
Attacks/Breaches

5/23/2014
10:05 AM
JD Sherry
Commentary

eBay Breach: Is Your Identity Up For Auction?

In a sick twist of events, the roles may just have been reversed on eBay users. It's their social media identities and data that now have the greatest value in the cyber underground.

Going once, going twice, SOLD to the gentleman with the black hoodie!

Isn’t it ironic that the latest victims of a privacy breach are the users of the massive eBay online auction service? It is estimated that the platform facilitates online auctions for 145 million users. Time.com and others broke the news early on May 21 that eBay suspected that it had been compromised and was urging its user base to change their passwords.

At this juncture, details of the breach remain scarce, and eBay is indicating that no financial information in the form of credit cards or PayPal accounts is in scope. This has drawn the company a fair amount of criticism. The investigation is just getting started. Those of us who have experienced an information security breach know that the scope can expand as forensics are completed and it becomes clear how much data was actually exfiltrated from the crime scene. In a sick twist of events, the roles may just have been reversed on eBay users. Could their identities be up for auction in the cyber underground?

Trend Micro predicted that in 2014 we would see one or more major security breaches a month. Unfortunately, this current breach adds to an extremely long list of casualties of organizations and, subsequently, individuals who have fallen prey to sophisticated and stealthy cyber campaigns. These targeted attacks are aimed directly at compromising sacred datasets. Our identities continue to suffer serious flesh wounds, and many of us have experienced complete identity theft.

The news of the Experian data leak was probably most frightening -- even more so than the recent Target breach. Reports indicate that approximately 200 million Americans’ information was leaked, Social Security numbers included. When you couple all of these data breaches together, you can clearly see that a blueprint on your identity can and will be constructed to commit identity theft. We continue to see this impact on our friends and family, ultimately causing financial and emotional stress on our personal and professional lives. Time and serious investigative work will tell if the eBay breach becomes Top 10 worthy. The overall fallout could be staggering simply due to the sheer numbers of people who conduct online auctions with eBay.

Prices falling for stolen cards, rising for identity info
There has been plenty said about the price of stolen credit cards and how they are distributed and sold in the cyber underground. In fact, Trend Micro’s Forward-Looking Threat Research group has carefully profiled the Russian Underground in 2011 and again in late 2013. What is astonishing is that the price of stolen credit cards is falling. The reason comes down to basic economics. The supply of stolen cards is starting to balloon in the black market, thus prices are dropping. The cyberheists are piling up. However, the focus on quality and overall longevity of acquired datasets is shifting.

The shift seems to be more around identities and personal information housed in social media accounts or credentials used in many places. For example, prices for American credit cards were around $2.50 in 2011 and now are $1.00 and in some cases less. On the contrary, social media accounts like Facebook and Gmail accounts are going for $100 each. The main reason is that there is a tremendous amount of personal data attached to these accounts. Many use Facebook and Gmail accounts to authenticate and access other online services. This makes them extremely attractive for extending the attacker’s reach.

So what does a compromised eBay account go for? Here are the associated values in the cyber underground for compromised eBay accounts:

• 0-5 Feedbacks = $0.2 + mail = $1
• 6-20 Feedbacks = $1 + mail = $5
• 21-50 Feedbacks = $3 + mail = $15
• 51-70 Feedbacks = $5 + mail = $20
• 71-100 Feedbacks = $7 + mail = $30
• 101-300 Feedbacks = $10 + mail = $40
• 301-600 Feedbacks = $18 + mail = $55
• 601-1,000 Feedbacks = $25 + mail = $70
• 1,001-2,000 Feedbacks = $40 + mail = $100
• 2,001-4,000 Feedbacks = $60 + mail = $150

As you can see, these command some pretty steep prices compared to other black market datasets. In short, our identities and personal information should not be up for auction. Organizations like eBay continue to fight the endless battle against targeted attacks daily. Two-factor authentication and encryption will one day be ubiquitous for all services that store our personally identifiable information. Until then, we must take charge of monitoring our own identities, knowing that incidents like this are becoming the new normal.

