When users visit eBay's website from a Windows PC, the site runs a script that performs a local port scan of the device to detect if any remote support or remote access applications are running.
As reported by BleepingComputer (opens in new tab), many of the ports scanned by the online auction site are used for remote access and remote support tools including Windows Remote Desktop, VNC, TeamViewer and more. Upon further testing, the news outlet discovered that eBay is performing a local port scan of 14 different point when users visit its site.
The scan is conducted by a check.js script on the website that attempts WebSocket connections to a number of ports such as 3389 (Microsoft remote desktop, 5931 (Ammy Admin remote desktop), 6333 (VNC remote connection 7070 (real Audio and Apple QuickTime streaming) and more.
- eBay waives fees for new business sellers
- Google Pay users could be left out of pocket by PayPal fraud bug
- 30 million payment cards listed on fraud marketplace
Oddly enough, the port scans do not occur when a user running Linux visits eBay's website, though the programs being scanned for are all Windows remote access tools.
As it turns out, eBay is conducting port scans of Windows PCs in order to detect if a compromised computer is being used to make fraudulent purchases on the site.
In a blog post (opens in new tab), Dan Nemec explained how he discovered that the script being used for fraud detection is actually from a product called ThreatMetrix which is owned by LexisNexis. While the programs eBay scans for when users visit its site are all legitimate, some of them have previously been used as RATs in phishing campaigns.
Fighting fraud is very important for eBay but at the same time, port scanning is still intrusive for its users. TechRadar Pro reached out to the company for a statement regarding the matter but we did not hear back at the time of writing.
- Also check out our complete list of the best VPN services
Via BleepingComputer (opens in new tab)