The eBay breach in review

 

 

 

 

 

 

 

What has happened at eBay sounds like either a targeted phishing attack or a successful social engineering campaign against eBay employees. Based on what we are hearing from sources, it is most likely a successful social engineering attack that affected about 100 employees—eBay’s public statement mentions “a small number of employee log-in credentials were compromised.” Earlier this month, eBay’s security team started to find anomalous activities being generated that lead them to the root of the breach. After their investigation, they found that the attackers had been on their network since February. This would mean that the attackers had been on the network for about 84–98 days before detection. This is surprisingly low since the average attacker is on a network for about 229 days, according to the Mandiant’s 2014 threat report. So the fact that eBay security personnel were able to find this in such a timely manner is a credit to the team. Now once the investigation is complete and they determine root cause. It will be interesting to see what changes in technology and process take place to find this breach faster next time.

Below is a link where a sample of the data that was released, and for how much the data dump is selling.

———————–

http://pastebin.com/vmvjGw3N

A possible ebay dump has been made available for sale with a free sample of 12,663 users from the APAC region. We are currently unsure if this dump and/or the sample data is real. Current analysis of this data is being performed to check if any of our customers are shown on the list. Further investigation will be performed until the data has been validated as real or a scam.

If you cannot access pastebin for whatever reason, or the paste has been removed, here is the copied text:

=== full ebay user database dump with 145 312 663 unique records ===

to get a copy:

1) send 1.453 BTC to1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA

2) immediately email the transaction id from 1) to KbcdPfA@hushmail.com<mailto:KbcdPfA@hushmail.com>

3) link to ebay-dump-2014-03-26-145312663.csv.zip will be sent to the original email with information on a unique transaction id

=== sample dump of 12 663 users from apac region ===

NAME|PASS|EMAIL|ADDRESS|PHONE|DOB

https://mega.co.nz/#!FAwBQKpI!D4BQ6GD4qMjU5x1CyNCQiaMmSifGrFLLAl1rg7_f5yg

————————-

After analyzing the sample data, we have confirmed that the data has name, address, username, contact number, date of birth and the encrypted password. While this looks to have come from a real database, researchers that have tested the data have confirmed that the data was false as they were able to sign up for accounts with the email addresses from the data dump. If this was current data, then the account setup process would notify that the email address is already in use. This seems to be a combination of dumps, including some legitimate eBay users that have been previously released. The only way to confirm this data would be to buy the complete dump for 1.453 BTC and attempt to create accounts with each email address.

The passwords on the released dump are encrypted with a sha 256 algorithm (http://en.wikipedia.org/wiki/SHA-2). Even if you have the salt it would still take years to brute force the passwords int his database utilizing this encryption algorithm. If the database is not salted you could utilize rainbow tables (http://en.wikipedia.org/wiki/Rainbow_table) and attempt to brute force weak passwords.

This brings us to the point that having a defense-in-depth strategy for your environment is critical. What is even more critical is the monitoring of the output from the architecture that has been deployed as part of the strategy. Your defense against these type of attacks are only as good as your people, process and technology.