
eBay port scans visitors' computers for remote access programs - lapcatsoftware
https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
======
yalogin
This site is a standard reblogger. They just regurgitate stuff that they find
on other sites or even reddit and Facebook. They don’t add anything new to the
story. If anything they take away some context from when it was originally
reported. I somehow despise it a lot; they provide no value but consistently
take away advertisement dollars and clicks from the original author.

~~~
richij
Bleeping isn't churnalism. Daft name, so for the longest time I assumed it was
garbage, but Lawrence and crew actually do good work.

------
nickt
Previous discussion:
[https://news.ycombinator.com/item?id=23246170](https://news.ycombinator.com/item?id=23246170)

~~~
lapcatsoftware
Ah, sorry. I searched HN stories for "eBay" and didn't find anything. Not sure
why that story's author chose "This Website" for the title.

~~~
robertlutece
Your article links to that exact story though.

~~~
lapcatsoftware
Yes, and the vague article title was a big reason I submitted this one
instead. :-)

I thought about submitting the other article with my own title, but I didn't
want to "editorialize".

------
crypt1d
This is supposed to help with fraud? Let's be serious for a moment. The only
thing that this is going to change is that the supposedly hacked computers
will no longer run VNC on standard ports.

I think what we might be seeing here is the outcome of some overpaid
consultant's claim that they can protect ebay from fraud with 'sophisticated'
malware detection.

~~~
anon102010
Let's be serious for a moment. A computer that is hacked and running remote
access programs poses a MUCH higher risk of account hijacking for ebay and
paypal purposes than another computer.

Feed that into a system that monitors lots of other inputs, and you start to
build improved fraud detection systems. Most of these systems benefit
significantly from long tail / long history monitoring - all the other
providers of systems in this space try to get beacons onto virtually all the
pages you visit, monitor all mouse and other movements you carry out etc.

Why not this pretty simple and straightforward explanation vs something
complicated about overpaid consultants? Amazon does $80B of sales or something
per year. Each 1% of fraud on this platform is worth $800 million. How
overpaid must a consultant be who can knock this down?

I'm curious how someone with crypt in their name would ignore obvious remote
access trojan installs as a threat vector?

~~~
crypt1d
I'm not ignoring anything. I'm simply stating that this is not an effective
prevention method. I'm even going to argue that this can potentially _hurt_
whatever fraud system they have in place, as it could create a lot of false-
negatives. Once the fraudsters pick up on this they'll change the ports. From
then on, this script is useless.

At best, the result of the data points created by this script is going to
create a temporary drop in fraud, which can be used by the aforementioned
'consultant' to claim (premature) victory. Give it a month or two, and the
fraud numbers are going to go back to their previous levels.

~~~
anon102010
Do you deal with fraud issues? My guess is not. "The fraudsters may adapt" is
a complaint with almost all fraud fighting approaches - and yet many even
older methods STILL have value even if fraudsters could work around them. Many
fraudsters are using scripts and tools they don't even know how to modify but
that circulate and are used. In-person use has geo checks, so easy to avoid by
using cards in a local area - but fraud prevention STILL picks up out of
billing zip attempts at use.

So you'll be wrong here. And even a 6 month decline in fraud is highly
valuable to any of these large scale players.

------
girst
Note that a browser firewall like uBlock Origin with EasyPrivacy (easylist.to)
already blocks this:
[https://imgur.com/s7efEez.png](https://imgur.com/s7efEez.png)

~~~
JMTQp8lwXL
This image doesn't show any local ports trying to be accessed. I'm guessing
this endpoint is what gets called after the scan is completed, but context is
missing to be certain.

------
sloshnmosh
Copying the JavaScript to “beautifier(.)io” will show that this script does
more than just port scan. It also uses some low-level fingerprinting
techniques using flash and various fonts to determine browser type. It also
produces a public and private key.

~~~
sdoering
So you are saying this violates GDPR if it is done without user consent?

------
vorticalbox
Read about this the other day but I have yet to be able to reproduce port
scanning.

~~~
ziml77
A coworker and I found that uBO blocks it. Also from my tests without uBO
enabled it didn't scan every time (seemed to only scan when logged out, but
that could have been a coincidence).

------
afrcnc
Duplicate from this:
[https://news.ycombinator.com/item?id=23246170](https://news.ycombinator.com/item?id=23246170)

Also, the BC article is highly sensationalized coverage with no links to
actual source. smh, today's journalists

------
shreve
It looks like port 63333 is a common forwarding port for PostgreSQL.
[https://github.com/search?q=port+63333+database&type=Code](https://github.com/search?q=port+63333+database&type=Code)

------
jalla
[https://www.cbronline.com/news/halifax-port-scans](https://www.cbronline.com/news/halifax-port-scans)

------
ferros
Fair enough, they’re doing it to protect their business.

But why should a user have to subject their machine internals to inspection by
eBay? And, without their consent.

~~~
nojito
Visiting a website implies consent.

~~~
catalogia
What percentage of ebay visitors even know what portscanning is? How can
somebody consent to something they aren't aware of, don't anticipate, and
certainly don't even understand? Your notion of "consent" is an utter joke.

~~~
jfoster
They might not know what port scanning is, but can they agree to "anti-fraud
measures?"

~~~
catalogia
Maybe they might agree to such anti-fraud measures, but I don't think they
have. I don't consider _'ignoring the terms of use buried at the bottom of
the page or in small print'_ a legitimate form of indicated consent.

~~~
jfoster
Agree with you that simply putting something in the terms of use doesn't
necessarily indicate agreement. If they're only doing it to signed in users,
then presumably they had the terms put in front of them at some point, but I
think your objection is still fair in any case.

To what extent do they need consent to port scan, though? They're not
intending to do anything malicious, and in fact (assuming you are the owner of
the account that's signed in) they're doing it partly to benefit you. Is there
a law against port scanning? Does it affect users in any way?

------
cornishpixels
> This makes sense as the programs being scanned for are all Windows remote
> access tools.

Wait. VNC is a Windows remote access tool? LOL.

------
TekMol
Is it possible to configure uMatrix so it either blocks WebRTC completely or
asks when a page tries to use it?

~~~
TD-Linux
eBay's technique does not use WebRTC at all.

