When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications.
Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.
After learning about this, BleepingComputer conducted a test and can confirm that eBay.com is indeed performing a local port scan of 14 different ports when visiting the site.
This scan is being conducted by a check.js script [archived] on eBay.com that attempts to connect to the following ports:
BleepingComputer has not been able to identify the targeted program on port 63333. If you recognize it, please let us know.
The script performs these scans using WebSockets to connect to 127.0.0.1, which is the local computer, on the specified port.
According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux.
Once they tested in Windows, though, the port scans occurred.
This makes sense as the programs being scanned for are all Windows remote access tools.
Likely done to detect hacked computers
We first heard about eBay's port scanning script from Jack Rhysider of DarkNetDiaries, and it was theorized that it was being done for ad delivery, fingerprinting, or fraud protection.
As the port scan is only looking for Windows remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.
In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.
As many eBay users use cookies to automatically log in to the site, the attackers were able to remote control the computer and access eBay to make purchases.
It got so bad that one person created a spreadsheet to keep track of all the reported attacks. As you can see, many of them reference eBay.
The script being used for fraud detection is further confirmed by Dan Nemec's great write-up, where he traced it to a fraud detection product owned by LexisNexis called ThreatMetrix.
As part of ThreatMetrix's description, they discuss how they detect and protect sites from Remote Access Trojans (RATs).
"Malware protection helps businesses mitigate the risk by being protected from Man-In-The-Browser (MITB), Remote Access Trojan (RAT), high velocity/frequency bot attacks to low-and-slow attacks mimicking legitimate customer behavior, ransomware, key logging attempts, etc," ThreatMetrix's product page explains.
While the scanned-for programs are all legitimate, some of them have been used as RATs in phishing campaigns.
Regardless of the reasons, port scans like this are still intrusive and not something that many users would want to happen when visiting a site.
When we reached out to eBay for a statement we were told:
"Our customers’ privacy and data remains a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy."
www.bleepingcomputer.com

eBay port scans visitors' computers for remote access programs
When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications.
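
The WebSocket-to-127.0.0.1 behaviour described in the article can be observed and refused from the browser side. The following is an added example (not from the article, eBay, or ThreatMetrix): it wraps a page's WebSocket constructor so that connections from a non-local page to a loopback address are blocked and recorded. The function names and the threshold of three distinct ports are assumptions.

```javascript
// Added example. Names and the minPorts threshold are assumptions.

// Return the target port if rawUrl is a ws:/wss: URL aimed at a loopback
// host, otherwise null. URL() normalises short forms such as 127.1.
function loopbackPort(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'ws:' && u.protocol !== 'wss:') return null;
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  const loopback = host === 'localhost' || host.endsWith('.localhost') ||
    host === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
  if (!loopback) return null;
  if (u.port) return Number(u.port);
  return u.protocol === 'wss:' ? 443 : 80;
}

// Wrap a WebSocket constructor. Pages that are themselves served from
// loopback (local development) are left alone.
function guardWebSocket(BaseWebSocket, pageHostname, attempts) {
  const pageIsLocal = loopbackPort(`ws://${pageHostname}/`) !== null;
  return new Proxy(BaseWebSocket, {
    construct(target, args, newTarget) {
      const url = String(args[0]);
      const port = loopbackPort(url);
      if (port !== null && !pageIsLocal) {
        attempts.push({ url, port, time: Date.now() });
        throw new Error(`blocked WebSocket to loopback: ${url}`);
      }
      return Reflect.construct(target, args, newTarget);
    },
  });
}

// Several distinct loopback ports probed from one page is the scan pattern.
function looksLikePortScan(attempts, minPorts = 3) {
  return new Set(attempts.map((a) => a.port)).size >= minPorts;
}

// Browser use (userscript or extension content script, run before page scripts):
//   const log = [];
//   window.WebSocket = guardWebSocket(window.WebSocket, location.hostname, log);
```

The recorded `attempts` array shows which ports a page tried, which is the same evidence the article's authors gathered by watching network traffic.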