Has EBay Been Hacked????

I just received an email purporting to be from EBay.  The click-here link goes to South Korea.  Nothing unusual so far.

The unusual part is that this email included a notice that my card was expired (it was) and I owed $1.15 for a recent auction.  Even worse is that it included the last four digits of my old card.

I sent it to EBay and they responded that it is not legit and they will check into it (through an auto-generated email).  If EBay has not been hacked what could have exposed this information? I am running SuperAntiSpyware now and have found three things - Adware tracking cookie, Trojan Security Toolbar, and Parasite Spyaxe Installer.

I have been regularly running AVG, Adaware, and Spybot and everything was clean as of the last check a few days ago.  I am going to run AVG again and see if a virus is indicated.  Any other suggestions?  Any idea how?
Asked by: slink9

Lee W, MVP, Technology and Business Process Advisor, Commented:
Of course it's POSSIBLE they were hacked... but I think it's more probable that you were... and keep in mind - those messages go out to THOUSANDS and THOUSANDS of people - picking a random set of 4 numbers means at least 1 in 10000 will match.

slink9 (Author) Commented:
I have run CWShredder and HijackThis and nothing is unusual.  The only thing that I saw under HT was a reassignment of the DNS, but both of those IPs are located in NC (along with my ISP).

As far as random numbers go, sure they could get the last four digits right.  How could they get the balance?

I would tend to believe that it is something on my machine, but I would expect one of the many security programs that I have to uncover it.  Is there a better freeware AV program than AVG?

r-k Commented:
It could not really be your machine that was hacked, since you would not have a record of your balance there, plus very unlikely you would have your charge card numbers stored there.
 
r-k Commented:
Having said the above, it is possible that your balance and partial charge card number info could have been in a recent legit email from eBay, and that could have been read by some trojan at either end, or on some mail server along the way.

slink9 (Author) Commented:
Good point.  I will leave it open for a few days and see what else comes up.

r-k Commented:
If you want to be really sure your PC is clean, I would suggest:

 RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html

Try not to use the computer too much while it is scanning. If anything noteworthy is found post a summary here. It will catch things like keyloggers and rootkits that other programs don't.

In addition, you can do an online scan at:  http://safety.live.com/site/en-us/default.htm

Use the "Full Service Scan" button on that page. It is slow but does a pretty good job overall with trojans and spyware.

rpggamergirl Commented:
My guess would be that somehow it was just your browsing that was tabbed.
Very similar thing happened to me after I tried to make an account with Paypal.

After a while, I got 2 consecutive emails, very legit-looking and supposedly from Paypal, informing me to click on some link to change my password because somehow they found a vulnerability in the program they were using.

I know for a fact that I did not make a paypal account so why would I even have a password? I thought that was very weird.

To be sure, you can run some scanners to scan your system, maybe clean out your history and temp files, and check your DPF folder for unknown entries (you can do that with HijackThis), because you can't see everything in your DPF unless you first unregister occache.dll.
The DPF folder is where those installers/nags normally hide, because Explorer will only show ActiveX/plugins in that folder.
 
Check for Rootkits, etc.

Good luck!

slink9 (Author) Commented:
Here are the results from RootKit.  I don't see much of interest.  What do you think?

HKLM\SOFTWARE\Classes\CLSID\{E7B204E0-BEBC-178E-3D5843FA29654C53}\{3C878D1C-F718-E518-23B546720DC1FE96}\{EDC76395-4F05-4B1F-261E6161FD3BFAB2}*      3/7/2006 9:42 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\UPnP Device Host\Description\{979BBCAC-6828-4A58-81D6-0617E57D8CF1}      5/30/2006 5:44 PM      0 bytes      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$      5/30/2006 5:57 PM      34.00 KB      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Local Settings\Temp\~DFF539.tmp      5/30/2006 5:57 PM      512 bytes      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Local Settings\Temp\~WRF3257.tmp      5/30/2006 5:56 PM      16.00 KB      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Local Settings\Temporary Internet Files\Content.IE5\XNR751SA\CAX70QCK.HTM      5/30/2006 5:55 PM      1.15 KB      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Recent\Church.lnk      5/26/2006 4:46 PM      476 bytes      Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\SLink.SLINKHM\Recent\RootkitRevealer (2).lnk      5/30/2006 5:55 PM      722 bytes      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Recent\RootkitRevealer (3).lnk      5/30/2006 5:55 PM      516 bytes      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Recent\sr1.pdf.lnk      5/5/2006 5:05 AM      529 bytes      Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf      5/30/2006 5:56 PM      54.24 KB      Hidden from Windows API.

r-k Commented:
No, you definitely don't have a hidden rootkit or keylogger, so that's good.

Makes one wonder how far these phishers are going these days....
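
A small triage script for a RootkitRevealer log like the one posted above, added here as an example and not part of any poster's comment. It assumes the four fields are separated by tabs or runs of spaces; the 30-minute "modified while the scan was running" window is also an assumption, and older entries are only listed for manual review, not judged.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: four rows taken from the log posted in this thread.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\UPnP Device Host\Description\{979BBCAC-6828-4A58-81D6-0617E57D8CF1}      5/30/2006 5:44 PM      0 bytes      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Local Settings\Temp\~DFF539.tmp      5/30/2006 5:57 PM      512 bytes      Hidden from Windows API.
C:\Documents and Settings\SLink.SLINKHM\Recent\Church.lnk      5/26/2006 4:46 PM      476 bytes      Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf      5/30/2006 5:56 PM      54.24 KB      Hidden from Windows API.
"""

def parse_log(text):
    """Turn each log row into a dict; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) != 4:
            continue
        path, stamp, size, note = parts
        rows.append({
            "path": path,
            "kind": "registry" if path.upper().startswith("HK") else "file",
            "when": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
            "size": size,
            "note": note.rstrip("."),
        })
    return rows

def triage(rows, window_minutes=30):
    """Split rows into (changed near the newest timestamp, older entries).

    Items that change while the scan runs show up as discrepancies, so
    entries stamped close to the newest row are grouped apart from older ones.
    """
    if not rows:
        return [], []
    cutoff = max(r["when"] for r in rows) - timedelta(minutes=window_minutes)
    during = [r for r in rows if r["when"] >= cutoff]
    older = [r for r in rows if r["when"] < cutoff]
    return during, older

if __name__ == "__main__":
    during, older = triage(parse_log(SAMPLE_LOG))
    print(f"{len(during)} entries changed around scan time")
    for r in older:
        print(f"review: [{r['kind']}] {r['path']} ({r['note']})")
```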

r-k Commented:
I should have said "you don't have a hidden rootkit or a hidden keylogger"

Some keyloggers don't make much attempt to hide themselves, and should be looked for with traditional spyware programs, such as HJT or Windows Defender (or that online scan from Microsoft, link above).

r-k Commented:
rpggamergirl, I have been getting those "Paypal" emails about finding a vulnerability and changing passwords even though I haven't been to Paypal in years, so it is more likely coincidence. But you never know, do you :)

slink9 (Author) Commented:
I got one of those today also.  It didn't have any credit card info in it, though.  I get at least five per week between those and bank phishing emails.

slink9 (Author) Commented:
I wish I had broadband.  I live in the middle and can't get either cable or DSL.  I am 1/2 mile one way from DSL and a mile in the other direction from digital cable.  This is some slow downloading!!!

slink9 (Author) Commented:
I let the scan run all night long and it came up with a few things.  Come to think of it, it only showed me two when it seems to find six total.  I will see if I can discover what else it found.

slink9 (Author) Commented:
How do I see the previous results?

rpggamergirl Commented:
Well, I'm glad I'm not the only one getting those phishing emails, :)

Rootkit Revealer didn't find anything but junk in your temp folder, which you could easily clean up.

>>How do I see the previous results?<<
Sorry, which results did you mean? Windows Defender?

slink9 (Author) Commented:
Results from the live scan.

gidds99 Commented:
You should check this with ebay if you are concerned.

slink9 (Author) Commented:
I did but haven't heard from them yet.

gidds99 Commented:
Good.  All very good advice above but the only way to determine whether your account details may have been compromised is to check with EBay.  Also they will be aware of any such phishing type email which may be doing the rounds at the moment.

r-k Commented:
"How do I see the previous results?"

At the end, the results window should have a tree-like structure with + signs that you can expand to see everything that was found.

slink9 (Author) Commented:
It only showed two things but it looked like six were found when I went to bed on it.  Oh well, everything seems to be fine now.  I wish EBay would send me an email to let me know how my info was obtained.

r-k Commented:
Thanks and good luck. Do let us know if you hear back from eBay anytime soon.