May 22, 2014

In the wake of eBay’s disclosure that a breach may have exposed the personal data on tens of millions of users, several readers have written in to point out an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds.

The advertisement, posted on Pastebin here, promises a “full ebay user database dump with 145, 312, 663 unique records”, for sale to anyone who sends 1.453 bitcoins to a specific bitcoin wallet. The ad includes a link to a supposed “sample dump” of some 12,663 users from the Asia-Pacific region.

ebay-btcThere is a surprisingly simple method for determining the validity of these types of offers. Most Web-based businesses allow one user or customer account per email address, and eBay is no exception here. I took a random sampling of five email addresses from the 12,663 users in that file, and tried registering new accounts with them. The outcome? Success on all five.

For a sanity check on my results, I reached out to Allison Nixon, a threat researcher with Deloitte & Touche LLP (and one of the best sources I’ve met for vetting and debunking these supposed “leaks”). Nixon did the same, and came away with identical results.

“A lot of this is inference — finding out whether an account exists,” Nixon said. “A lot of the time if they generate fake leaks, they’re not doing it based on data from real accounts, because if they did then they might as well hack the real web site.”

eBay does maintain separate domains for different regions and countries, including ebay.co.uk (Great Britain), ebay.cn (China) and ebay.com.au (Australia), but testing indicates that all of these eBay sites use the same accounts database.

It’s worth noting that we saw nearly the exact same scams — an offer on Pastebin to sell a list in exchange for bitcoins — right after the LinkedIn breach last year. That offer also turned out to be fake.

Nixon posits that the main target of these fake leak scammers are probably security companies eager enough to verify the data that they might just buy it to find out. Interestingly, I did have one security company approach me today about the feasibility of purchasing the data, although I managed to talk them out of it.

“I think the target victim is a security company trying to verify,” Nixon said. “Only they would have that sort of money.”


37 thoughts on “Expert: Fake eBay Customer List is Bitcoin Bait

  1. TheOreganoRouter.onion.it

    You would be 100 percent correct with your statement that Ebay.com only allows one account per email address.

    Furthermore, Ebay will not allow that same primary email to be used as a back up password recovery address to another ebay.com account on a different email address.

    1. JCitizen

      I saw a new item in the local news about a supposedly historic first, where someone claimed they bought a house with bit coins. They were flapping their lips about all the advantages, but I must admit, I’m not good at interpreting economic technicalities, I only got a ‘C’ in macro economics, but I had a sneaking suspicion about this news report – like it was a way to get people to relax about all the bad news about Bitcoin.

      Let’s face it – value is a purely psychological thing – once you lose confidence, the value goes to zero FAST! If Bitcoin had the digital equivalence of FDIC, we’d all be much more relaxed about it. lt was only the encryption scheme that makes it a similar environment.

      1. JCitizen

        Um – I wasn’t replying to you OreganoRouter.onion.it – I don’t know what happened!

        1. Nfordhk

          You do realize that the dollar is backed by nothing? The only reason that piece of paper you have holds any value is because the government says so. The same concept could very well happen to our dollar.

      2. Romney

        Bitcoins can’t be loaned out fractionally, so that means there is no need for FDIC. You are the bank when you don’t let other entities hold your Bitcoin.
        When you allow others to hold your Bitcoin, that is when risk is introduced.

        1. Mike

          Thank you for clarifying this as I don’t know enough about bitcoin.

          However, I understand plenty about FRACTIONAL RESERVE BANKING and how it is a thieving death to us.

    2. Mike Murphy

      “You would be 100 percent correct with your statement that Ebay.com only allows one account per email address.”

      this is actually no longer the case, you can use the same email account many times now on ebay , and create “guest” accounts using the same email address multiple times. I am unclear as to when a “guest” account has to , or can choose to, become a “regular” account, but I am positive that a single email address can be reused multiple times on the ebay site, for guest checkout.

  2. reader

    “From a security standpoint, the site uses 256-bit encryption, but never actually stores a username or password on the site. Instead, that information is passed to a trusted third party, which then returns to FutureAdvisor the security token that allows the site to examine, but not modify, the user’s investment information. If a user changes his password at his or her investment site, he or she will need to change it on FutureAdvisor as well.” http://www.pcmag.com/article2/0,2817,2401801,00.asp

    Don’t store the credentials on the same site as the other product data. I don’t know how ebay works. I hope it works better than it used to.

    “Because most bitcoin addresses haven’t been publicly identified — like the FBI’s — it’s hard to say exactly makes up the new Bitcoin top 10. Meiklejohn says that they’re likely to include wallets created by up-and-coming Bitcoin exchanges or businesses. One of them is the wallet that’s thought to contain 96,000 bitcoins stolen from the Silk-Road successor, Sheep Marketplace.” http://bitcoinvista.com/2014/01/18/who-owns-the-worlds-biggest-bitcoin-wallet-the-fbi/

    How did eBay fail to notice a data breach affecting 233 million customers for three whole months? – Leo Sun – The Business
    [Search domain http://www.fool.com] fool.com
    http://www.fool.com/investing/general/2014/05/22/ebay-data-breach-the-inexcusable-impact-on-233-mil.aspx

    Good question.

