eBay port scans visitors' computers for remote access programs

eBay port scans visitors’ computers for remote access programs

When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications.

Many of these ports are related to remote access/remote support tools such as the Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.

After learning about this, BleepingComputer conducted a test and can confirm that eBay.com is indeed performing a local port scan of 14 different ports when visiting the site.

eBay.com script performing a port scan

This scan is being conducted by a check.js script [archived] on eBay.com that attempts to connect to the following ports:

Ports being scanned
Ports being scanned

The fourteen different ports that are scanned and their associated programs and eBay reference string is listed below.

Program Ebay Name Port
Unknown REF 63333
VNC VNC 5900
VNC VNC 5901
VNC VNC 5902
VNC VNC 5903
Remote Desktop Protocol 3389
Aeroadmin ARO 5950
Ammyy Admin AMY 5931
TeamViewer TV0 5939
TeamViewer TV1 6039
TeamViewer TV2 5944
TeamViewer TV2 6040
Anyplace Control APC 5279
AnyDesk ANY 7070

BleepingComputer has not been able to identify the targeted program on port 63333. If you recognize it, please let us know.

The script performs these scans using WebSockets to connect to 127.0.0.1, which is the local computer, on the specified port.

Script to use websockets to perform local port scans
Script to use websockets to perform local port scans

According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux.

Once they tested in Windows, though, the port scans occurred.

This makes sense as the programs being scanned for are all Windows remote access tools.

 

Likely done to detect hacked computers

As the port scan is only looking for remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.

In 2016, reports were flooding in that people’s computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.

As many eBay users use cookies to automatically login to the site, the attackers were able to remote control the computer and access eBay to make purchases.

It got so bad that one person created a spreadsheet to keep track of all the reported attacks. As you can see, many of them reference eBay.

These port scans are still intrusive and not something that many users would want to happen when visiting a site.

BleepingComputer has contacted eBay about this port scan but has not heard back at this time.

Source: https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

Leave a Reply