Custom-built botnet steals eBay accounts
"This is a very sophisticated, very complex attack," Elzam claimed, ticking off obfuscation techniques, multipart malware downloads and encryption among the tactics used by the thieves.
The resulting botnet is being used to call an eBay application programming interface (API) with pairs of possible usernames and passwords, said Elzam. The API allows the Trojan horse-infected PC -- the bot -- to communicate directly with the eBay database using XML-formatted code. If the database contains the username-password pair, it responds, which the Trojan horse notes, then later transmits to a hacker-controlled server.
With enough username-password combinations -- the brute-force part of the attack -- the criminals can uncover a limited number of real credentials.
"Each bot may be using as few as six pairs of usernames and passwords" in an attempt to come in under the security radar of eBay, said Elzam. "I don't think that eBay is even aware of the attack. The distributed nature of the attack may make it look like a merchant sending confirmations to buyers," he said.
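The detection gap Elzam describes (each bot sending only a handful of guesses, so a per-IP failure threshold never fires) is what a defender would close by correlating authentication failures across sources rather than per source. The following is an added example, not code from the article, from Aladdin or from eBay; the log format, timestamps, addresses, usernames and thresholds are all constructed for illustration. It contrasts a classic per-source threshold, which stays silent on this traffic, with a window-wide check on how many distinct sources each fail a few times.

```python
"""Detect distributed, low-volume credential guessing against an auth API.

Added example, not from the article or from Aladdin/eBay. The log format,
thresholds, addresses and usernames below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username tried, result.
# No source makes more than three attempts, so a per-IP rule sees nothing.
SAMPLE_LOG = """\
2007-09-04T10:00:01 203.0.113.10 alice FAIL
2007-09-04T10:00:03 203.0.113.10 bob FAIL
2007-09-04T10:00:05 203.0.113.10 carol FAIL
2007-09-04T10:00:07 198.51.100.7 dave FAIL
2007-09-04T10:00:09 198.51.100.7 erin FAIL
2007-09-04T10:00:11 198.51.100.7 frank OK
2007-09-04T10:00:13 192.0.2.44 grace FAIL
2007-09-04T10:00:15 192.0.2.44 heidi FAIL
2007-09-04T10:00:17 192.0.2.45 ivan FAIL
2007-09-04T10:00:19 192.0.2.46 judy FAIL
2007-09-04T10:00:21 192.0.2.47 mallory FAIL
2007-09-04T10:01:00 203.0.113.99 alice OK
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse the constructed format into (timestamp, source, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events


def per_source_alerts(events, max_failures=10):
    """Classic per-IP rule: flag any source with many failed attempts."""
    fails = defaultdict(int)
    for _, src, _, ok in events:
        if not ok:
            fails[src] += 1
    return sorted(src for src, n in fails.items() if n >= max_failures)


def distributed_guessing_alerts(events, window=timedelta(minutes=5),
                                min_sources=5, per_source_cap=6,
                                min_fail_ratio=0.5):
    """Window-wide rule: many distinct sources, each failing only a few times.

    For each fixed window, count total attempts, failures, and failures per
    source. Alert when the failure ratio is high, the number of failing
    sources is large, and no single source exceeds per_source_cap failures,
    which is the signature of guesses spread thinly across a botnet.
    Returns a list of (window_start, distinct_failing_sources, fail_ratio).
    """
    windows = defaultdict(lambda: {"total": 0, "fails": defaultdict(int)})
    for ts, src, _, ok in events:
        start = ts - ((ts - EPOCH) % window)   # floor timestamp to window
        bucket = windows[start]
        bucket["total"] += 1
        if not ok:
            bucket["fails"][src] += 1

    alerts = []
    for start in sorted(windows):
        bucket = windows[start]
        failing = bucket["fails"]
        n_fail = sum(failing.values())
        ratio = n_fail / bucket["total"]
        if (len(failing) >= min_sources
                and max(failing.values(), default=0) <= per_source_cap
                and ratio >= min_fail_ratio):
            alerts.append((start, len(failing), ratio))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(evs))
    for start, n_src, ratio in distributed_guessing_alerts(evs):
        print(f"{start}: {n_src} sources failing, fail ratio {ratio:.2f}")
```

The per-source rule returns nothing because no address exceeds its threshold, while the window rule reports the 10:00 window with six distinct failing sources and a failure ratio above 80%. In practice the ratio and source-count thresholds would be set from a baseline of the API's normal traffic, and the same aggregation can be keyed by API client identity or user-agent instead of IP.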
Although Aladdin pieced together the evidence only Tuesday, Elzam said that clues indicate it might have started in early August.