.ebay.com
Offer.ebay.com
Feedback.ebay.com
Motors.search.ebay.com
Search.ebay.com
The Trojan then connects to one of several other servers to grab files. These will be used to deliver the fake eBay pages in the browser window. Symantec said the Trojan downloads ten fake pages, but that number could change.
One of those fake pages shows a high feedback rating. Since eBay visitors tend to rely on feedback to determine if they should bid or not on an auction, a deceptive feedback rating could dupe them into bidding and finishing a transaction.
“The exact motive behind the Trojan is still a mystery since at the time of writing the servers are not sending down the %item_number% and %seller_name% variables that may show which auction the user should be redirected to, and without which, the Trojan will not start to show fake pages,” said Symantec.
—
