At the end of May 2020, information security experts and journalists at Bleeping Computer discovered that ebay.com was scanning local ports of visitors in search of applications for remote support and remote access. Many of these ports were associated with tools such as Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and so on.
As it turned out, the auction site was using the ThreatMetrix script, created by LexisNexis and used to detect fraudsters. Although eBay is essentially looking for well-known, legitimate remote access and administration programs, some of them have in the past been used as RATs in phishing campaigns.
Scanning is done using WebSockets to connect to 127.0.0.1. All 14 scanned ports and their associated programs are listed in the table below. Journalists at Bleeping Computer could not identify the program on port 63333; based on its identifier "REF", they assume it is a control port used for testing.
| Program | Identifier | Port |
|---|---|---|
| Remote Desktop Protocol | Rdp | 3389 |
Further study of the problem showed that the sites of such large companies as Citibank, TD Bank, Ameriprise, Chick-fil-A, Lendup, BeachBody, Equifax IQ connect, TIAA-CREF, Sky, GumTree and WePay demonstrate similar behavior.
Although the scanning is done for legitimate reasons, many rightfully considered such behavior too intrusive and a violation of privacy. One proposed countermeasure, in particular, was to block the script with the uBlock Origin blocker.
Now Bleeping Computer reports that an expert at MindedSecurity has created the Behave! browser extension, which warns users about such activity. The tool is already available for Chrome and Firefox, and the developer plans to release versions for Edge and Safari.
Stefano Di Paola, head of MindedSecurity and the extension's developer, says Behave! was born as a conceptual experiment to identify various abuses by web pages. The developer promises that if users show interest in his brainchild, it will continue to grow and develop, and could ultimately turn into a full-fledged project aimed at raising awareness.
"For example, local port scans, cross-protocol attacks, DNS rebinding are all very old attacks that are still possible, and it's very difficult for browser vendors to fix them because they abuse the basic functions of the web ecosystem," says Stefano Di Paola.
Currently Behave! monitors scripts that try to access the IP addresses of the following blocks:
- IPv4 Loopback Addresses 127.0.0.1/8
- IPv6 Loopback Addresses ::1/128
- Private IPv4 Networks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Unique local IPv6 addresses fc00::/7
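The core of the check described above is deciding whether the host a page script connects to falls inside one of the listed address blocks. The following is an added example written for this article, not code from the Behave! extension: it parses IPv4 and IPv6 literals (including bracketed hosts as they appear in WebSocket URLs), tests them against the four blocks the article lists, and runs the check over a constructed list of connection attempts. The function names, block labels and sample URLs are assumptions; the blocks themselves are the ones quoted above, with the IPv4 loopback range written in its network form 127.0.0.0/8.

```javascript
// Added example: classify connection targets against the address blocks the
// article says Behave! monitors. Not the extension's own code; names and
// sample data below are constructed for illustration.

// Parse a dotted-quad IPv4 literal into a 32-bit unsigned integer, or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Parse an IPv6 literal (optionally in [brackets]) into eight 16-bit groups, or null.
// Only the hex form is handled; IPv4-embedded forms such as ::ffff:a.b.c.d are rejected.
function parseIPv6(host) {
  const s = host.replace(/^\[|\]$/g, '');
  if (!/^[0-9a-fA-F:]+$/.test(s)) return null;
  const parts = s.split('::');
  if (parts.length > 2) return null;               // at most one "::"
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;    // groups elided by "::"
  if (parts.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(parts.length === 2 ? missing : 0).fill('0'), ...tail];
  if (groups.some((g) => g.length === 0 || g.length > 4)) return null;
  return groups.map((g) => parseInt(g, 16));
}

// CIDR membership for an IPv4 integer against a base address and prefix length.
function inCidr4(addr, base, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// CIDR membership for IPv6 groups: compare prefix bits group by group.
function inCidr6(groups, base, prefix) {
  const baseGroups = parseIPv6(base);
  for (let i = 0; i < 8; i++) {
    const bits = Math.min(16, Math.max(0, prefix - 16 * i));
    if (bits === 0) return true;                    // prefix exhausted, all compared so far matched
    const mask = (0xffff << (16 - bits)) & 0xffff;
    if ((groups[i] & mask) !== (baseGroups[i] & mask)) return false;
  }
  return true;
}

// The blocks listed in the article (labels are this example's own).
const WATCHED_BLOCKS = [
  { name: 'IPv4 loopback',           cidr: '127.0.0.0/8' },
  { name: 'IPv6 loopback',           cidr: '::1/128' },
  { name: 'private IPv4 (RFC 1918)', cidr: '10.0.0.0/8' },
  { name: 'private IPv4 (RFC 1918)', cidr: '172.16.0.0/12' },
  { name: 'private IPv4 (RFC 1918)', cidr: '192.168.0.0/16' },
  { name: 'unique local IPv6',       cidr: 'fc00::/7' },
];

// Return the watched block a host literal belongs to, or null. Plain hostnames
// return null: what they resolve to is exactly what DNS rebinding manipulates,
// so a literal-only check is necessarily incomplete there.
function classifyHost(host) {
  const v4 = parseIPv4(host);
  const v6 = parseIPv6(host);
  for (const { name, cidr } of WATCHED_BLOCKS) {
    const [base, prefixStr] = cidr.split('/');
    const prefix = Number(prefixStr);
    if (v4 !== null && parseIPv4(base) !== null && inCidr4(v4, base, prefix)) return name;
    if (v6 !== null && parseIPv6(base) !== null && inCidr6(v6, base, prefix)) return name;
  }
  return null;
}

// Classify a WebSocket/HTTP URL as a browser would see it. The standard URL API
// canonicalises the host first, so shorthand like ws://127.1/ becomes 127.0.0.1.
function classifyUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  return classifyHost(url.hostname);                // IPv6 hostnames keep their brackets
}

// Constructed sample of connection attempts a page-script monitor might observe.
const SAMPLE_ATTEMPTS = [
  { page: 'https://shop.example/', target: 'ws://127.0.0.1:3389/' },
  { page: 'https://shop.example/', target: 'ws://127.0.0.1:5900/' },
  { page: 'https://shop.example/', target: 'wss://cdn.example/socket' },
  { page: 'https://shop.example/', target: 'ws://[::1]:5938/' },
  { page: 'https://shop.example/', target: 'ws://192.168.1.10:8080/' },
];

// Keep only the attempts aimed at a watched block, annotated with the block name.
function flagAttempts(attempts) {
  return attempts
    .map((a) => ({ ...a, block: classifyUrl(a.target) }))
    .filter((a) => a.block !== null);
}

console.table(flagAttempts(SAMPLE_ATTEMPTS));      // 4 of the 5 constructed attempts are flagged
```

Canonicalising through the URL parser before matching matters in practice: a check that compares raw strings against "127.0.0.1" misses shorthand and alternate encodings of the same address, while the parsed `hostname` does not.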
When suspicious activity is detected, the extension icon shows a red indicator; clicking it displays the activity the site performed. The extension can also show browser notifications when it detects violations.
It should be noted that the extension currently has a small bug that can cause false positives and spurious warnings about DNS rebinding. Di Paola says he has already fixed the error and is waiting for Google to approve the new version.
In the near future, the MindedSecurity expert plans to add whitelists of web pages and hostnames that are allowed to make local connections, as well as the ability to detect code that performs suspicious actions.