Tuesday, July 27, 2004
eBay hacked ... or really?
Last night, Russell and I had a
lively debate on #rucus about whether News
24's article on eBay being hacked was
legitimate or not.
It seems that this discussion has become a lot larger than our little
network and I've been asked to make some comments I made on our local
'varsity discussion forums
available in a more public place. So here we go:
|
Posted by guy: Jul 27 2004, 12:02 PM
There are lots of inconsistencies with this. My gut feel is that it
is a scam and that eTV and News24 have cleverly been tricked into furthering
malicious goals.
For example, why is "Johannesburg Commercial Branch" hosting
information on .com and .org domains when they have a perfectly good
.gov.za domain? Take a look at http://www.saps.gov.za/divstat/commercial/ and http://www.commercialbranch.com/ and tell me which you
trust more? Why is 419legal.org or commercialbranch.com not mentioned on http://www.saps.gov.za/crimeprev/nig.htm#nig
Also have a look at the registration information for those domains and notice
they're registered to someone in Durban (odd for Jo'burg), that both
the post code and the telephone number are almost, but not
quite right, etc. Why is it not registered in the SAPS's name, or why
hasn't it been changed to be? Why were the domains registered
through a US-based registrar when we have several perfectly good
registrars in South Africa?
The 419legal.org site is hosted by a generic hosting company in the USA, yet the rest of the
SAPS's site is hosted on the government's own netblock in South Africa. Add to
that the fact that they thank RealXchange.co.za for hosting -- yet
RealXchange.co.za is hosted on a completely different network in the
UK.
Then realise that every one of the logos and pictures you
see on 419legal.org can be found on other web sites (for example, the
Jo'burg commercial branch's logo is on the saps.gov.za site, the
RealXchange face is on their web site, etc).
The final straw is that they ask you to enter your credit card number in
order to check it. There is no way in hell that's good Internet
practice. They could have asked for your surname and last four digits, or
something similarly unique. They purport it to be a "secure"
site, but notice how they don't have their own SSL certificate. Instead
they piggy-back off someone else's (www2.securesiteserver.co.uk). Why is
that? I suspect it is because they couldn't provide the necessary
certificate of incorporation, etc required by all commercial SSL vendors.
It has scam written all
over it in big letters.
|
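The certificate point from the forum post above, as an added example that is not part of the original post: a check of whether the certificate protecting a card-entry page is actually issued to the site that asks for the card number. The function names, both certificate dictionaries, the URL paths and `shop.example` are constructed for illustration; only the two host names come from the post.

```python
from urllib.parse import urlsplit

# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
SHARED_CERT = {"subject": ((("commonName", "www2.securesiteserver.co.uk"),),)}
OWN_CERT = {"subject": ((("commonName", "shop.example"),),),
            "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"))}

def cert_dns_names(cert):
    """DNS names a certificate vouches for; commonName is only a fallback."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def review_secure_page(site_host, secure_url, cert):
    """Return the reasons a card-entry page cannot be tied to site_host."""
    site = site_host.lower()
    parts = urlsplit(secure_url)
    page_host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("card form is not served over HTTPS")
    if page_host != site and not page_host.endswith("." + site):
        findings.append(f"card form is served from {page_host}, not {site}")
    names = cert_dns_names(cert)
    if not any(name_matches(n, site) for n in names):
        findings.append(f"certificate is issued to {names}, not {site}")
    return findings

if __name__ == "__main__":
    # The path in this URL is constructed; only the host name is from the post.
    for finding in review_secure_page(
            "419legal.org", "https://www2.securesiteserver.co.uk/constructed/check",
            SHARED_CERT):
        print("WARN:", finding)
```

A shared-hosting certificate produces two findings here: the form sits on a third party's host, and the certificate says nothing about who runs the site itself.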
There is more to this than meets the eye. Last night eTV carried it as headline news. I
e-mailed them straight after their 8pm news bulletin to point out the
inconsistencies we'd worked out by that point (we've found more since) and as
yet I've had no reply from them. I was going to phone them but
unfortunately they don't have a contact number for their news desk on their
website. They broadcast it at the end of
every news bulletin, so I'll call after the 6.15 one -- I'll probably post
more on this later. (and I did.)
Update: 2004/07/28.11h07
It appears that this might be worse than we originally thought. Instead of
being the sort of scam that we suspected, it looks like this might actually
be sort of semi-legitimate. Neil
hinted at this earlier
today, and subsequent events seem to be bearing out that notion. I'm
still trying to reconcile the idea that so many simple mistakes
could have been made in the setting up of a legitimate site.
I've got nothing against the idea of hosting this sort of information
online, I'd just prefer it was done properly. If this is indeed legitimate
(and we're still waiting to find that out), it'd be nice if some of the
inconsistencies Russell and I noticed
were cleaned up, and, more importantly, if the whole idea of searching a
credit card database was revised. Imagine a stolen credit card database
being stolen again, or people illegitimately using the details therein to
commit further fraud. If it is a project of the Jo'burg Commercial
Branch, I'd like to see someone at the SAPS take responsibility for its proper
running. I'd also like proper, traceable contact details to be available on
the site.
Anyway, News24 have carried another
article on the saga. It claims that a police statement is forthcoming,
something we're all waiting with bated breath to read.
Update: 2004-08-01.23h14
It appears the whole eBay hacking saga is almost solved. Yay! IOL carried a
story
today that just about says it all. I'm just glad we're getting to the
bottom of this and that, for once, people (read "the popular media") seem to
be taking issues of Internet security seriously.
posted by guy at: 18:01 SAST
