The eBay villagers are whispering that he can creep through eBay's internal databases and suck the lifeblood of customer accounts—log-ins and passwords—right out of their pulsing, 222 million-plus customer heart. He's putting up bogus listings as fast as eBay can take them down, and that proves he's walked through a security hole as big as a barn door.
No, eBay insists, this hacker, this Romanian wiseguy who goes by the handle Vladuz, is "nothing new." He's just another phisher, says eBay spokeswoman Catherine England, one of hundreds the huge auction site has to deal with constantly.
He may be getting loads of publicity from posting onto eBay forums as a service rep and taunting eBay—"Durzy is full OF sh*t," he wrote about eBay spokesperson Hani Durzy in a February posting after Durzy said that Vladuz had not accessed internal systems. But that just means he got lucky once and hit upon an internal e-mail that had a screenshot containing customer service reps' e-mail account information, eBay maintains.
Some eBay watchers attribute eBay's recent crackdown on cross-border sales to the recent spike in hijacked accounts. The spike in traffic might not be wholly attributable to Vladuz's work, but he or she is being credited for most of it. The multitalented hacker is leaving a calling card behind with his or her name, spelled backwards, attached to malicious code injected in live auctions. He's taunting eBay by posting to its forums as a customer service rep. His name is associated with a company name that is in turn associated with eBay hacking tools being found for sale online.
Hijacked accounts occur after phishers weasel log-in names and passwords out of legitimate eBay account holders and then use them to run auctions that look like they're taking place in a country with a reputation for legitimate sales, such as the United States or Canada.
This is nothing new, but eBay watchers say the number of hijacked accounts and their changed behavior makes it begin to look as if somebody had set up tools to automatically skim customer accounts from eBay's internal accounts—and such are Vladuz's reputation and braggadocio, at this point, that experts believe he or she could be responsible.
eBay watchers say the trigger for the spike was eBay's recent crackdown on counterfeit goods being sold from countries notorious for it, such as China. Like rats leaving a sinking ship, the thinking goes, crooks such as Vladuz are turning to hijacked accounts because the counterfeit e-business has gone belly-up.
"In the last few months, eBay has really taken a look at the trust and safety of our marketplace and our Web site," England told eWEEK. "We've been incorporating a lot of new measures. My understanding is it's been a little frustrating for this fellow. He's spent some quality time poking around our site and trying to find a way in. He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink—when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"
Lies, lies, lies, says online auction activist Rosalinda Baldwin, who runs an auction watchdog group called The Auction Guild (TAG).
"There's always been phishing [attempts to get account information and second-chance offers made to bidders who didn't win] and other fraud going on," she said. "It became huge mid-December [when eBay began to prevent Chinese sellers from selling to eBay U.S., eBay Canada, etc.]. It seems to have been the trigger: [The collection of phishing attempts and hijacked accounts] went from one without pattern to one" that definitely showed a pattern, she said.
"I know eBay pretty well," Baldwin said. "They can use all the excuses and lies they want, but they have yet to explain how what is happening on this site could be happening if what I'm saying is not true: that somebody has access to the back end."
Quantifying the hijacking of accounts is another eBay watcher, Genie Livingstone. Livingstone is a PHP programmer and runs the Internet host and domain name registration site Dotyou.Com.
Here's an example (check out the five links at the bottom) of the Web monitors, based on RSS eBay tools, that Dotyou.com is using to track eBay scam auctions in real time. Livingstone is also tracking eBay listing totals on MedVed.net.
What she's found for the past few weeks is that the daily count of eBay listings has been "a series of sharp spikes of 1 [million] to 3 million items, instead of the usual gradual curve that reflects items being listed and sold," she said.
The seesawing appears, she said, "as if someone is flooding the site with hacked listings that eBay is pulling down, only to have them immediately relisted, only to have them pulled down, etc., etc."
This is MedVed's graph for eBay listings in February 2007, compared with February 2006. Notice the seesawing that begins on Feb. 22, 2007, with sharp increases and decreases that are of equal value, as if the same number of listings are being posted, delisted and posted again, in multiple daily cycles.
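The seesaw Livingstone describes (a smooth listing curve that suddenly turns into same-sized up-and-down swings) is the kind of signal a marketplace's own monitoring can flag without any knowledge of who is behind it. The following is an added example, not code from the article, from MedVed.net or from eBay: it takes a daily series of listing totals, computes day-over-day changes, and reports runs where consecutive changes alternate in sign and match in size within a tolerance. The daily totals are constructed for illustration and are not real eBay figures; the thresholds are assumptions a monitoring team would tune to its own baseline.

```python
"""Flag "seesaw" runs in a daily listing-count series.

A seesaw run is a stretch of consecutive day-over-day deltas that
(1) alternate in sign, (2) each exceed min_swing in size, and
(3) are within `tolerance` (a fraction) of each other in magnitude,
which is what repeated bulk post / delist / repost cycles would look like.
Added example; the sample data below is constructed, not MedVed.net data.
"""
from typing import List, Tuple

# Constructed daily listing totals in millions (not real eBay numbers).
# Days 0-5: gradual growth. From day 6 on: alternating ~+2M / ~-2M swings.
DAILY_TOTALS_M: List[float] = [
    10.0, 10.2, 10.4, 10.5, 10.7, 10.8,   # smooth baseline
    12.8, 10.8, 12.9, 10.7, 12.8, 10.9,   # seesaw: post, delist, repost ...
]


def day_over_day_deltas(totals: List[float]) -> List[float]:
    """Return totals[t+1] - totals[t] for every consecutive pair of days."""
    return [later - earlier for earlier, later in zip(totals, totals[1:])]


def _alternating_pair(a: float, b: float, min_swing: float, tolerance: float) -> bool:
    """True if two consecutive deltas look like one half-cycle of a seesaw."""
    if abs(a) < min_swing or abs(b) < min_swing:
        return False                      # too small to be a bulk batch
    if a * b >= 0:
        return False                      # same direction: not a swing back
    size_gap = abs(abs(a) - abs(b))
    return size_gap <= tolerance * max(abs(a), abs(b))


def find_seesaw_runs(totals: List[float], min_swing: float = 1.0,
                     tolerance: float = 0.15, min_cycles: int = 2
                     ) -> List[Tuple[int, int, int]]:
    """Return (start_day, end_day, cycles) for each qualifying seesaw run.

    start_day/end_day index into `totals`; cycles is the number of complete
    up-then-down (or down-then-up) pairs inside the run.
    """
    deltas = day_over_day_deltas(totals)
    runs: List[Tuple[int, int, int]] = []
    i = 0
    while i < len(deltas) - 1:
        j = i
        # Extend the run while each adjacent pair of deltas still alternates.
        while j + 1 < len(deltas) and _alternating_pair(
                deltas[j], deltas[j + 1], min_swing, tolerance):
            j += 1
        if j > i:
            n_deltas = j - i + 1
            cycles = n_deltas // 2
            if cycles >= min_cycles:
                # Delta k spans day k -> day k+1, so the run covers days i..j+1.
                runs.append((i, j + 1, cycles))
            i = j + 1
        else:
            i += 1
    return runs


if __name__ == "__main__":
    for start, end, cycles in find_seesaw_runs(DAILY_TOTALS_M):
        print(f"seesaw from day {start} to day {end}: {cycles} full cycles")
```

On the constructed series the smooth first week produces no alert, while the swings from day 6 onward are reported as one run of three full cycles. In practice the interesting follow-up is not the count itself but correlating the swing size with how many listings the site's takedown tooling removed in the same window, which is exactly the comparison England says had not yet been made.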
eBays England said that she looked into site activity over the past six months and found "absolutely no significant movement in number of account takeovers." However, she has not yet looked into the flux of listings numbers, she said.
Still, she insists, there's nothing new to see here, even if Livingstone credits eBay with having perfected automated tools to remove the bogus listings, which recently have been coming down after only 30 seconds.
"We've had a variety of automated tools in place for a long time," said England, in San Jose, Calif. "This is nothing new. I wish I could say it's some big, exciting thing. It's your standard, typical phishing scam that's been happening a long, long time. I think this person, because [he or she] went on discussion boards and posed as an employee, it got more attention. The reality is these scams have been around years and years. As [we] shut these guys down, they adapt. They're obviously intelligent people. But as they evolve, so do we."