  3. arahkun

    Thanks for the update on the breach Mr. Krebs, I was looking for some valid info and you come through once again. /JR

  4. TheOreganoRouter.onion.it

    “Chief among the imperfections is eBay’s meter that labels chosen passwords as “weak,” “medium,” or “strong” depending on their resistance to common cracking techniques. It showed “Stlk/v/FqSx”lireFTzidyS/m” (minus the beginning and ending quotation marks) as being weak, even though the password has 25 characters that include a mix of upper- and lower-case letters and symbols, plus it isn’t included any obvious dictionary or word list.”

    After the breach: eBay’s flawed password reset leaves much to be desired
    http://arstechnica.com/security/2014/05/after-the-breach-ebays-flawed-password-reset-leaves-much-to-be-desired/

    1. Old School

      Tips for creating a strong password. Source: http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
      Guidelines for strong passwords
      http://en.wikipedia.org/wiki/Strong_password#Guidelines_for_strong_passwords
      As for “Stlk/v/FqSx”lireFTzidyS/m” there are three cap “S”, two cap “F”, two “l”, the word “lire” (http://dictionary.reference.com/browse/lire), three “/” and no numbers.

      My security industry credentials are available here: http://www.youtube.com/watch?v=UmzsWxPLIOo

  5. wirehack7

    Oh, really cheap. But I thought it is over 1k, . As decimal.
    Also I looked at the date, the paste has been created when the hack appeared in media.

    Nice research Mr. Krebs

  6. Anonymous

    Presumably, the target market for this sort of scam are other criminals. Hard to see why anyone else, aside from perhaps a company looking to do research with Bitcoins to spare, would be interested.

    As ‘Michael’ mentioned in Brian’s last article, thus far no one has sent this address any money, https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA

    Did the LinkedIn scam from last year have any success?

    1. Michael

      I put it on the wrong article actually ahah 😉

  7. Edward

    In a perverse way these “scam the scammers” schemes might actually protect the actual data from being widely distributed. These secondary scammers could be killing the market for the real dataset.

    I saw this technique used in a different way in the case of the guy who posted a video from a dash cam in his car as it was being serviced at a Chevrolet dealership. He posted the misdeeds of the dealership on YouTube. The dealership sued the customer and they forced YouTube to delete the video. Then the dealership shot their own videos promoting their business and employes and posted them to YouTube with the same keywords as the original detrimental video. It’s now extremely difficult to locate the original dash cam video anywhere on the Internet.

  8. QHoster

    Tested, proved and working eBay accounts ah 🙂 … If there is a breach eBay better force new random passwords for everybody.

  9. David

    [eBay said: that a database containing encrypted passwords and other non-financial data was stolen…]

    Keep in mind that most ‘Personal Identifiable Data’ is ‘financially relevant’ and is part of the stepped process of engaging in Identity Theft.

    [eBay said: Despite admitting to the hack, the auction website said there was no evidence of suspicious activity on members’ accounts…]

    Keep in mind that the info obtained in a data breach is of relevance to more than one of the methods used to extort or divert a victim’s financial assets not just the initial account in question and may later involve the victims other financial accounts as the process of date-mining for the victims Identifiable Data can progress for months or years until achieving Identity Theft (and not just in movies but with real life victims).
    Also; it has been shown that cracking passwords is not that hard and quite easily as many use familiar Dates, Times, Names, Places, Pets, etc. which code-cracking algorithms are designed for. Once you get passed that, then you move on to see if the same was used on the victims other accounts and so on.

    You have a good sites Mr Krebs

  10. Barry Koron

    I would be very interested in reading what you have to report on the cyberwar between the US and China. How bad is it? How good are they?

    1. reader

      5.5 http://www.cs.nyu.edu/~waldman/publius/publius.pdf

      It’s expensive and impractical. If you pay and get nothing make sure you have a way to cancel payment.

      “Sometimes I chewed my pencil and gazed at the wall paper for hours trying to build up some gay little bubble of unstudied fun.” Confessions? Sell chewed up pencils.

  11. Expert

    While Bitcoin is a nice academic design, it is fundamentally broken in practice. Namely, at any time a party with more computing power than today’s group of miners can cause a fake blockchain continuation. There are loads of powerful groupsnwho can readily do this. The implication is that all your Bitcoins might overnight become worthless. There is nothing that can be done about this attack, by design of Bitcoin – that is why it is a fundamental flaw. It is shocking that most Bitcoin users do not understand this.

    1. Tony Coleby

      “Expert” allow an amateur to correct you. The Bitcoin hashing network is currently at 50 Petahashes and growing by over 1% per day. That is more than the world’s top 500 supercomputers combined (as of May 2013). There is not one group with power to match this let alone many.

