Hackers still exploiting eBay’s stored XSS vulnerabilities in 2017

Fraudsters are still exploiting eBay's persistent cross-site scripting vulnerabilities to steal account credentials, years after a series of similar attacks took place. Worse still, many of the listings that exploited these vulnerabilities remained on eBay's website for more than a month before they were eventually removed.

All of the attacks stem from the fact that eBay allowed fraudsters to include malicious JavaScript in auction descriptions. Previous attacks exploited this vulnerability to place malicious redirect code on high-value vehicle listings, with the intention of stealing login credentials from other eBay members, whose accounts could then be used to list even more fraudulent vehicle listings.

But fraudsters are now using malicious scripts on a wide variety of lower-value items, including legitimate listings that had already been posted from reputable eBay accounts. Fraudsters have seemingly compromised these accounts and appended additional information to many of the members' existing listings – and this is where the malicious JavaScript is placed.

As can be seen below, the cybercriminals even used listings of dental tools to extract credentials from their victims, bypassing eBay's toothless listing policies in a similar way to the attacks that took place a few years ago.

A compromised listing for a dental tool from a Chinese seller as it appeared in eBay search results.

Clicking on the above listing took the user to the following page, which included malicious JavaScript that had been injected by the fraudster:

The malicious listing is displayed for only a split second

But the malicious code in this listing executes as soon as the page has loaded, which causes it to be displayed for only a split second. In the blink of an eye — and without any further interaction — the victim is redirected to a spoofed login form:

In the blink of an eye, the victim is redirected to a very-convincing spoof login form.

Victims are unlikely to expect a phishing form to appear as a result of clicking on an eBay search result, and so the efficacy of these attacks is likely to be far greater than the average phishing scam. Allowing listings to include arbitrary JavaScript not only facilitates this type of fraud, but also allows fraudsters to capitalize on the trust instilled by the eBay website.

In this particular example, the malicious code injected by the attacker was obfuscated to make its purpose less apparent – possibly to get around any text-based content filters implemented by eBay. The obfuscated script is used to load a much larger JavaScript payload from an external location at user54631.vs.easily.co.uk/v.js (this script, which was hosted by Easily, has since been removed).

Lightly-obfuscated malicious JavaScript as it appeared in an eBay listing

The externally-hosted script redirected victims to a data URI, which is another trick sometimes used by cybercriminals: The Base64-encoded address makes it difficult for victims to report such attacks, as by this point, the page is ostensibly not hosted anywhere.

When the victim submits his username and password, the credentials are transmitted to a script at daviddouglas.co.uk/session.php?/ws/eBayISAPI.dll?co_partnerId=2&siteid=3&UsingSSL=1 (which has also since been taken down). This PHP script receives the victim's credentials and then immediately redirects the victim to a page on the genuine eBay website, giving the impression that the listing that the victim originally attempted to visit is no longer available:

The victim is redirected to a non-existent listing after his credentials have been stolen.

The victim may not realise it — as his browser never showed the address of any externally hosted websites — but at this point, his credentials will have already been stolen by the fraudster's PHP script.

The fraudsters behind these attacks can attempt to monetize these stolen credentials by selling them to other fraudsters, or use them to propagate malicious code into even more listings. In the dental tool example, malicious JavaScript was added to the listing on 8 December 2016, and remained there until late January 2017, giving the fraudster more than a month and a half to exploit the vulnerability.

The malicious script (not visible) was added on 8 December 2016, and eBay continued to serve it for a month and a half.

The compromised seller account involved in the above attack had over a thousand of its listings infected with malicious JavaScript, many of which flew under eBay's radar for more than a month, despite having obvious malicious intentions. The only deterrent is eBay's JavaScript policy, which disallows the use of JavaScript redirects – but this is evidently not entirely effective, as it failed to prevent it being exploited for extended periods, and fraudsters will obviously not care about breaking policies that are not proactively enforced.