JD Sherry is Chief Revenue Officer for Remediant, Inc. He has spent the last decade in executive senior leadership roles at Optiv Security, Cavirin and Trend Micro, and has successfully implemented large-scale public, private and hybrid clouds emphasizing ...

Comments
voxelman,
User Rank: Apprentice
5/29/2014 | 10:02:16 AM
Re: Re : eBay Breach: Is Your Identity Up For Auction?
Both eBay and PayPal offer two-factor authentication. I have a security FOB that provides an ever-changing numeric addendum to my password to prevent the vulnerability issues associated with single-factor authentication. This is a feature that is available to all eBay and PayPal users.
SachinEE,
User Rank: Apprentice
5/26/2014 | 12:54:34 PM
Re : eBay Breach: Is Your Identity Up For Auction?
Do you know why Google and Facebook account information is more expensive when being sold on the black market? They have stiff privacy measures for their users, and this means it is very difficult for hackers to access other people's information. eBay should try borrowing a leaf from these companies in making their privacy policies safe, hacking-free and effective. In doing this they will win back their customers' trust.
RyanSepe,
User Rank: Ninja
5/25/2014 | 11:18:34 AM
Re: Experian Data Leak
That's all well and good moving forward; however, in the current time, this does not help mitigation of the leak for the user. If there is nothing that can be done from the enterprise or user perspective in this regard, then it seems that the only plausible way to detect if your information is being used maliciously is to stay attentive. Monitor your credit history every 4 months, which is free and feasible, or use a credit checker. Otherwise you are at the mercy of the exploiter.
jd.sherry,
User Rank: Author
5/25/2014 | 10:44:22 AM
Re: Experian Data Leak
Great question. I think as we see the pending EU data privacy regulation unfold that organizations will fundamentally have to pay more attention to this globally. Serious fines will be levied against organizations that leak data (up to 5% of global sales). Cyber security investments will become a larger part of their "cost of doing business." These fines will also be on top of the traditional lawsuits and brand damage that occur post-breach. Just look at Target with sales down over 30%. Experian's stock is also down post-breach.
Joe Stanganelli,
User Rank: Ninja
5/25/2014 | 10:34:40 AM
It's been so long since I've used eBay...
...Perhaps the hackers can remind me what my password is.
RyanSepe,
User Rank: Ninja
5/23/2014 | 6:38:53 PM
Experian Data Leak
The Experian data leak is the most concerning part of the article for me, since we have very little control over this realm. Is there any way this risk can be mitigated from a user standpoint? Because even if you don't have any interaction with Experian directly, they are a bureau that makes it their business to have data about you. I don't believe there is any opt-out clause here besides using cash for your entire life.

Any tips?
jd.sherry,
User Rank: Author
5/23/2014 | 12:13:34 PM
Re: Supply & Demand
Anywhere you can enable two-factor authentication with your social media accounts, or any accounts for that matter, is a great place to mitigate stolen credentials. Also, there are solid platforms that integrate well with social media privacy settings, especially FB and Twitter. See this blog on what you can do to protect privacy as well. http://blog.trendmicro.com/trend-micro-privacy-scanner-can-help-balance-privacy-sharing-social-networks/#.U39ylVhdUbc

Additionally, here is another way to help detect malware with a free service for FB users. https://www.facebook.com/TrendMicroTitanium/app_361071450629111
Marilyn Cohodas,
User Rank: Strategist
5/23/2014 | 11:31:13 AM
Re: Supply & Demand
That's pretty creepy and scary. I guess I'll be spending some time locking down my social accounts. What's the best play to start?
jd.sherry,
User Rank: Author
5/23/2014 | 11:25:42 AM
Re: Supply & Demand
Thank you! Full credentials and carte blanche on the account, Marilyn.
Marilyn Cohodas,
User Rank: Strategist
5/23/2014 | 11:20:13 AM
Supply & Demand
Fascinating article, JD. Especially about the shift from card data to PII. Do you know what exactly these cybercrooks are harvesting from eBay? What does $100 get you from Facebook?