Whois Vladuz eBay's Hacker

Thursday October 25 2007

 

Hacker taunts eBay with attacks

 
The auction site has been the target of a hacker called Vladuz, whose actions are causing concern to the website's users and owners alike.

 
Who is Vladuz? Since at least the start of this year, eBay has been looking for this hacker from eastern Europe. According to evidence seen by the Guardian, he is able to see the listings of and listen to telephone conference calls within eBay. Sources in the hacking community say that he claims to be listening in on some meetings held by eBay chief executive Meg Whitman.

 
Says eBay: "This fraudster is known to eBay, Romanian authorities and the US Secret Service who are all working towards securing an arrest and successful prosecution."

While the community mulls these issues, some have said that Vladuz could be more than one person. Another theory, perhaps both more likely and more frightening, is that there are more like him. "There are thousands of hackers. It doesn't make much sense that he'd be the only one out there," says AuctionBytes' Steiner. "It makes no sense to me that if these things are as wide open as he says, he would be the only one."

Thursday October 25 2007

What is known from the hacking community is that the individual is in his mid to late 20s and has a strong background in programming. He operates from Romania, where he was born, and has years of experience working in a corporate environment.

 
He also has a history of both operating and facilitating eBay-based scams. As early as 2004, someone calling themselves Vladuz was selling a set of PHP files designed to create phishing sites that would collect eBay data. "It is a very basic SDK [software development kit], allowing script kiddies to set up a phishing email scam," says Simon Heron, director of UK security company Network Box. "It sets up a website that uses as much as it can from the genuine eBay site to give it the right look and feel. The logon and password are sent to the scammer." In the readme file that he used to distribute the kit was the message: "Well go there and scam the fucking bastards! For ANY scam email me and I'll do it in max 30 hours."

 
While he has been in operation for several years, the spotlight has only recently fallen on Vladuz. He first came to notice in December, when Rosalinda Baldwin from The Auction Guild, an independent publisher that monitors eBay's activities (auctionguild.com), began seeing large numbers of fake auctions emerging from Chinese scammers using accounts hijacked from their real owners. "Researching that, I came across the name Vladuz in association with someone writing programs that Chinese hackers were using and building on to do these hijacks," she alleges.

September 26, 2007

We’re getting reports in our inbox this morning that the names, addresses, email addresses, credit card numbers and expiry dates, Paypal email addresses, associated eBay user ID and other information about more than 1,200 eBay users was posted to eBay’s Trust and Safety forum on Tuesday. The information, most of which appears to be valid, was still being posted when eBay shut down the forum about an hour and a half later. This eBay forum, which now spans 27 pages, shows the panicked reactions of eBay users when informed of the leak by other members.

Where the information came from remains to be seen. eBay says in a blog posting dated Tuesday that the data may not be new, but most likely comes from “previous account takeovers”. They’re denying allegations of a “hack”, and claim that the credit card information does not correspond to the information that either Paypal or eBay has stored for those users.

eBay didn’t comment on whether the malicious user was “Vladuz”, a member who claimed to have hacked eBay last December, and who successfully posted to the forums in February and March using a special account type reserved for eBay employees - eBay admitted at that time that some customer service accounts had been compromised, but not user data, says AuctionBytes.

September 25, 2007

You can find a partial list of compromised ID's here. As stated in the list, if your name isn't here, it doesn't mean you are safe! http://tinyurl.com/35n4tu

updated
on:August 10 2007

 April 27,
2005 -

eBay hacker jailed

September 25th 2007 event -

Auction Guild's article about it
From Steve-O-Meter.com
PLMK.com's collection/contributions
Thread one
Thread Two
The Guardian's take on it
AuctionByte's take on it
eBay's take on it
FireMeg.com
IDG's take on it

October's
2007 event -
AuctionByte's article on it
Thread

March 10, 2007 Over the past two months, the volatility in the number of auctions being posted and then pulled has skyrocketed. Critics say the spike is a result of a security hole in eBay's system that allows cyber-crooks to take over established accounts at will and post a flurry of fraudulent auctions. Once eBay's security team catches wind of the scams, the postings are removed, creating the sudden declines in listings.

 
eBay spokeswoman Nichola Sharpe said company security employees are taking measures to put a stop to Vladuz's intrusions. "We are in the process of putting lots of behind-the-scenes things in place to stop him," she said. "We're as confident as we can be" that the measures will work. Sharpe said members of the security team know exactly how the perpetrator is breaching the network. She declined to describe that method or to elaborate of the fixes being implemented.

