Serious Security: Beware eBay scrapers promising to help you

Thanks to Andrew Last and Peter Mackenzie of Sophos Support for their help with this article.

If you’re an eBay user, the question you’ve probably been asked most often by friends and family – notably by those who’ve used it either never or rarely – is, “Don’t you get ripped off a lot?”

When you’re buying and selling at a distance, so that one of you has to ship before getting paid or to pay before it’s shipped, there are plenty of ways for the transaction to go wrong.

But for all the horror stories, most eBay transactions work out just fine – no one gets ripped off and there’s a net positive outcome for everyone.

Of course, it’s not just buyers and sellers on online trading sites that can lead you astray.

Here’s an example of a recent eBay spam that we investigated.

Judging by the automated look of the message, the spammer is scraping the details of items soon after sellers publish them and then offering eBay-related “viral promotion” services.

The text even includes some machine-generated – though admittedly not very convincing – flattery claiming a special interest in the product being advertised:

The message actually has no spaces in it – the gaps between the words are filled with a Unicode character known officially as MODIFIER LETTER UP TACK (presumably because it looks like a drawing pin or tack with the point facing upwards).

We’re guessing this is a simple trick intended to stop basic text analysis tools from splitting the message into words, given that most European languages use the regular space character (Unicode value +0020; ASCII 32) to denote word endings, rather than an obscure TACK character (Unicode value U+02D4).

Ebay doesn’t allow links in messages, both to reduce fraud and to discourage buyers and sellers from moving off-market, so the spammer has to fall back on embedding their advert in an image instead:

The URL in this case is a short vanity name in the .ME domain, hooked up to a URL redirector service that lets the owner of the domain change the final destination of the URL any time they like.

That makes it cheap and technically simple spammer to make an easily typed URL such as…

buyme.example

…redirect immediately to a much more complex URL such as:

online.service.example/showads?affiliate=14432&search=custom%20stuff&rating=3

In other words, the spammer effectively has their very own URL shortening service, and once they own buyme.example, they also get the right to use any and all subdomains, too.

So they can set up a number of different redirects for different online sites, such as ebay.buyme.example, amazon.buyme.example, alibaba.buyme.example and more.

Each one then takes you to a different advertising URL, tagged with the spammer’s affiliate code so that they get a modest click-through fee any time someone uses the link, and with search terms vaguely relevant to the product you’re selling right now, or related to the trading site you’re using.

Bingo!

The spammer now has their very own targeted advertising service – admittedly with very modest revenue, but on an even more modest budget.

Better yet for the spammer, they can run the whole thing largely automatically, and run dozens of these schemes at the same time, too.

The spammer gets to use the cloud for everything, and doesn’t need to set up any servers or services of their own – they don’t need to know a thing about how to operate DNS, how to run a web server, or how to format HTTP 301 redirects.

The whole campaign can be run using little more than a web browser, a few site-scraping scripts and a low-value pre-paid credit card.

But where’s the harm?

Apart from the annoyance of eBay message spam, is there any harm done or risk posed by this sort of “service”?

In the example we checked out, the spam took us to a set of online ads on popular “gig outsourcing” site Fiverr, offering the very sort of services that lots of home-business eBay users might actually find useful.

Cheap and cheerful photo-editing of product shots to make them sell for a few more dollars – what’s the harm in paying someone $5 to help you realise $15 more in your product’s auction?

Product videos, ready to use – what’s the harm in paying $30 to someone to do the work for you in a country where that’s serious money, and where the “gig worker” has no realistic local prospects of a job at all?

Actually, there are risks, regardless of what you think of the ethical and moral righteousness of zero-hour contracts and the so-called gig economy.

We tried the link in this spam many times from various parts of the world, in different browsers, and at different times of the day, and although we almost always ended up with the same ads, tagged with the same affiliate codes…

…we occasionally also received the added bonus of a COOL FREE DOWNLOAD that turned out to be malware, including one sample that tried to trick us into installing a cryptocurrency miner.

The cryptominer foisted on us was, of course, preconfigured to mine for someone else so that we’d be paying for the electricity but they’d get the cryptocoins.

Your mileage may vary

By the way, don’t forget that the malware we bumped into while investigating this message isn’t necessarily the same as what you might experience, even if you followed exactly the same link from exactly the same spammer.

In fact, it’s not merely possible, but actually quite likely that your experience would be different to ours.

The crooks use the cloud these days to deliver malware on demand, instead of packaging it into self-spreading viruses or worms like they used to, because that means they can alter the details of each malware attack at will.

They can infect only every fifth visitor, or hit German users with keyloggers but everyone else with ransomware, or try to infect you only during office hours, and so on.

How bad can it be?

When you type in unsolicited links – especially links like the one in this spam, which was deliberately presented in a way to sidestep the accepted policies on links in eBay messages – you’re putting an awful lot of trust where it doesn’t belong.

Let’s assume that the original spammer is essentially honest, and is aiming merely to make a humble income out of advertising other people’s attempts to make a humble income out of your own attempts to make a modest income out of selling stuff on eBay, who will in turn make a modest income out of your sale.

Well, there’s still a lot that can go wrong, including:

• The original URL is an HTTP link. Anyone in the path between the spammer and you can not only detect that you’ve clicked an ad, but also modifiy or completely rewrite the reply that goes back to you.

Remember that even though an HTTPS link doesn’t say much about the truth or trustworthiness of the content that comes back from a secure web server, HTTPS nevertheless makes it very much harder for other people to mess with the content you do see, whereas HTTP links provide no protection against in-transit modifications at all.

• The spammer could have chosen a poor password. Anyone who can guess or recover the password to the spammer’s internet account can modify the redirection URL at any time, and carry out a DNS hijack or a redirection hijack.

DNS hijacks are where a crook changes the signpost that points to your web server, so that some, many or all of the future requests to visit your server end up taking the wrong route and reaching the wrong destination.

Redirection hijacks are very similar, but they let the original web request get through to the usual server – with any encryption done correctly – and then trick the web server itself into farming off the request to a new site, once again with any encryption done correctly.

Worse still, crooks can turn the redirections on and off at will, thus revealing their treachery (or pushing out their malware) only occasionally and unpredictably, allowing them to stay unnoticed for longer.

• Ad spammers could end up taking you to untrustworthy or badly run ad-serving services. When a spammer is aiming to make a few cents out of other people making a couple of dollars out of you making a few tens of dollars selling an unwanted gift, there isn’t a whole lot of time for due diligence.

When an ad server is compromised and rogue ads are added into the queue, the resulting is known as malvertising, short for ‘ads that may lead to malware’.

Malvertising is a tricky problem because most ad services deliberately target their ads for every visitor, depending on who’s visiting, where they’re coming from, and which advertisers are bidding at that moment; as a result, rogue ads may show up only occasionally, and reproducing the rogue ad may be difficult or even impossible.

What to do?

• Don’t type in unsolicited links just to take a look. At best you will come out OK, and you’ll have lost nothing but time. At worst you could end up under attack from malware.
• Run an anti-virus and web filtering tool. Sophos Home is free, and protects you not only from malware downloads but also from visiting known-dodgy URLs in the first place, whether by accident or design.
• Report messages that are obviously constructed to look like something they are not. URLs in weird fonts embedded into images are there because the sender already knows they aren’t supposed to be there at all, so report this sort of thing to the provider of the service.