How do you know if the Web site you’re visiting is legitimate or not?
Given the rise of Web-based (and money-driven) attacks, an average Internet user would probably have a hard time telling. After all, hackers have gone to lengths making sure they trick as many users as possible: URL redirection, IFRAME injection, phishing…and all that jazz.
Of course, the more cautious Web surfers have also noticed these malicious tactics and have since found means to make sure that they are protected from such scams/attacks. Perhaps one of the most popular techniques is the use of third-party “validation” sites, which help ensure that online transactions–e.g., products and sellers–are legit, and that customer data (and money) do not fall into the wrong hands. But what happens when these security measures are also spoofed?
The Register reports of an info-stealing Trojan spyware that steals eBay account information by masquerading as–in a sense–eBay itself. No wonder it has already robbed one eBay user her $8,600.
Indeed, according to the said report, the spyware installs a “scaled down” Web server that hosts several spoofed eBay pages, as well as pages related to “motors” validation sites like Carfax.com, Autocheck.com, and Escrow.com. Simply put, this spyware (detected by Trend Micro as TSPY_BAYROB.B) does not simply monitor specific pages…it goes to another level and spoofs an entire transaction.
Engineers at TrendLabs have analyzed the sample of the spyware that we’ve received, and it seems that it doesn’t really “install” the Web server–or from the looks of it, servers–but rather accesses them by connecting to the following sites:
As of this writing, though, these sites are already inaccessible.
What is also notable about this spyware is that it appears to be an updated version of TROJ_BAYROB.A, which first made rounds last March. Symantec has posted a blog entry regarding the said Trojan…and it seems the authors behind these threats are really into vehicle scams. Indeed, it connects to the Web site https://signin.ebay.com/ebaymotors/ws/ebayISAPI.dll and attempts to place a bid.
Notice that it even attempts (albeit unsuccessfully) to launch Kodak Viewer Express in order to hide its malicious routines, so users may get an error message instead:
Nevertheless, Trend Micro continues to provide solutions to protect users from such scary dopplegangers. Of course, safe computing practices is still the key, so users are still advised to be wary when performing online transactions. Otherwise, becoming roadkill in the hands of these online doppelgängers would be an understatement.