At the end of May 2020, security researchers and journalists at Bleeping Computer discovered that ebay.com was scanning visitors' local ports for remote-support and remote-access applications. Many of these ports are associated with tools such as Windows Remote Desktop, VNC, TeamViewer, Ammyy Admin and others. eBay performs the scan with a script named check.js (an archival copy is available).
Security researcher Dan Nemec dedicated a long post to this strange eBay activity, in which he examined in detail what is happening. Nemec managed to trace the script used by the auction site to the ThreatMetrix product, created by LexisNexis and used to detect fraudsters. Although the eBay scanner essentially looks for well-known and legitimate remote-access and administration programs, some of them have in the past been used as RATs in phishing campaigns.
In other words, the scan is evidently carried out to detect compromised computers used for fraud on eBay. For example, back in 2016, cybercriminals used TeamViewer to hijack other people's computers, empty their PayPal accounts, and order goods from eBay and Amazon.
The scanning is done with WebSockets that connect to 127.0.0.1. All 14 scanned ports and the programs associated with them are listed in the table below. The Bleeping Computer journalists were never able to identify the program behind port 63333; based on its identifier, "REF", they assume it is a control port used for testing.
| Program | Identifier | Port |
|---|---|---|
| Remote Desktop Protocol | Rdp | 3389 |
To find out what other sites use this script, Bleeping Computer turned to the security specialists at DomainTools for help.
When sites use ThreatMetrix security scripts, they load them from a per-customer host on online-metrix.net. For example, eBay loads the ThreatMetrix script from src.ebay-us.com, which is a DNS CNAME for h-ebay.online-metrix.net.
With DomainTools' help, a list of 387 such unique hosts on online-metrix.net was published. Using this list, the reporters visited the sites of many large companies and checked whether they were scanning their visitors' computers.
Although none of the sites on the list approach eBay in size, many of them belong to well-known brands. In particular, scripts on the sites of Citibank, TD Bank, Ameriprise, Chick-fil-A, Lendup, BeachBody, Equifax IQ Connect, TIAA-CREF, Sky, GumTree and WePay turned out to scan users' computers.
Interestingly, the port scans were triggered differently depending on the site. Citibank, Ameriprise and TIAA-CREF scan computers as soon as a visitor opens the site's main page, whereas TD Bank, Chick-fil-A, Lendup, Equifax IQ Connect, Sky, GumTree and WePay only scan the ports of visitors who try to log in. BeachBody.com, in turn, scans ports only at checkout.
The list of domains also identified other well-known companies that use the ThreatMetrix script: Netflix, Target, Walmart, ESPN, Lloyds Bank, HSN, Telecharge, Ticketmaster, TripAdvisor, PaySafeCard and probably even Microsoft. The researchers were not able to trigger the port-scanning feature on these sites, but it may be used on pages the researchers simply did not reach.
Representatives of LexisNexis, which reporters asked for comment, have not yet responded to requests from the publication.
Bleeping Computer notes that users who consider the port scans too intrusive and a risk to their privacy can block the script with the uBlock Origin ad blocker in Firefox.
Unfortunately, in further tests uBlock was unable to block the port scanning in the new Microsoft Edge and Google Chrome, because in those browsers the extension lacks the permissions needed to resolve DNS CNAME records. The journalists also checked the Brave browser, which also allowed the port scan to proceed.
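Where the script itself cannot be blocked by CNAME, a user script or extension content script can instead guard the page's WebSocket constructor, which is how the scan described above reaches 127.0.0.1. The following is an added example, not code from the article, from ThreatMetrix or from eBay; it assumes it is installed on the page's global object before the scanning script runs, and is written so it also runs under Node against a mock WebSocket.

```javascript
// Added example: wrap WebSocket so that connection attempts to loopback
// addresses are recorded and refused before they reach the real constructor.

// True if a WebSocket URL targets the local machine (127.0.0.0/8, ::1, localhost).
function isLoopbackTarget(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return false; // malformed URL: let the real constructor raise its own error
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return false;
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  return (
    host === "localhost" ||
    host.endsWith(".localhost") ||
    host === "::1" ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)
  );
}

// Port the URL addresses, applying the RFC 6455 defaults when it names none.
function targetPort(url) {
  const u = new URL(url);
  if (u.port) return Number(u.port);
  return u.protocol === "wss:" ? 443 : 80;
}

// Replace scope.WebSocket (scope is `window` in a browser) with a guard.
// Loopback attempts are appended to the returned list and refused with an
// error; every other connection is passed through to the real constructor.
function installLoopbackGuard(scope) {
  const RealWebSocket = scope.WebSocket;
  const attempts = [];
  function GuardedWebSocket(url, protocols) {
    const target = String(url);
    if (isLoopbackTarget(target)) {
      const page = scope.location ? String(scope.location.href) : "";
      attempts.push({ url: target, port: targetPort(target), page: page });
      throw new Error("blocked WebSocket to loopback port " + targetPort(target));
    }
    return new RealWebSocket(url, protocols);
  }
  GuardedWebSocket.prototype = RealWebSocket.prototype;
  // keep the readyState constants a page may read off the constructor
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    if (k in RealWebSocket) GuardedWebSocket[k] = RealWebSocket[k];
  }
  scope.WebSocket = GuardedWebSocket;
  return attempts;
}
```

This only catches probes that go through the page's WebSocket constructor and must be installed before check.js runs, so it complements blocking the script rather than replacing it.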