Wednesday, March 07, 2007
Some eBay watchers attribute eBay's recent crackdown on cross-border sales for the recent spike in hijacked accounts.

Hijacked accounts occur after phishers weasel log-in names and passwords out of legitimate eBay account holders and then use them to run auctions that look like they're taking place in a country with a reputation for legitimate sales, such as the United States or Canada.

They're doing so, the eBay watchers say, because eBay cracked down on counterfeit goods being sold from countries notorious for it, such as China.

Like rats leaving a sinking ship, the thinking goes, crooks are turning to hijacked accounts because the counterfeit e-business has gone belly-up.

"In the last few months, eBay has really taken a look at the trust and safety of our marketplace and our Web site," England told eWEEK. "We've been incorporating a lot of new measures. My understanding is it's been a little frustrating for this fellow. He's spent some quality time poking around our site and trying to find a way in. He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink — when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"

Lies, lies, lies, says online auction activist Rosalinda Baldwin, who runs an auction watchdog group called The Auction Guild (TAG).

"There's always been phishing [attempts to get account information and second-chance offers made to bidders who didn't win] and other fraud going on," she said. "It became huge mid-December [when eBay began to prevent Chinese sellers from selling to eBay U.S., eBay Canada, etc.]. It seems to have been the trigger: [The collection of phishing attempts and hijacked accounts] went from one without pattern to one" that definitely showed a pattern, she said.

"I know eBay pretty well," Baldwin said. "They can use all the excuses and lies they want, but they have yet to explain how what is happening on this site could be happening if what I'm saying is not true: that somebody has access to the back end."

March 6, 2007

 

The auction behemoth is being skewered by Vladuz, the Romanian impaler, and the e-villagers are whispering that he's sucking customer and service rep account lifeblood directly from eBay's internal databases. Is he that spookily talented, or is he just another, albeit talented and lucky, phisher who also stumbled on an e-mail with internal accounts?[q url="http://redtape.msnbc.com/2007/03/how_far_has_vla.html"]Friday, March 2, 2007

There is no disputing that a hacker who goes by the name Vladuz has at the very least become a public nuisance to eBay. But some observers think the hacks Vladuz has pulled off reveal a much deeper problem at the auction giant.

 
Vladuz claims to have broken into eBay’s computers, imperiling the integrity of auction site’s entire system of buying and selling. And the hacker has provided some evidence, last week posting messages to eBay's Web site while posing as employees of the site.

 
Vladuz demonstrated the hack by posting notes on the customer service bulletin board using the same bold pink background used by actual eBay employees.

February 23, 2007

A person eBay called a "known Romanian fraudster going by the handle Vladuz" appeared again on discussion boards on eBay's German site. This time, he created or possibly renamed an eBay customer service representative's User ID and posted under the name "vladuzsgi."

 
AuctionBytes first reported on an incident involving Vladuz on Thursday February 22, 2007

after eBay acknowledged that someone had gained access to a handful of customer service representatives' email accounts, without having accessed any customer data.

Friday 23rd February 2007

Like all good conspiracy theories, eBay's denials of anything more than a limited security breach has only fueled suspicions that something much more nefarious was afoot. "Nothing is compromised at eBay!" one forum participant, with just a bit of sarcasm, wrote shortly after Vladuz made his most recent appearance.
 
Even Vladuz couldn't resist registering his skepticism about a cover up. After quoting statements eBay spokesman Hani Durzy recently made to the effect that the hacker had only limited access, the intruder retorted: "Oh really? Crappy email servers, they seem to be linked to the main ebay servers, including financial servers.
 
According to Katherine Carington Smith, who is affiliated with the eBay-related blog Pheebay.com, this is the third time Vladuz has been able to enter eBay forums and make "pink postings," a reference to the color of borders designating comments from eBay officials.
 
