Tom Lawrence from Lawrence Systems here, and I'm here with Xavier Johnson from Enterprise Offensive Security and Chris Bennett with Huntress Labs, and we're here to talk about eBay. Apparently they decided, without asking our permission, to start poking at our sockets. This is going to be an interesting discussion. I brought some really smart people on here to talk about this. I found the story, and a lot of us have already read it: eBay's port scanning your system when you load the web page. It's interesting, and we'll get into the technical details, but let's start with what they're looking for, which is apparently unknown, whatever 6333 is. They're looking for VNC, Remote Desktop, AeroAdmin, TeamViewer on all of its various ports, AnyPlace Control, and AnyDesk. So it sounds like they're asking for, or looking for: are these systems remotely controlled, do they have these tools installed? That's kind of interesting, that eBay wants that information, and I'm trying to figure out why. We'll start with Chris. What do you think of that?

So I think it's interesting. I mean, why are they only looking at these remote control tools, though?
There's plenty of malware that gets on people's systems and remotely controls them that doesn't use TeamViewer or VNC or RDP. Out of all the protocols and all the ports that you can look for, why this short list of like 15?

Yeah. I mean, to play devil's advocate for a second, maybe eBay is going, hey, I see these accounts and they are randomly bidding up things but not buying; someone's trying to push up prices, hiring bots to raise prices on eBay and do some bidding. But it seems kind of strange, because it feels like you could figure out that type of pattern behavior, because I can't bid or push a bid up without a registered login to eBay. So from a business perspective it seems like I could just do that by looking at the account and going, hey, there's that Tom Lawrence guy, and he's randomly bidding on things but not buying, and he seems to do it in an unusual pattern. I wonder if that computer's been pwned. But maybe that's the next step: is TeamViewer on it? Is it being remotely controlled? Is it part of a farm of them, and you're watching traffic patterns across them? I don't know. And you did some digging with Burp Suite and dove into some of the technical details, right, Xavier?

Yeah, I wanted to go dig in, of course. I was able to locate a bit of JavaScript, and here, I'll share my screen actually. Now I can see you guys. All right, awesome. So, long story short, we know the list of ports that they're going after, so I figured, all right, let's try and open up Burp Suite and play around. As you can see, if you watch my channel, we've got some of a demo that's still running here, but long story short, I wanted to get over here into WebSockets and see if I can't figure out what's happening. So when I go here to eBay and I open up my inspect element, this is what comes up. Drag it up here and make it a little bit bigger. You can see, not all the time are they scanning for all of those ports. In this instance,
they don't scan for 3306, which they're known to scan for. They're not scanning for... 3389 was missing. Yeah, 3389, that's what it was. Yeah, right there, which is Windows RDP, right? So not really sure 100% why that's the case, but as you can see, they're scanning all the way up to 63333, and I don't know, maybe somebody can tell me what that is. I went and searched that and I only got 16 results total, so I don't know what that is.

How important is that if there's only 16 of them? It must be some very specific indicator of compromise that they're trying to figure on. Seems to be in like nation-state level stuff, or like a BGP, maybe.

Well, no, maybe let's go a little step further. Like you said, it's so specific. Maybe there's some type of eBay bot tool someone wrote, and that's the command and control port for it. That would make sense, especially when we think about it: the person building this wouldn't necessarily be writing a botnet. These are all systems we orchestrated, we installed; we didn't take over someone's account. We installed this, so we have a command and control server and we keep it private; it reaches out and does the connections, or it's some type of tool that runs on localhost at that odd port.

Definitely. That's not speculation.

