eBay and PayPal victim of DNS hijack attack
Last weekend, eBay and PayPal UK were the victims of a DNS hijack. In a DNS hijack, a visitor to a website is redirected to another location whilst surfing the web.
In the case of the eBay and PayPal hijack, it was the work of the Syrian Electronic Army, and visitors were redirected to a page that included a fruity message for the United States Government. You can find the message and many more technical details of the attack here.
A PayPal spokesperson said: “We were not hacked. For under 60 minutes, a very small subset of people visiting a few marketing web pages of PayPal France, UK and India websites were being redirected. There was no access to any consumer data whatsoever and no accounts were ever in any danger of being compromised. The situation was swiftly resolved and PayPal’s service was not affected. We take the security and privacy of our customers very seriously and are conducting a forensic investigation into this situation.”
Whilst it seems fairly harmless, it’s a worrying situation that eBay/PayPal could be a victim of this sort of attack. Indeed, as some pundits online have noted, it could have been much worse if the hijackers had a more malicious purpose in mind.
I saw eBay pages last night that certainly were not hacked by the SEA. Whilst browsing for mobiles I came across a couple of items that used item-images of women in revealing clothing. Naturally I clicked to see the full listing and within a second the page forwarded me to a fairly legit looking eBay log in page from a Russian domain; a fairly obvious phishing attempt.
This feels like the kind of hack I’d see in the 90s, others would perhaps not have chosen to look at the domain name and would have simply re-entered their log in details at which point their accounts would then be compromised.
This appeared to be a hack via code injected into the body of the listing as opposed to a more complicated DNS attack. I have no idea how eBay could have let this happen in this day and age.
The page has now been removed but I’m curious as to whether other people saw this last night.