      1. Expert

        Amateur, you are wrong. Even at 50 petahashes the network does not total more than several percent of the world’s estimated total computing power. It wouldn’t be much of a problem for parties like the NSA and other heavily-funded organizations to exceed that if they really wanted to bring down Bitcoin. There would be no recourse for anyone. At present, Bitcoin is too insignificant and at constant risk of self-imploding for such organizations to step in, but rest assured they can at any time if they want to.

        On a related note, what gives you the confidence that a majority of the current group of miners will keep acting honest or will not be compromised? There are only a handful of them that control and lease all of the current mining power.

      2. reader

        One of the complications is that we need to be able to trust the time; otherwise the opponent might manipulate the network time protocol to say that the date is now 2500AD and bring about general file deletion. Does this bring the Network Time Protocol (and thus the Global Positioning System and thus the US Department of Defense) within the security perimeter, or do we create our own secure time service? The mechanics of such a service have been discussed in other contexts, but there is as yet no really secure clock on the Internet. ”
        http://www.cl.cam.ac.uk/~rja14/eternity/node13.html#SECTION00049000000000000000

        Until we have a secure clock we aren’t going to have a secure Internet currency. We’ll be close. Time is money. They’re claiming it’s speech and what they say is even more inaccurate than the clocks. If you want to send fake currency for fake ID files go at it. It seems like a waste of time.

        1. reader

          Hackers Spend Christmas Break Launching Large Scale NTP …

          Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks accross the Internet. NTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network.
          [Search domain http://www.symantec.com] symantec.com

          SO if your network activity depends on accurate time data and what doesn’t, the data could be corrupt and out of data. IOW it is low quality metadata. The routers are out of date and insecure too. Auctions help spread out of date gear and then there are security troubles. She got me a watch chain and I got her combs. She sold her hair though. I sold my watch!

  12. AtariBaby

    “bait for the unwary”, and I might add, the irredeemable, for wanting to buy that list. At least this con is targeting would-be crooks.

  13. BillB

    Ebay Fees are Way Too HIGH!
    Should be 1-2% Max.

  14. gordon

    Brian,
    Thanks for your hard work.
    I cannot follow your logic on the “sample dump”.

    You say that when you used 5 email addresses from
    the “sample dump”, you were able to create accounts
    at ebay and that this proves the “sample dump” is bogus.

    What I cannot understand, is why would anyone create a “sample dump” with fictitious data if it is so
    easily verified?

    1. BrianKrebs Post author

      Why would someone use a database stolen from some other random hacked site and try to pass it off as a database stolen from eBay, when they stand to gain ~USD$750 from doing so for each sucker who buys it? That question kind of answers itself, IMHO.

      1. reader

        So now the dollar is going into negative status. It’ll be more trouble than it is worth and borrowing won’t make it worth more. Compromised customer information is worthless. That’s easy to secure. I’m old, I remember when the dollar was secure. Gold was cheap and people were of high value. Now? Metal is expensive and people are cheap. Ebay broke and so is the health care system. You can’t get your own medical records. You have to steal them because the racketeers running the system don’t want you to have control. More stuff’s going to close down. We won’t lose money which has already lost most of the value.

        http://www.trinity.edu/rjensen/2008Bailout_files/image002.jpg

  15. reader

    ” This is a story of treasure on a deserted island.

    The historical account of Oak Island, Nova Scotia, given here is true; that is, as true as any history of events
    covering more than 150 years. It is a disappointing story, since it has no ending or real beginning.

    Most tales of this sort are founded on an ancient map or legend which point to some part of the world as
    the hiding place of great riches. Usually the man who buried the treasure, and the date of its internment, are
    well known, but the exact location of the cache is obscure.

    Yet the reverse is true of Oak Island. The particular spot where its treasure was buried has been fixed,
    within a few yards, since the late Eighteenth Century. No scrap of concrete evidence exists to connect it with
    any person or any age, and the character of the treasure is equally uncertain. We can only depend on a
    knowledge of human nature to be sure that it is something of enormous value. No satisfactory explanation of the origin of the earthworks has ever been given. The Mahone Bay area, in
    which Oak is located, was well settled by the Acadians before 1700. We must necessarily select some date prior
    to that as the date of its burial, since the labor connected with the excavation could have been kept secret only
    when the Bay was uninhabited.”
    http://baconscipher.com/OakIsland1.html

    If you send somebody treasure they will send you all this location and other data. Save your resources. More excavation? Trying to make data mining pay? Keep a worm on your end of the line and we have lots more end of the line for you as the Wolfman used to say.

  16. Rainer

    145, 312, 663 accounts?
    That number has a far to unbalanced distribution of numbers and is in itself a bit suspicious.
    2* one
    2* three
    2* six

    Or is this number actually correct?

  17. reru

    Hi! Could you upload the fake “sample dump” in its original form? It’s been removed from Mega and I’d be interested in examining it…

Comments are closed.