Now something else is weird too, because at first I saw this article and I jumped in, and I'm like, huh, it doesn't show a thing. Then I realized I'm running Linux. It's examining the browser headers and going, hey, that guy runs Linux, don't even check. So on my Linux machine it doesn't check at all. But when I open up Windows in a VM that I have, especially a clean VM, and load Chrome in it, right away it starts scanning it. So it doesn't care if you're logged in or not; it doesn't need any login information. Are you logged in right now, Xavier?
No, no, I'm not logged in at this very moment. But what I did notice is that it happens at different points which they consider to be of some type of importance. So the first time you load, it happens. When you go to log in, it happens. I'll be doing it again. Oh, yeah. So what I thought is that it's every page, and it doesn't seem like it's on every page, and it won't happen more than once on the same page. So I've had to utilize containers in Firefox to actually open up in a different container to continue to test. One of the things that I did find, though, was... we did talk about the PNG, right, me and you, Chris? But then they also had this JS file that I went ahead and grabbed, and it's really ugly. But lucky for me, I like to use DuckDuckGo. No, they don't sponsor me, but they should, because, as soon as this thing goes away, I'll show you why: if you just go here and type in "beautify JS" and you paste in that ugly blob and you punch "beautify code", it gives you this code nice and beautified. When I went ahead and did that (and I'm going to take the advice of someone who was on my stream yesterday and make my screen bigger), we see, yes, important: we see that they're doing something where they're looking at window size. They're looking into local storage of some sort. They're looking for particular things that they've put in local storage, or putting things into local storage. And as I scroll down again, this potentially is pushing something into local storage, some type of encoding. We know that this is probably little-endian escaped hex stuff. So we keep going down, we've got generation of keys, and of course this is pseudocode; I don't know exactly what's happening, I can't read the function names entirely. But one of the things that I know for a fact, that we all know when we see it... no, I'm going to scroll down here, work with me.
It's a pretty long file, and when you see it, you'll know it; if you're a developer like me, you will at least. It's in here, I'm sure it is. There it is. Oh, Arial, Arial Black. Fonts. It's looking for fonts. Headless browsers, I don't think, have this kind of stuff loaded.

Yeah, because they don't need to; they don't actually have to draw a screen. So I think that this is maybe a combination of all the things that we're kind of speculating, which is: is it heuristics for anti-fraud? Is it heuristics for anti-botting? Is it user tracking? Is it them collecting more data that they may sell to other people? Maybe this is a part of their special sauce where they could predict the kinds of sales that they're going to get based on the kinds of traffic that they see. Because, I mean, they're not... there's nightbots still work. I'll be honest. We see nightbots. They work.

Yeah. Right, I shouldn't be punished for running, you know, RDP. I shouldn't. No.

That definitely looks like host fingerprinting, though.
Yes. A lot of that stuff that they were doing, especially trying to figure out what fonts you have loaded and all that. I wonder if trying to determine these ports is something separate, or if they're also something in there with their host fingerprinting identification type stuff, which explains, or maybe it doesn't explain, but it may hint at why you had to keep reopening the site in different containers, because it may have already decided, oh, this fingerprint matches, I don't need to rescan, right? Like, I've already scanned this host or something.

It's a really interesting way to do host fingerprinting too, because if you're listening to the responses on those sockets, they usually give back some type of response, and that response would be very unique to your computer. So that's a beacon.

Yeah, well, think about how clearly identifiable... let's say I have RDP running, bound to localhost. The header information my computer is going to return on that WebSocket call could be nailed as "that's Tom", right? There's that security string, because RDP, if I'm not thinking about default, just uses a self-signed cert that is signed by the Windows system. You can't get much more unique than that, and going, that's Tom, every time he hits a site. We have nailed and identified him. That's it. Boy, wouldn't that be an interesting trend, right?

But then my question becomes, how are they using this data? Are they storing it properly? Do they sell it? Because this is still data that we know that they're collecting. We have proof that they're at least putting something into my browser, taking something from my browser, looking at my browser, making a determination, setting a flag into a database somewhere. What if I was European? What if I want that out of the database? Is this even known into the pool? This is no longer a cookie.
That's how they used to fingerprint people. There are some interesting other potential security aspects with this, not necessarily with these but with this technique in general. I think it was like six months ago, eight months ago, a bunch of people were really up in arms that Zoom on Macs had a local client that would listen on a specific port, and the way that Zoom, when you'd go to Zoom on your Mac, would trigger the desktop application to open up is it would actually connect to that port and send it commands. And people realized this and they were like, oh my gosh, you can execute stuff, you can just turn it on. Yeah, you can turn it on for anybody, right, even if they didn't have a Zoom account anymore. So there's stuff beyond just, oh, is this port on localhost open. I don't know what they're doing with the data. It is interesting. I'm sure they're going to claim it's for fraud and we're just trying to gather a bunch of stuff.

