5/23/2014
10:05 AM
JD Sherry
Commentary

eBay Breach: Is Your Identity Up For Auction?

In a sick twist of events, the roles may just have been reversed on eBay users. It's their social media identities and data that now have the greatest value in the cyber underground.

Going once, going twice, SOLD to the gentleman with the black hoodie!

Isn’t it ironic that the latest victims of a privacy breach are the users of the massive eBay online auction service? It is estimated that the platform facilitates online auctions for 145 million users. Time.com and others broke the news early on May 21 that eBay suspected that it had been compromised and was urging its user base to change their passwords.

At this juncture, details of the breach remain scarce, and eBay is indicating that no financial information in the form of credit cards or PayPal accounts is in scope. This has earned them a fair amount of criticism. This investigation is just getting started. Those of us who have experienced an information security breach know that the scope can expand as forensics are completed to truly determine how much data has been exfiltrated from the crime scene. In a sick twist of events, the roles may just have been reversed on eBay users. Could their identities be up for auction in the cyber underground?

Trend Micro predicted that in 2014 we would see one or more major security breaches a month. Unfortunately, this current breach adds to an extremely long list of casualties: organizations and, subsequently, individuals who have fallen prey to sophisticated and stealthy cyber campaigns. These targeted attacks are aimed directly at compromising sacred datasets. Our identities continue to suffer serious flesh wounds, and many of us have experienced complete identity theft.

The news of the Experian data leak was probably most frightening -- even more so than the recent Target breach. Reports indicate that approximately 200 million Americans’ information was leaked, Social Security numbers included. When you couple all of these data breaches together, you can clearly see that a blueprint of your identity can and will be constructed to commit identity theft. We continue to see this impact on our friends and family, ultimately causing financial and emotional stress on our personal and professional lives. Time and serious investigative work will tell if the eBay breach becomes Top 10 worthy. The overall fallout could be staggering simply due to the sheer numbers of people who conduct online auctions with eBay.

Prices falling for stolen cards, rising for identity info
Plenty has been said about the price of stolen credit cards and how they are distributed and sold in the cyber underground. In fact, Trend Micro’s Forward-Looking Threat Research group carefully profiled the Russian Underground in 2011 and again in late 2013. What is astonishing is that the price of stolen credit cards is falling. The reason comes down to basic economics. The supply of stolen cards is starting to balloon in the black market, thus prices are dropping. The cyberheists are piling up. However, the focus on quality and overall longevity of acquired datasets is shifting.

The shift seems to be more around identities and personal information housed in social media accounts or credentials used in many places. For example, prices for American credit cards were around $2.50 in 2011 and now are $1.00 and in some cases less. By contrast, social media accounts like Facebook and Gmail accounts are going for $100 each. The main reason is that there is a tremendous amount of personal data attached to these accounts. Many use Facebook and Gmail accounts to authenticate and access other online services. This makes them extremely attractive for extending the attacker’s reach.

So what does a compromised eBay account go for? Here are the associated values in the cyber underground for compromised eBay accounts:

• 0-5 Feedbacks = $0.2 + mail = $1
• 6-20 Feedbacks = $1 + mail = $5
• 21-50 Feedbacks = $3 + mail = $15
• 51-70 Feedbacks = $5 + mail = $20
• 71-100 Feedbacks = $7 + mail = $30
• 101-300 Feedbacks = $10 + mail = $40
• 301-600 Feedbacks = $18 + mail = $55
• 601-1,000 Feedbacks = $25 + mail = $70
• 1,001-2,000 Feedbacks = $40 + mail = $100
• 2,001-4,000 Feedbacks = $60 + mail = $150

As you can see, these command some pretty steep prices compared to other black market datasets. In short, our identities and personal information should not be up for auction. Organizations like eBay continue to fight the endless battle against targeted attacks daily. Two-factor authentication and encryption will one day be ubiquitous for all services that store our personally identifiable information. Until then, we must take charge of monitoring our own identities, knowing that incidents like this are becoming the new normal.

