Reports that eBay has been running port scans against the computers of visitors to the platform have caused alarm over potential security issues.
Port scanning is something that many people associate with cyber-attacks and penetration (‘pen’) testing. Port scanning scripts are used to determine which ports a system may be listening via, by sending packets of information to a user’s machine and varying the destination port. This can help an attacker to determine what services may be running on the system and, therefore, get an idea of the operating system a target user has.
Port scanning can also be used to counter the activities of cybercriminals by scanning for remote-control access ports to detect any criminals that may be logged into a user’s computer in order to impersonate them on various platforms/sites e.g. to make fraudulent purchases.
In the recent observations of port scanning by eBay according to US-based security researcher Charlie Belmer and recorded on his nullsweep.com blog, Mr Belmer reported that eBay appeared to be looking for VNC services being run on the host (the same thing that was reported for bank sites). The ports scanned by eBay are generally used for remote access and remote support tools e.g. Windows Remote Desktop, VNC, TeamViewer and others.
Mr Belmer has listed the 14 different ports he observed as being scanned by eBay and has concluded that the port scanning he observed being run from eBay was “clearly malicious behaviour and may fall on the wrong side of the law”.
On his blog, Mr Belmer urges anyone else who observes this port scanning behaviour to “complain to the institution performing the scans, and install extensions that attempt to block this kind of phenomenon in your browser, generally by preventing these types of scripts from loading in the first place”.
Bearing in mind that there were reports 4 years ago of cybercriminals taking over users’ computers using TeamViewer to make fraudulent purchases on eBay, it may be very likely that the port scanning observed is simply part of eBay’s efforts to fight fraud by trying to detect if a compromised computer is being used to make fraudulent purchases on its platform.
Being an auction site, eBay clearly must take measures to ensure that fraudulent purchases cannot be made and to guard against and problems similar to those experienced with TeamViewer four years ago. It is understandable, however, that a practice often associated with criminal activity and penetration testing may cause alarm among those familiar with the more technical aspects of Internet security. Although the matter has been reported by Mr Belmer on his blog, it is unclear yet what action or statements, if any, are likely to come from eBay.