Yeah, their PR team is busy writing right now.
I'm sure. It's interesting too because of the pivot ability: you'd have to be able to scan other ports on your network. For example, this is looking at localhost and things bound to your computer, but almost every default consumer router is 192.168.1.1, admin/admin, or in Netgear's case, forever, it was admin with no password as the login. So then you just take a little JavaScript, you go ahead and execute it, you change the DNS, and you start... It's a scary thing to have WebSockets so wide open. I mean, they're powerful and great from a developer standpoint; they're scary from the standpoint of security. And I think something that you'd brought up, Chris, earlier was, what if you're someone who's a developer and you have MySQL tied to this, because you have some pseudo-production data that you dumped in to do some application testing, and accidentally this scanning discovered it? And you weren't thinking, well, it's only bound to my local computer, so I didn't bother putting a password on my MySQL. I didn't bother locking it down. I'm just doing development right here on my computer. So, wow, it opens up an entire new problem.

Yeah, it's super common. I mean, even right now, since I do a lot of web development, I've got a Rails server listening locally on port 3000, and they could just connect to that, potentially start pulling the pages, seeing what's there. And like I was saying earlier, a lot of developers don't want to hassle with authentication and two-factor and all that kind of stuff when they're developing. So in a lot of cases the application will just go, oh, if it is a local development environment, bypass authentication, right? So then the question really becomes, what IP can they steal by harvesting those pages? What potential customer data is in there because you have a production database dump, or any of that kind of stuff?
That really starts to... you really have to consider, what have I opened myself up to just by browsing to a website?

I think the big-picture solution is, Firefox and Chrome alike, as much as we love all the WebRTC and everything, the thing that's going to have to be done is... I mean, they're willing to ask us all day if we want to accept cookies. They're willing to ask us all day if we're willing to accept notifications, which I think are a horrible idea, that little stupid "Hey, this is a site, we'd like to send you a million notifications" popping up. No. But the same question should be asked before WebRTC, like, hey, before something connects locally to a socket here. But of course, I don't know what all that would break, because so many applications kind of work in a similar manner like that to give it that, I'm going to say, almost desktop application feel that you get from some really advanced browser applications. It's so nice seeing how nice things work in a browser, but it also becomes the new scary, you know what I mean? I mean, I just did this. I just ran a speed test, and guess what? Speed tests use WebSockets to do their speed test, and they're throwing huge blobs over, and I'm like, huh, okay, right? But they're not doing anything extremely fingerprinty, like going to a whole bunch of different ports. They're doing it all on just port 8080, but still, they're putting a bunch of traffic; they're reflecting traffic from elsewhere into my machine over my, you know, my life.

Yeah, well, it's interesting, because the line is now blurred between a desktop application and just a website I visit, right? Like, I don't install shady stuff that comes from shady places, right?
Because I don't want that running on my local computer, being able to touch my files, being able to touch other stuff on my network. But now, because similar types of behaviors are possible through just me clicking a link and sites... I mean, obviously they still can't get to my files and stuff, but they can potentially reach out and touch stuff in my LAN. That line is blurred now. Do I really have to start considering, oh, I don't know if I can visit that website?