Durzy says eBay officials have been working with the US Secret Service and law enforcement officials in Romania to close in on Vladuz. "We're still working with law enforcement to try to bring this guy to justice," he said.
 
eBay officials quickly removed the postings, but not before we took screen shots. Shortly after the posting of this article, Vladuz graced the German pages of an eBay forum. eBaymotorssucks.com has those screenshots  here.

February 22, 2007

eBay spokesperson Hani Durzy told AuctionBytes on Wednesday that at no time did the fraudster have access to any member's personal or financial information. Durzy said a Romanian had obtained access to a handful of email accounts from some customer service representatives. The only information he had access to was information contained in emails, which did include some screenshots of some backend tools, Durzy said. Email servers are kept separate from servers hosting member data, he said.

 

eBay has a policy that prohibits employees from putting customers' financial information in emails, such as credit card numbers or social security numbers (street addresses do not fall under that policy, Durzy said, since that is already in the public domain). eBay customer service representatives are trained about what they can and can't put in emails.

Durzy claims the perpetrator was a "known Romanian fraudster" going by the handle Vladuz. "Our number one priority is to see him caught and locked up," Durzy said.

Over the past few weeks, eBay had removed multiple threads from its discussion boards in which members discussed the Vladuz incident, including on its German and UK sites. But users kept the pressure on eBay by discussing Vladuz on their own sites that sport such quirky names as FireMeg.blogspot.com, PheeBay.com and eBayMotorsSucks.com. Durzy said eBay forum threads were removed because they included the screenshots that had been obtained illegally. "We do not allow people to link to that information on our boards."

Asked why eBay did not address member concerns in the discussion boards, Durzy said it would not be appropriate for him to comment on a specific case, but said eBay makes decisions that are in the interest of the marketplace as a whole.

Simon Heron - Managing Director, Network Box UK [2007.07.09]

The general trend this year will be to see Spam, phishing and keyloggers on the increase. With the Rock Phish group and Storm malware creating large botnets for hire, it seems likely that the security industry will have their work cut out to keep customers safe from the various ploys to deceive and steal from them.

There is a lot of evidence (Google Online Security Blog) showing that the newest form of attack is via infected websites. Whether these are sites that have been infected (see The Register: Cyber crooks hijack 10,000 websites) or sites set up deliberately for the purpose of infecting visitors, this is currently the preferred way of installing malware. This is largely because hackers are finding it increasingly difficult to infect machines via email given the increased defence in depth that is being deployed by users. However, users are still not protected in depth with anti-virus systems that scan http traffic and are still not savy to the threats posed by illegitimate websites.

With the continued expansion of botnets many are being used to host these websites as it is possible to keep moving the websites as they are discovered and shutdown. This is a trend that will continue as sites are closed down more quickly by authorities.

Voice over IP (VoIP) is continuing to grow and is always being highlighted as the next significant threat vector but it seems likely that a degree of consolidation will have to occur to make it worthwhile for hackers to attack. As with IM, hackers will find it difficult to target companies while they are all using different manufacturers and slightly different implementations in the same way that IM has proved difficult to attack. However, if the take up of VoIP is as steep as projected it seems that a DDoS attack would effectively take out not just data but voice as well on companies that are susceptible. As discussed above, the issue will be if the monetary gain for the risk involved will mean that attacks will be made.

More money will be spent on business communications in 2007/8 and this will result in greater spend on security as the amount of data increases. The Radicati Group forecasts that the data that a typical corporate email account will receive by 2010 will grow from 16MB today to 21MB per user per day, an increase of over 30%. Most companies now accept that their Internet connectivity is absolutely critical to their business and even delays in emails are now becoming a major concern despite the fact that email does not guarantee a timed delivery.

Many have considered that the massive increase in Spam over the past few years would see the end of the email revolution but it seems that end users' impression is not one of being deluged. This is thanks to the efforts of the industry and its general effectiveness in detecting and blocking Spam. While the battle will go on through 2007/2008, it does seem that the Spammers are not having it all their own way and email is still tremendously popular in business communication.