E-mails with legitimate slide shows of cars for sale on eBay are quietly dropping a Trojan that redirects a victim when he or she clicks on a link to a legitimate auction. If the victim bids, his or her money winds up going to the criminal with no car going anywhere.
Symantec says if the infected recipient decides to check on the seller's ratings page, the Trojan.Bayrob file also presents a fake feedback page that raves about the seller.
Symantec calls this man-in-the-middle attack "very unusual" and also "difficult to code correctly." The security company first blogged about the attack on March 5 but has since uncovered more details of how it works.
Symantec says that the e-mail probably contains two crucial components: a link to a real eBay auction and an executable. The executable drops two files into a temp folder: a legitimate slide show of the car being auctioned and the Trojan.Bayrob file.
In a typical attack, a victim receives an e-mail about a car for sale, opens it and runs the attachment. As he or she is viewing the photos, the Trojan has already been installed. The victim decides he or she is interested in the car and clicks on the link to the real eBay auction.
In the background, Trojan.Bayrob is directing Web traffic bound for eBay through a local proxy server, which listens on local host port 80. To accomplish that, Symantec found, the Trojan changes files on the infected PC to force traffic bound for these sites through the local proxy server:
"My.ebay.com Cgi.ebay.com Offer.ebay.com Feedback.ebay.com Motors.search.ebay.com Search.ebay.com"
Next, the Trojan connects to these servers and downloads configuration data and an updated list of the control servers if possible:
"Superdigitalprices.com Wai-k-mart.com Wal-stop-mart.com Onemoreshoot.com Jdo24nrojseklehfn.com"
These sites have all been taken offline since Symantec first starting tracking the Trojan. Symantec says that the servers were clones of each other, each containing these scripts:
"Var.php Cfp.php Hst.php Var-user.php Ping.php Isup.php Ban.php Setvar.php Getip.php Hostname.php Hst-user.php Exe.php Contact.php"
The var.php script downloads variables including tokenized versions of legitimate eBay pages.
Meanwhile, the victim, if having checked the feedback page, is reading a fake page that claims that the seller is genuine and trustworthy.
"At this point, the attack is almost complete," Symantec's blog says. "All the attacker has to do now is wait for the victim to complete the purchase and for the money to arrive."
Although the controlling servers have been taken offline, Symantec says the attackers are sure to set up new ones.
How to avoid being victimized? As always, never click on e-mail attachments from sources you don't trust.
eBay hadn't responded to a request for feedback by the time this was posted, but the online auction giant reportedly knows about the issue and is working with Symantec to stop the spread of infection.
eBay is a favorite target for criminals. It's been enjoying the attentions of Romanian criminals in particular, with one by the name of Vladuz giving the company headaches for months now. Check out this slideshow to see Vladuz's handiwork.