These latest listings were reported to Netcraft by "Jaco Bustero". Although this pseudonym is very similar to "Buster Jack" — who discovered a series of related scams in 2014 — they are, in fact, different people in the UK. Both hide behind pseudonyms because of valid concerns about their own safety – for instance, Buster Jack's efforts to combat vehicle fraud have earned him several death threats from the perpetrators of these crimes.

But fortunately, the end of script-based attacks may soon be in sight on eBay. In an effort to make its listings mobile-friendly, eBay plans to limit the use of active content (such as JavaScript) at some point in 2017, before eventually blocking it altogether. If this is implemented as a technical control (for example, by using iframes with Content Security Policy and sandbox restrictions), then such attacks should become impossible to carry out against modern browsers.

The most recent attacks have taken place over the past 12 months, after eBay had responded to 'previous reports' of JavaScript-based attacks, when it claimed not to have found any fraudulent activity stemming from these cross-site scripting vulnerabilities.

In some cases, it could be that eBay is simply unaware of the fraud it is facilitating. When one customer phoned eBay Trust & Safety to report these redirect attacks, the eBay handler was unable to see the redirection due to security settings on their internal systems. Consequently, reporting such vulnerabilities to eBay can prove frustrating, as well as fruitless: When Jaco posted a similar warning to the eBay Motors community forum, he claims his message was quickly deleted.

A year ago, we predicted that it would be difficult to prevent this type of fraud when listings are still able to include arbitrary JavaScript. With these recent attacks proving eBay's interim measures are still insufficient to prevent abuse, only technically-enforced controls on the execution of JavaScript will finally put a stop to this fraud.

Posted by Paul Mutton on 17th February, 2017 in Security

I went to London and saw the Queen

Pussycat, Pussycat, where have you been? I've been to London and saw the Queen.

Yesterday, I went to the opening of the National Cyber Security Centre by Her Majesty the Queen and HRH the Duke of Edinburgh. This was a more exclusive event than I had expected, and guests outside the NCSC were royalty, ministers, senior civil servants & people running NCSC partner companies.

The NCSC showed our countermeasures system to disrupt malware, phishing and advance fee fraud to guests, though I don't know whether the Queen saw it, as she & Prince Philip had a private viewing of the demonstrations.

I was introduced to the Queen and HRH Duke of Edinburgh, which I hadn't anticipated, and there's a picture from the Royal Family's twitter feed of me telling the Queen (sadly out of the picture to the left) and the Duke of Edinburgh what we do & how it works. I sensed that they liked the notion of counterattacking and disrupting attacks as opposed to passively blocking them. And, although our business is spread all around the world, it felt good to be contributing to something that makes the UK a safer and better place.

HRH the Duke of Edinburgh asks how it works

I must say how impressive the Queen and the Duke of Edinburgh are and how good they were with people at the event. At 90 & 95 respectively, few, if any people can have had more experiences and in a world where some of the most powerful elected politicians seem completely frazzled, how urbane & reasonable our monarch appears by contrast.

Posted by Mike Prettejohn on 15th February, 2017 in Netcraft Services

Most Reliable Hosting Company Sites in January 2017

Rank	Performance Graph	OS	Outage hh:mm:ss	Failed Req%	DNS	Connect	First byte	Total
1	Qube Managed Services	Linux	0:00:00	0.000	0.144	0.059	0.119	0.119
2	CWCS	Linux	0:00:00	0.004	0.210	0.072	0.166	0.166
3	Netcetera	Linux	0:00:00	0.004	0.105	0.076	0.155	0.155
4	New York Internet	FreeBSD	0:00:00	0.008	0.350	0.026	0.056	0.235
5	Anexia	Linux	0:00:00	0.008	0.280	0.082	0.178	0.178
6	Hostname.cl	Linux	0:00:00	0.008	0.394	0.184	0.389	0.389
7	XILO Communications Ltd.	Linux	0:00:00	0.034	0.239	0.067	0.135	0.135
8	Aruba	Windows Server 2012	0:00:00	0.042	0.185	0.080	0.170	0.170
9	EveryCity	SmartOS	0:00:00	0.059	0.119	0.074	0.183	0.183
10	One.com	Linux	0:00:00	0.063	0.191	0.036	0.106	0.106

See full table

Qube Managed Services started the year in first place after responding successfully to all of Netcraft’s requests made during January 2017. This UK-based managed hosting provider has had one of the top ten most reliable hosting company websites ten times in the past 12 months, including three times at number one.

