New variant hides ‘elaborate’ eBay fraud

Security experts have warned web users to guard against a newly intercepted mutant of the Feebs trojan that attempts to dupe eBay users with an "elaborate" fraud.

Aladdin, the security firm that identified the new variant as JS.Feebs, noted that when the malware is executed by an unwitting recipient, it displays fake loading screens that look like several popular search engines. This is followed by a false error message stating that there was no available connection. The scripts do this to mask their own activities that sometimes include disabling the system's antivirus and other security-related products as well as executing other malicious code.

JS.Feebs usually arrives by email, but it could also exist in websites that would infect visitors upon access, Aladdin warned.

The mutant initiates an "elaborate fraud" attack similar to phishing. Unlike classic phishing, no phishing email or a link to be clicked exists. Rather, the script modifies the HOSTS file found on the compromised target PC.

This file, when modified, can override the default DNS servers, thus allowing users' internet browsers to receive one address and lead to another, leading users to a spoofed site when they try to access eBay. When personal information is entered, the user will be taken to the actual eBay website, completely unaware that the sensitive information just entered was, in fact, stolen. All this time, the eBay web address appears normally, days or even weeks after the original infection took place.

Although the propagation of this new variant may be slow, its infection impact is high, according to Aladdin, as it steals personal information pertaining to regularly used sites.

"We see this new fraud attempt as an illustration of the growing presence of dangerous phishing scams," said Shimon Gruper, vice president of technologies for the Aladdin eSafe Business Unit. "Although web attacks are more difficult to measure than email-related attacks, we expect this JS.Feebs variant to have a significant impact for infected users, as their browser no longer indicates they are visiting a phishing site," he said. "Thus, users are even more likely to provide their personal data, which then lands in the wrong hands."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.