Mysterious 'Vladuz' again hacks eBay employee servers

A hacker has once again managed to pilfer eBay credentials that allow him to masquerade as an official company representative even as he taunts eBay officials on the company's message boards. It's at least the second time the person going by the name Vladuz has pulled off the prank, which is causing many users to question the adequacy of eBay security.

The hacker, said to be living in Romania, claims to have acquired the ability to penetrate the company's perimeter at will. Combined with a rash of hacked accounts, the assertion has created a small but vocal group of users who believe eBay is covering up a massive back door in its defenses.

…
Just two days ago, eBay officials said they had quashed Vladuz's access to employee parts of the network, a claim the spokesman says now appears to be incorrect.
…

Full news story here:
http://www.theregister.co.uk/2007/02/23/vladuz_strikes_again/

HE'S BAAACK!

http://www.auctionbytes.com/cab/abn/y07/m02/i23/s01

"A person eBay called a "known Romanian fraudster going by the handle Vladuz" appeared again on discussion boards on eBay's German site. This time, he created or possibly renamed an eBay customer service representative's User ID and posted under the name "vladuzsgi."

AuctionBytes first reported on an incident involving Vladuz on Thursday (http://www.auctionbytes.com/cab/abn/y07/m02/i22/s03) after eBay acknowledged that someone had gained access to a handful of customer service representatives' email accounts, without having accessed any customer data.

On Thursday, Vladuz was back on the eBay Germany boards. After eBay deleted his posts, vladuzsgi came back and wrote, "I hope eBay won't sue me for waking up their staff" before the entire thread was removed.

eBay spokesperson Hani Durzy said he did not intentionally mislead reporters when he said on Wednesday that eBay had successfully prevented Vladuz from continuing to access the handful of customer service email addresses, but said that was true to the best of eBay's knowledge at the time. "He's very good," Durzy said of Vladuz, "and apparently brazen." Durzy said to the best of eBay's knowledge, Vladuz has only had access to a handful of customer service representative accounts. He said there is no evidence that Vladuz has ever had access to customer databases. "

Full Story:

http://www.auctionbytes.com/cab/abn/y07/m02/i23/s01


OP's note: AHAHAHAHA, um, ya think he's good? Hmmm... DUH!

Quote: › no evidence that Vladuz has ever had access to customer databases. "

What a bunch of BS that line is.

If anyone followed the T&S thread about all the hacked listings over the weekend and into this week, a whole lot of them were "signed" with his name in very small characters at the bottom of the added part of the listing. Usually it was his name backwards - Zudalv.

I don't think he was actually trying to rip off buyers as much as he is trying to "show-up" eBay's lack of proper security. He made the hacked listings too easy to spot and too obviously a hack to be a good "scam" attempt.

Carol

Here's what worries me about this situation...

I don't think vladuz really cares so much about whether he/she makes any money from ebay auctions BUT that doesn't mean he/she won't sell the hack to as many other wannabe scammers as he/she hears from. I think vladuz wants to get ebaY scared *and* get respect and money from fellow scammers or black hat hackers.

I fear for people who have signed up for ebaY and PayPal and still have their credit card info and or bank account info on file. They're vulnerable to anybody who either gives vladuz money for the hack or figures it out on their own. Potentially that's a HUGE number of people worldwide. This is the mother of all online shopping trainwrecks waiting to happen.

I have *called* everyone I know over the last 2 days (when I first heard about this story) from current sellers down to people who bought something on ebaY once or twice but haven't been there in ages much less done any transactions. I have warned them to watch their account activity (ebaY emails, PayPal emails, credit card and bank statements like hawks).

Several of them who are mostly buyers asked me if I thought they should close their PayPal accounts. I replied that I didn't think that would be a bad idea, especially if they have any significant amount of credit available to them or significant sums of money in the attached checking/savings accounts. I suggested that for those sellers who are going to be dumb enough to insist on payment by PayPal only that my friends who are buyers only go to the mall/grocery store/bank, get one of those preloaded credit cards and use only that with their PayPal account. This is what I do and as a potential victim, the fraudsters can only make off with the balance of my preloaded credit card (which right now is less than $5)

But I don't have any advice for sellers since PayPal makes them have a bank account...any of you have any ideas on how you could protect yourselves???

Maybe in protest we all ought to dump our PayPal accounts? I just don't know what will get ebaY motivated short of legal action, civil and or criminal.

vdovault - welcome to PSU!!!

I also agree that there is much great risk here than ebaY is sharing. If a hacker has gained access to CS accounts (employee), then obviously he has access to customer accounts....what moron would believe the 2 to be segregated, therefore disallowing the employee(s) to actually support the customers....oh yeah - the CS there doesn't really answer our questions - duh....

In seriousness tho - when I've had issues with either PP or ebaY, whomever I've reached has immediately been able to gain access to my account - even when I could not.

There's much more to this story - no doubt. The questions is will it ever come out?

2BOYSandTOYS wrote (View Post): › There's much more to this story - no doubt. The questions is will it ever come out?

It will if a lot of us who have been working our tails off to get this out there have anything to do with it, my friend... This is a big one... If the major media doesn't pick up on this, eBay is paying off the world, hahaha...

ebaY needs to hire 'external' specialists to examine and prepare a statement IMO. All the efforts of the 'general public' and sellers won't do the same for the 'public' as a legit. company that specializes in fixing gaping security holes. I know - worked for one ---- and if ebaY truly desires to try and 'exploit' Paypal as a true financial institution, they'll have to do this - sooner would be better than later....

Go get 'em girl, go get 'em!!

Is it just my sheltered life or is this not hitting the media other than a few little web news sites?
It would seem to me, if this was making big news, stock prices should drop like a rock? Instead it has just hit $40.00 a share!

I have submitted the article link to Drudge Report. We'll see what they do with it.

There's a few articles here that could do with some 'diggs':

http://digg.com/security/Hacker_Vladuz_Posts_as_Pink_on_ebay_Trust_Safety_Forum
http://digg.com/tech_news/Mysterious_Vladuz_again_hacks_eBay_employee_servers_2
http://digg.com/security/The_eBay_Hacker_Vladuz_Appears_Again

The Good News: Slashdot.org is now discussing this

http://it.slashdot.org/it/07/02/23/2113238.shtml

The Bad News: ebaY is siccing it's legal department on non ebaY sites discussing vladuz

http://www.auctionguild.com/generic150.html

The Better News: I am getting the word out to all my PayPal and ebaY using friends urging them to cancel their accounts. No accounts = no more money for ebaY.

I am also looking into contacting the Electronic Frontier Foundation eff.org to discuss ebaY's attempts to gag worldwide discussion of their security hole (when what they should be doing is fixing it already d*mnit!)

Sort of related to this ebaY has been hacked discussion (I can't tell from the video whether this is also vladuz's handiwork)

http://www.news.iwantcollectibles.com/ebay-hackers.shtml