In second place is CWCS, which successfully responded to all but one of Netcraft's requests. CWCS narrowly beat Netcetera, with the same number of failed requests but with a faster average connection time of 0.072 seconds. CWCS is a UK-based managed hosting provider with data centres in Nottingham, London and Manchester, with additional facilities available in Dallas, Miami and Toronto.

Netcetera took third place, also with only one failed request, with an average connection time of 0.076 seconds. Netcetera, which is based on the Isle of Man, has been in the top ten for eight of the past 12 months, and five of these occasions saw it make its way into the top three.

Seven of the top ten most reliable hosting company sites in January 2017 were running Linux, with the remainder using FreeBSD, Windows Server 2012 and SmartOS.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Posted by Netcraft on 1st February, 2017 in Hosting, Performance

January 2017 Web Server Survey

In the January 2017 survey we received responses from 1,800,047,111 sites and 6,328,006 computers, reflecting a gain of 61 million sites and 159,000 computers.

Microsoft gained the largest number of sites this month – 38 million – although it was closely followed by Apache, which gained 32 million. Nearly 822 million sites (45.7%) are now powered by Microsoft webserver software.

Meanwhile, nginx gained 17 million sites, and has also continued to show strong and steady computer growth. This month's gain of 60,000 web-facing nginx computers was the largest seen by any vendor, outweighing Microsoft's and Apache's gains of 40,000 and 20,000. If last year's trends continue in 2017, it seems plausible to expect that nginx could overtake Microsoft to become the second largest vendor (by computers) in the second half of 2017.

Microsoft's latest version of Internet Information Services – IIS 10.0, which uses Windows Server 2016 as its primary platform – was found powering 45,000 websites this month. Future migration to IIS 10.0 may be slower than with previous IIS versions, however, as Microsoft announced Windows Server Premium Assurance in December 2016, which extends the support period from 10 to 16 years for existing Windows Server products. This means Premium Assurance customers will continue to receive security updates (as well as "critical" and "important" bulletins) for Windows Server 2008 until January 2026. In January 2017, more than 600 million sites are served from Windows Server 2008 machines.

Each of the other major server vendors released updates last month. nginx 1.11.7 mainline version was released on 13 December, followed by 1.11.8 on 27 December. Both releases included several bug fixes and a few new features.

The mainline 1.11.x branch of nginx is typically updated every 4-6 weeks and is aimed at users who require the latest features, whereas the 1.10.x stable branch is only updated when critical issues need to be fixed. Only two updates have been released on the stable branch since 1.10.0 was forked from mainline in April 2016. Stable is the most commonly used branch: nearly 24 million sites are using 1.10.x stable, compared with 2.2 million using 1.11.x mainline.

Apache 2.4.25 was released on 20 December 2016, incorporating security, feature and bug fixes (including many from the unreleased 2.4.24 version). The security fixes include a mitigation for issues caused by the httpoxy vulnerability, and better enforcement of the HTTP request grammar in RFC 7230 to reduce the likelihood of response splitting and cache pollution attacks.

While many sites still use older versions of Apache, such as the 2.2.x legacy versions, the Apache Project continues to point out that the latest release from the 2.4.x stable branch represents the best available version of Apache HTTP Server. Nonetheless, most sites—just over 100 million— report to be using 2.2.x legacy versions, compared with 69 million sites that use 2.4.x. The most commonly observed Apache Server banners are Apache/2.4.7 (Ubuntu) (36 million sites), followed by Apache/2.2.15 (CentOS) (25 million); however, these servers may not necessarily be as old and vulnerable as their version numbers imply. Netcraft previously discussed this "backporting" behaviour a few years ago.