JD Sherry has successfully implemented large-scale public, private, and hybrid clouds, leveraging the latest in virtualization technologies. For the past decade, JD has established himself as a trusted senior advisor and cloud security specialist for the Payment Card Industry ...
Comments
voxelman,
User Rank: Apprentice
5/29/2014 | 10:02:16 AM
Re: Re : eBay Breach: Is Your Identity Up For Auction?
Both eBay and PayPal offer two-factor authentication. I have a security FOB that provides an ever-changing numeric addendum to my password to prevent the vulnerability issues associated with single-factor authentication. This is a feature that is available to all eBay and PayPal users.
SachinEE,
User Rank: Apprentice
5/26/2014 | 12:54:34 PM
Re : eBay Breach: Is Your Identity Up For Auction?
Do you know why Google and Facebook account information is more expensive when being sold in the black market? They have stiff privacy measures for their users and this means it is very difficult for hackers to access other people's information. eBay should try borrowing a leaf from these companies in making their privacy policies safe, hacking-free and effective. In doing this they will win back their customers' trust.
RyanSepe,
User Rank: Ninja
5/25/2014 | 11:18:34 AM
Re: Experian Data Leak
That's all well and good moving forward; however, in the current time, this does not help mitigation of the leak for the user. If there is nothing that can be done from the enterprise or user perspective in this regard, then it seems that the only plausible way to detect if your information is being used maliciously is to stay attentive. Monitor your credit history every 4 months, which is free and feasible, or use a credit checker. Otherwise you are at the mercy of the exploiter.
jd.sherry,
User Rank: Author
5/25/2014 | 10:44:22 AM
Re: Experian Data Leak
Great question. I think as we see the pending EU data privacy regulation unfold that organizations will fundamentally have to pay more attention to this globally. Serious fines will be levied against organizations that leak data (up to 5% of global sales). Cyber security investments will become a larger part of their "cost of doing business." These fines will also be on top of the traditional lawsuits and brand damage that occur post a breach. Just look at Target with sales down over 30%. Experian's stock is also down post breach.
Joe Stanganelli,
User Rank: Apprentice
5/25/2014 | 10:34:40 AM
It's been so long since I've used eBay...
...Perhaps the hackers can remind me what my password is.
RyanSepe,
User Rank: Ninja
5/23/2014 | 6:38:53 PM
Experian Data Leak
The Experian data leak is the most concerning part of the article for me, since we have very little control over this realm. Is there any way this risk can be mitigated from a user standpoint, because even if you don't have any interaction with Experian directly, they are a bureau that makes it their business to have data about you? I don't believe there is any opt-out clause here besides using cash for your entire life.

Any tips?
jd.sherry,
User Rank: Author
5/23/2014 | 12:13:34 PM
Re: Supply & Demand
Anywhere you can enable two-factor authentication with your social media accounts, or any accounts for that matter, is a great place to mitigate stolen credentials. Also, there are solid platforms that integrate well with social media privacy settings, especially FB and Twitter. See this blog on what you can do to protect privacy as well. http://blog.trendmicro.com/trend-micro-privacy-scanner-can-help-balance-privacy-sharing-social-networks/#.U39ylVhdUbc

Additionally, here is another way to help detect malware with a free service for FB users. https://www.facebook.com/TrendMicroTitanium/app_361071450629111
Marilyn Cohodas,
User Rank: Strategist
5/23/2014 | 11:31:13 AM
Re: Supply & Demand
That's pretty creepy and scary. I guess I'll be spending some time locking down my social accounts. What's the best play to start?
jd.sherry,
User Rank: Author
5/23/2014 | 11:25:42 AM
Re: Supply & Demand
Thank you! Full credentials and carte blanche on the account, Marilyn.
Marilyn Cohodas,
User Rank: Strategist
5/23/2014 | 11:20:13 AM
Supply & Demand
Fascinating article, JD. Especially about the shift from card data to PII. Do you know what exactly these cybercrooks are harvesting from eBay? What does $100 get you from Facebook?