When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications.
Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.
After learning about this, BleepingComputer conducted a test and can confirm that eBay.com is indeed performing a local port scan of 14 different ports when visiting the site.
This scan is being conducted by a check.js script [archived] on eBay.com that attempts to connect to the following ports:
The fourteen different ports that are scanned and their associated programs and eBay reference string is listed below.
| Program | Ebay Name | Port |
|---|---|---|
| Unknown | REF | 63333 |
| VNC | VNC | 5900 |
| VNC | VNC | 5901 |
| VNC | VNC | 5902 |
| VNC | VNC | 5903 |
| Remote Desktop Protocol | RDP | 3389 |
| Aeroadmin | ARO | 5950 |
| Ammyy Admin | AMY | 5931 |
| TeamViewer | TV0 | 5939 |
| TeamViewer | TV1 | 6039 |
| TeamViewer | TV2 | 5944 |
| TeamViewer | TV2 | 6040 |
| Anyplace Control | APC | 5279 |
| AnyDesk | ANY | 7070 |
BleepingComputer has not been able to identify the targeted program on port 63333. If you recognize it, please let us know.
The script performs these scans using WebSockets to connect to 127.0.0.1, which is the local computer, on the specified port.
According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux.
Once they tested in Windows, though, the port scans occurred.
This makes sense as the programs being scanned for are all Windows remote access tools.
Likely done to detect hacked computers
We first heard about eBay's port scanning script from Jack Rhysider of DarkNetDiaries, and it was theorized that it was being done for ad delivery, fingerprinting, or fraud protection.
As the port scan is only looking for Windows remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases.
In 2016, reports were flooding in that people's computers were being taken over through TeamViewer and used to make fraudulent purchases on eBay.
As many eBay users use cookies to automatically login to the site, the attackers were able to remote control the computer and access eBay to make purchases.
It got so bad that one person created a spreadsheet to keep track of all the reported attacks. As you can see, many of them reference eBay.
The script being used for fraud detection is further confirmed by Dan Nemec's great write-up, where he traced it to a fraud detection product owned by LexisNexis called ThreatMetrix.
As part of ThreatMetrix's description, they discuss how they detect and protect sites from Remote Access Trojans (RATs).
"Malware protection helps businesses mitigate the risk by being protected from Man-In-The-Browser (MITB), Remote Access Trojan (RAT), high velocity/frequency bot attacks to low-and- slow attacks mimicking legitimate customer behavior, ransomware, key logging attempts, etc," ThreatMetrix's product page explains.
While the scanned for programs are all legitimate, some of them have been used as RATs in phishing campaigns.
Regardless of the reasons, port scans like this are still intrusive and not something that many users would want to happen when visiting a site.
When we reached out to eBay for statement we were told:
"Our customers’ privacy and data remains a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy."
Update 5/25/20 12:01 AM EST: Updated article with correct attribution.
Update 5/25/20 12:28 PM EST: Updated article with further info from Dan Nemec's blog post about the port scans.
Update 5/25/20 01:25 PM EST: Added ebay's statement.
Comments
EmanuelJacobsson - 4 years ago
All sites should do this
Mr.Tom - 4 years ago
"All sites should do this"
I don't think so. That would be very intrusive to have random people poking at your computer.
the_cyber_god - 4 years ago
Ebay is using anti-fraud mechanisms to detect back connects commonly abused by hackers. They are trying to cut down on fraud.
fadi-sheikh - 4 years ago
Didn't find check.js on MacOS
jhspyhard - 4 years ago
I am pretty sure :63333 is used as the standard local port forwarding port for an SSH tunnel. If you were to detect that port open, you could tell there is a tunnel open from that machine to somewhere else.
If I had to guess, REF probably stands for Reflection.
The postgresql docs talk about it, but this is only the first source I found talking about it, there are others. https://www.postgresql.org/docs/12/ssh-tunnels.html
Himiko - 4 years ago
Hi, in some countries port scans are illegal however you can ask the consumer/get policy accepted to run a quick port scan that can cut down open connections from 400 to 50 - in some cases. If Ebay doesn’t abuse it it can be used for their own protection so there will be no random customer machines poses a threat to the website. On that port... there can be anything including BITS.
SleepyDude - 4 years ago
This scan is very dubious and proves nothing!
Running a scan for the local machine 127.0.0.1 can show many open ports because its a local scan not from the outside, I can have RDP enabled on my machine for local Administration what is the problem of that? those ports are not open for the outside on the router and even for local connections if only certain IP's are allowed to access the local scan will show the port as open because the machine can connect to itself...
Most users connect to the internet behind a modem/router and not directly, so usually those ports must be explicit open...
cfbcfbcfb - 4 years ago
I don't remember giving ebay permission to scan my computer for its configuration, nor do I remember giving sites reason to evaluate my system for ad blockers or the position of my mouse so they can pop something up when I go to close the page.
So those sites lose their javascript privileges. If they don't work like that, I find another source.
SebiF - 4 years ago
If I were them, I would use REF as a reference whether my port scan actually works. If REF, a very unusual port, says it's open, and many other ports also seem open, I can argue that my scan doesn't work reliably on this PC for whatever reason.
Total-Khaos - 4 years ago
Why is this news? The source of this information was reported back in 2017 already...
https://forum.ultravnc.net/viewtopic.php?f=7&t=33509
JNavas - 4 years ago
Outrageous and probably illegal here in California
it's likely a violation of California Penal Code 502(c), the California Consumer Privacy Act, and the federal Computer Fraud and Abuse Act. (eBay is located here in California.)
Unless and until eBay stops such abusive behavior, I won't use eBay, and will advise others to do the same.
mti2935 - 4 years ago
This is only possible because same origin policy does not apply to websockets connections. See https://blog.securityevaluators.com/websockets-not-bound-by-cors-does-this-mean-2e7819374acc. Maybe it's time to re-think whether same-origin policy should apply to websockets.