LiteSpeed suffered the largest loss of sites this month, returning to October 2016 levels after plummeting by 42 million sites to leave a total of 5.5 million. Despite the large loss of sites, the number of web-facing computers using LiteSpeed increased modestly by 323 to 9,740. LiteSpeed 5.1.11 was released on 15 December, featuring improved caching and a few bug fixes.

December also saw the release of Tengine 2.2.0 development version, which came nearly two years after the previous development version, and a year after the most recent stable version. Not only does Tengine have a relatively sedate release cycle, but its latest version is based on nginx 1.8.1 (the final version of nginx's previous stable branch), which itself is already a year old.

Despite having relatively infrequent releases, 58 million sites are currently using Tengine. Most of these sites do not reveal which version has been installed, but among the 18 million that do, about two-thirds are using the relatively old 1.4.2 development version which was released in November 2012 and based on the nginx 1.2.x stable branch. Tengine was originally created by the Chinese marketplace Taobao, which modified the nginx core to better suit its requirements. It was released as an open source project in December 2011, and today sites under the taobao.com domain account for only 5% of its users.

Developer	December 2016	Percent	January 2017	Percent	Change
Microsoft	783,790,492	45.07%	821,905,283	45.66%	0.59
Apache	354,949,196	20.41%	387,211,503	21.51%	1.10
nginx	300,839,507	17.30%	317,398,317	17.63%	0.33
Google	18,602,544	1.07%	17,933,762	1.00%	-0.07

Continue reading →

Posted by Netcraft on 12th January, 2017 in Web Server Survey

Most Reliable Hosting Company Sites in December 2016

Rank	Performance Graph	OS	Outage hh:mm:ss	Failed Req%	DNS	Connect	First byte	Total
1	Netcetera	Linux	0:00:00	0.004	0.103	0.075	0.156	0.187
2	Qube Managed Services	Linux	0:00:00	0.021	0.143	0.058	0.117	0.117
3	XILO Communications Ltd.	Linux	0:00:00	0.021	0.222	0.066	0.132	0.132
4	Anexia	Linux	0:00:00	0.021	0.254	0.081	0.174	0.174
5	Aruba	Windows Server 2012	0:00:00	0.034	0.182	0.079	0.165	0.165
6	New York Internet	FreeBSD	0:00:00	0.038	0.343	0.026	0.055	0.232
7	One.com	Linux	0:00:00	0.038	0.192	0.038	0.109	0.109
8	krystal.co.uk	Linux	0:00:00	0.063	0.158	0.072	0.155	0.155
9	EveryCity	SmartOS	0:00:00	0.063	0.121	0.073	0.147	0.147
10	Webair Internet Development	Linux	0:00:00	0.092	0.156	0.051	0.110	0.111

See full table

Netcetera rounded off the year by having the most reliable hosting company site in December 2016, successfully responding to all but one of Netcraft's requests. In 2016, Netcetera made eight appearances in the top ten, reaching second place in February, March and June. Earlier in 2016, Netcetera celebrated 20 years of successful business, thanking its clients, including some that have been with the company since the day it opened.

Netcetera is based on the Isle of Man, a self-governing territory of the United Kingdom known for its low-tax economy. Netcetera's data centre, The Dataport, uses several energy-saving technologies including Free Air Cooling and virtualisation, which when coupled with carbon offsetting, make it a zero carbon data centre. This carbon-neutral approach is estimated to have saved more than two million kilograms of CO₂ to date.

Qube Managed Services took second place in December, with five failed requests. Qube also fared well over the course of 2016, with December marking its tenth appearance in the top ten, including two times at the top of the table, in March and October. Qube uses data centres in London, New York and Zurich to provide its cloud, colocation and managed services; and like Netcetera's website, Qube's is served from a Linux machine.

XILO Communications Ltd came third, also with five failed requests, but with a slower average connection time than Qube. XILO uses enterprise-class Dell hardware for its shared, reseller and cloud hosting services, and also made ten appearances in the top ten during 2016, which included a first place in July. Like Qube, XILO is headquartered in the UK and uses Linux to host its own website.