Yeah, or running something like uBlock Origin and blocking any website requests. That's an advanced feature, I believe, you can turn on. I don't think that's a default feature. Am I correct? I don't use uBlock Origin right now. I am actually vulnerable to this type of fingerprinting, for sure. It sucks. I use Firefox, that's about as far as I can go. I use AdBlock Plus, but in reality, I'm not running away from any three-letter agency, so beyond blocking a few trackers, I'm fairly open to these advanced fingerprinting kind of things, and I'd like to not be. So I've been looking into this, and it looks like right now you can block it with uBlock Origin with a rule.
That's just "*$websocket". Oh, I have no idea how it works, because I don't run it, but I need to. Apparently, if you want to make some exceptions, like for speed test, you have to figure that out, because apparently speed test will stop working if you block it. I think my favorite part is, when I searched this, there's an entire write-up because of Pornhub's bypassing ad blockers by using WebSockets to push ads. I like that that was the first article that came up. So companies have already figured out that this is a way to get ads pushed around. The articles are from a couple of years ago, so I don't know if they're still doing it. Probably a way to stuff cookies and all types of stuff. WebSockets are super cool, and they enable so much really great stuff, like real-time abilities. Can we do ransomware over it? Soon, right? Like, is this the next drive-by download, where it's just drive-by command and control, basically? Something happens where I'm hitting the debug port on your localhost from a piece of JavaScript.

You're not far from it, because if you look at this from a flaw, some of the flaws that have been... the flaw in RDP. So if they exploited it via that flaw in RDP, which they can push, the... well, ping of death. They can get the crash. If you have RDP turned on, they have WebSockets; they push that flawed command. I mean, you did it properly by not exposing RDP to the direct internet, but technically now you have to expose it through WebSockets, and if it answers, and it was just a crap, well-crafted string, when they did that, that caused RDP to crash, which later turned into the compromise that was later fixed, kind of. The question becomes, what does it take to get WebSockets to actually be fired off on a web page?
It's a piece of JavaScript, from what I can tell.

Yeah, yeah, it's real. A stored cross-site script becomes not only potentially cookie stealing or phishing for user credentials, but now also potentially actually compromising services that are running in your business enterprise that have the ability to cough up those nice hashes and tokens that we can spread all over the network: log into a place as local admin, log into a place that has domain admin, continue to replay these hashes, and next thing you know, because you just went to a website, you didn't click anything, you got ransomed. Kind of what I'm saying, right? Like, tinfoil here, tinfoil, but somebody somewhere can do it.

Yeah, maybe. So I think, to wrap it up, the conclusion here is, if we err and say eBay's doing something nice, they're just trying to keep me from overpaying for something I want to buy.

Well, that's what the PR is certainly going to spin it as. I don't think eBay specifically is a nefarious actor in this; they're just trying to probably do some fingerprinting for their own reasons. Maybe, worst case, selling some data, possibly. I looked up some stats on eBay: something like two billion transactions a day overall, and users, some incredible number. So they have user data like none other. So there are probably easier ways to get this kind of data, right? Like, there's probably other... I'm interested to see what the marketplace looks like for this type of need. The active dropping of it when running Linux was a weird twist. Like, they just said, yeah, you're running Linux, there's so few of you.
We don't care.

So yeah, we'll keep an eye on it, see if eBay has some PR release about it. But I really appreciate you guys joining me and helping break this down a little bit, for sure. We're not going to solve the mystery, but at least we can raise some awareness of it. When more information comes out, we'll get back together and talk about it. Like, is that what they say? Because this is trending; I think this is still trending on Twitter. eBay is getting a lot of questions and not saying anything.

Here's the other side of it: did eBay discover it? One of the news dropped, Magecart 2.0.

See, but they would have a responsibility to get rid of it.

Yeah, I would hope that by now. This would be egregious. This would definitely be the biggest class action ever.

Oh, I don't know. Equifax.

Yeah, I'm pretty sure that hole was gaping for quite the time, even after. So yeah, there's still a lot of speculation. Maybe we'll see if there's some more news to break on this. We'll keep an eye on it, if we can find out something more. But, hey, like I said, thanks for joining me, guys. It's much appreciated.

Thanks. Of course.
Thank you. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.