Seven of December's top ten most reliable hosting company sites were served from Linux machines, including Anexia's, which also had only five failed requests. The remainder used Windows Server 2012, FreeBSD and SmartOS. Linux was the most common operating system used amongst the top ten hosting provider sites over the course of 2016, with two months having a top ten that consisting entirely of Linux-powered websites.

Information on the measurement process and current measurements is available.

Posted by Netcraft on 3rd January, 2017 in Hosting, Performance

December 2016 Web Server Survey

In the December 2016 survey we received responses from 1,739,031,487 sites and 6,169,471 web-facing computers; this reflects a large increase of 302 million sites, but a small loss of 55,900 computers.

All three of the largest server vendors gained sites this month, with growth concentrated at a handful of lesser-known web hosting providers. These changes have triggered large jumps in market share, with nginx (+3.2 percentage points) and Microsoft (+1.6 p.p.) gaining, and Apache losing (-2.2 p.p.).

The growth in number of sites was not reflected in other metrics this month, however, with small drops being seen in both the total number of web-facing computers (-0.9%) and the number of active sites (-0.8%).

Nginx was the only major web server vendor to experience gains across all metrics this month, including active sites, web-facing computers, and the million busiest sites. It now stands only 390,000 computers (6 percentage points) behind second place Microsoft, having surpassed Microsoft in terms of active sites in January 2012, and the top million busiest sites in May 2013.

Previously the 10th most commonly seen web server in terms of active sites, “Webs.com/1.0”, has vanished this month after the website builder began using the Cloudflare CDN service. Cloudflare uses a customised version of nginx (cloudflare-nginx), that powered over 3.6 million active sites in the December survey.

Looking back over 2016, the total number of sites seen in the survey has grown significantly, from 900 million in January to 1.7 billion in December. Much of this growth can be attributed to Microsoft, which has gained more than 520 million hostnames and risen from 28.95% market share to 45.07%. However, the more stable active sites metric shows nginx grew the most this year, having increased by 4.8 million active sites and 2.85 percentage points of market share over the course of 2016.

The year also saw the notable rise of OpenResty: in January, OpenResty was being used by 760,000 sites, 200,000 active sites, and just 3,100 web-facing computers; but in September, tumblr.com switched from using nginx to OpenResty for millions of Tumblr blogs. The number of sites using OpenResty in December is now nearly 15 million, the number of active sites is 5.8 million, and the number of web-facing computers seen running OpenResty has increased to nearly 8,000. The server is now the 9th most popular by number of web-facing computers.

Microsoft’s newest web server software, IIS 10.0, was released this year although it is yet to make a significant impact in the number of sites. Windows Server 2016, the primary operating system for running IIS 10.0 was only fully released in October after months of preview releases; the December 2016 survey finds the operating system being used on 5,800 web-facing computers to host 18,250 sites.

Another notable arrival during 2016 were the hundreds of thousands of Western Digital My Cloud personal storage devices. These Network Attached Storage (NAS) devices run an Apache web server and each has a hostname on the wd2go.com domain. The fact that these devices are placed in end-users' homes, using less-stable home Internet connections, and more commonly powered off than a typical web server has increased the volatility of the Apache web-facing computer data. The December 2016 survey found 680,000 sites for these devices.

Developer	November 2016	Percent	December 2016	Percent	Change
Microsoft	625,173,664	43.51%	783,790,492	45.07%	1.56
Apache	324,174,417	22.56%	354,949,196	20.41%	-2.15
nginx	202,932,122	14.12%	300,839,507	17.30%	3.17
Google	20,689,273	1.44%	18,602,544	1.07%	-0.37

Continue reading →

Posted by Netcraft on 21st December, 2016 in Web Server Survey

« Previous 1 2 3 4 5 6 7 8 9 … 210 Next »

Share:

Share:

Share:

Share:

Share:

Share:

Advertisers Directory