
EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

As of 6/17/2017, 1:45 PM EST, every time I log in using the Ebay signin screen, my Norton AntiVirus software gives me a message it is blocking/removing a javascript file, rriframe.flat.min[1].js. This file is labeled a Trojan.Gen.NPE.2 by Norton. I have tried clearing my cache, cookies, etc, to no avail. I did call Ebay, but they have not heard of any problems other than mine. Does anyone have any information or advice? Thanks. Phil.

Message 1 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

AN UPDATE AS OF 8:31 PM:

After research I finally downloaded Chrome and used Chrome for my Ebay sign in. No problems, at least not yet. The browser I was using was Edge, from Microsoft, Windows 10. Does this make sense? Has anyone else experienced anything like this? I would appreciate any insights. Phil.

Message 2 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

Sounds like a new variant of what was happening recently with what I BELIEVE were false positive detections by AVG and Avast due to eBay's use of heavily obfuscated anti-bot signin scripts that trigger the false detects. This time it's rriframe.flat.min.js triggering the detect instead of rrbundle.flat.min.js (both are present and HEAVILY obfuscated, which is something AV suites trigger on as suspicious behavior).

 

Read my posts in this thread: https://community.ebay.com/t5/Selling/Are-AVG-Users-getting-notice-of-REDIRECTOR-BKG-Trojan-Virus-Fr...

 

Did your Norton AV update virus definitions or program files overnight just before the problem started?

If so, that can indicate one of two things: Norton discovered something in the wild and is flagging on it, or Norton changed something in the heuristics/definitions that causes the false detect of non-specific threats.

 

I believe the latter is more likely. It happens all the time.

 

Here is the text of another post of mine from the PS forum:

in reply to xxxxxxxxx 06-06-2018 03:55:12 PM
berserkerplanet
Observation: in all the threads on the boards recently about this issue where the poster
provides any details, it is only AVG and Avast doing this - and both have a long history
of false positives.

Haven't seen anything about any of the 100+ other virus/malware suites* detecting that
or anything on eBay.

*Windows Defender, McAfee, Symantec, Sophos, Kaspersky, ESET, Avira, BitDefender,
F-Secure, Comodo, F-Prot,... or in browser site blacklisting in Firefox and others
(via Google Safebrowsing?)

VirusTotal.com isn't what it used to be (many big names no longer there), and because of
possible login issues, difficult to say if results of URL scans are valid, but it shows 68
out of 68 "no detection" for the URL ( https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js )
in the AVG screenshot in post 5 or any other URL I threw at it (signin.ebay.com,
https://www.ebay.com/sh/ovw, whatever)

If someone runs into a detection by AVG or Avast or whatever virus suite, try scanning
the URLs at VirusTotal (either the one the virus suite is specifically warning, or the
URL for the link clicked that causes the warning) and see if anything at VirusTotal agrees
with your AVG or Avast.

Can also try using Google Safebrowsing directly to see what Google thinks:
https://www.google.com/safebrowsing/diagnostic?site=WEBSITE_URL
where you replace WEBSITE_URL with your suspect URL, i.e.:
https://www.google.com/safebrowsing/diagnostic?site=https://www.ebay.com/rdr/js/s/rrbundle.flat.min....
or
https://www.google.com/safebrowsing/diagnostic?site=https://signin.ebay.com
(note that Google scans may not be real-time or even close - I'm guessing they don't scan
assumed secure sites like eBay or Bank of America as often, and focus their efforts on
the other more risky sites - likely those that pop up in a lot of current popular searches)

or check it directly here: https://transparencyreport.google.com/safe-browsing/search

Also:
https://www.urlvoid.com/
https://sitecheck.sucuri.net


Recap/Summary:

I believe these are all false detects of obfuscated JavaScript files eBay is using as part of an anti-bot login protection framework called "RoboRadar". The AV suites are freaking out over the obfuscated nature of the files (they score that as generally suspicious behavior), throw up their own variety of a generic trojan warning, and block access to it. Nothing else detects anything wrong with the JS files, which reinforces that belief.

 

It is possible to use Adblock, AdblockPlus, etc to block those JS files and prevent the AV warnings without any collateral damage (not being able to log in or any security issues) with a general rule of the form:   ebay.com/rdr/*$domain=signin.ebay.com

 

 

Message 3 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

berserkerplanet: Thanks so much for your detailed reply! I really appreciate it!

There is much here to research and investigate and learn. Though I worked as a programmer for 20+ years between 1985 - 2006, there is much here that is new to me. It all is interesting, and in a way, reassuring. At this point (and I have a good ways to go in my research) I think your initial tentative conclusion, that this is probably a false alarm, is probably true. I did do a complete Norton system scan earlier in the day, and I am sure Norton changed some things.

I am still wondering why I am not getting any warnings/blocks when I use my Chrome browser. I have checked and the so-called suspicious file is not on my machine, at least not using standard MS search techniques. If you happen to pass by this post again, and could offer some insights on why Chrome seems ok, but Edge does not (according to Norton Anti-Virus software) I would again greatly appreciate it.

Either way, thanks so much for your insightful, helpful comments!

Phil Gennuso

Message 4 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

berserkerplanet:

Thanks so much for your postings. I really appreciate it!

There is a lot here to review and research. I did work as a programmer for over twenty years, 1985-2006, but much of what you said is new to me.

I tend to agree with your assessment - that this is probably a false warning, due to the reasons you brought up, but I will do further due diligence.

One issue that still puzzles me is that I don't have this problem when I use Chrome, only when I use Edge, the MS browser. If you happen to pass by this board again and can offer some insight that would be very much appreciated.

Either way, thanks again so much for your thoughts! I would love to take a course on Udemy with you as the creator on this subject! If you ever decide to do so, or publish an ebook on this subject, please let me know.

Phil Gennuso

Message 5 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

Hi all, I have the same problem, only with the Edge browser, starting on 6-18-18. No problems on Chrome or Firefox or Opera. My guess is it is on eBay's end; as usual they are always working on things, and whenever they work on one thing something else gets broke. Never fails. Sorry for the inconvenience.

Message 6 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

best-deals-fast-ship:

Hi, thanks so much for your comments.

I called Ebay yesterday when this started for me, they said they haven't heard anything, so this confirms the problem. I think the gentleman, berserkerplanet, has a great analysis, and I will use his comments to do some research on my own.

I will let you know if I find anything else out.

Phil Gennuso

Message 7 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

Yeah, well, just remember this: every other place I logged into with a password works perfect when I sign in with Microsoft Edge. Try it for yourself and you will see it is eBay. The proof is on the pudding.

Message 8 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

>>Thanks so much for your postings. I really appreciate it!

You are very welcome.

You wouldn't find the file on your machine - Norton blocked it.

As to why no warning using Chrome: only reason I can think of is that it isn't called when Chrome is used.


My guess is that eBay isn't dishing up the Roboradar stuff when it detects Chrome browser (via passed browser  user-agent) for whatever arcane reasons (really makes no sense to exclude Chrome since Roboradar is an anti-bot framework)

Anyway, the next step would be to determine if that is the case. I do not  (and will never) use Chrome, so no help here. If you can figure out how to get a look at the page components loading in Chrome (maybe with any built in web developer tools - network console?) you can see if anything pertaining to  Roboradar is loading when you visit  https://signin.ebay.com  with Chrome.

 

I could also use Adblock Plus to look at what loaded (and Adblock in Chrome could do same I believe.) Things like Smartsniff, Fiddler2, NetworkActivityMon, Wireshark, and other external to the browser packet sniffers are mostly useless since this is HTTPS encrypted traffic.

I use HttpFox in Firefox 31 (an old addon in an old Firefox version - my preference) to look at HTTP traffic in/out of the browser.

 

Here is a cropped* view of the browser window with HttpFox open in bottom of window showing the calls made:

 

ebay_roboradar_httpfox_snag_cropped_061818.gif

 

*cropped because my screen is 1920x1080, a full image is way too big to post here, and posting it reduced size makes it unreadable.

 

All the stuff loaded from https://www.ebay.com/rdr/... is the Roboradar stuff.

 


Message 9 of 22
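
As an added example (not part of the post above, and not eBay's code): once each browser's network panel has been exported as a HAR file, a short script can check what the post asks, namely whether anything under https://www.ebay.com/rdr/ is requested in one browser but not in another. The capture data, the `rriframe` path and the function names are constructed for illustration.

```javascript
// Added example: which requests under https://www.ebay.com/rdr/ did each browser make?
// Input is a parsed HAR export (HAR 1.2: log.entries[].request.url / response.status).

function rdrRequests(har, host = "www.ebay.com", prefix = "/rdr/") {
  const hits = [];
  for (const entry of (har.log && har.log.entries) || []) {
    let url;
    try { url = new URL(entry.request.url); } catch (e) { continue; } // unparsable URL
    if (url.hostname === host && url.pathname.startsWith(prefix)) {
      hits.push({ path: url.pathname, status: entry.response ? entry.response.status : null });
    }
  }
  return hits;
}

// captures: { browserName: parsedHar }. Returns one row per script path, with the
// status each browser recorded and the browsers that never requested it.
function compareCaptures(captures) {
  const browsers = Object.keys(captures);
  const seen = new Map();
  for (const browser of browsers) {
    for (const { path, status } of rdrRequests(captures[browser])) {
      if (!seen.has(path)) seen.set(path, {});
      seen.get(path)[browser] = status;
    }
  }
  return [...seen.keys()].sort().map((path) => ({
    path,
    statuses: seen.get(path),
    missingIn: browsers.filter((b) => !(b in seen.get(path))),
  }));
}

// Constructed sample captures (not real traffic). The rriframe path is assumed to sit
// beside rrbundle; status 0 stands in for a request that did not complete.
const har = (entries) => ({ log: { entries: entries.map(([url, status]) =>
  ({ request: { url }, response: { status } })) } });
const edgeHar = har([
  ["https://signin.ebay.com/", 200],
  ["https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js", 200],
  ["https://www.ebay.com/rdr/js/s/rriframe.flat.min.js", 0],
  ["https://cdn.example/rdr/other.js", 200], // wrong host, ignored
]);
const chromeHar = har([
  ["https://signin.ebay.com/", 200],
  ["https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js", 200],
  ["not a url", 200], // skipped
]);

console.log(JSON.stringify(compareCaptures({ edge: edgeHar, chrome: chromeHar }), null, 2));
```

With real exports, replace the constructed captures with the result of `JSON.parse` on each browser's saved HAR file.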

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

Yes, I am having the same experience. Every other site seems to work fine when I sign in. No problems. So it looks like it is unique to Ebay. Evidently Ebay tries to download a lot of javascript files which Norton Antivirus may have trouble figuring out. That is what I think it is. But I am learning so much with this experience and will have to keep researching. I was very busy today, did not get a chance to call Ebay, hopefully I can tomorrow. Edge is still giving me the same problems.

Thanks for all your information. Let me know if anything else turns up.

I will keep things current with this stream.

Phil

Message 10 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

I posted elsewhere yesterday or before. I find it curious I didn't have problems in Windows 10 or applications in my new computer until ebay started fiddling with their site more actively 2 days ago.

Microsoft claimed it was Malwarebytes upgrade blocking me which is possible but I couldn't get into Outlook or any files last night - Once he removed MB it is working fine but I had found totally messed up pages on Ebay 2 nights ago in most parts of the site - going in and out, mostly out - missing graphics, etc - didn't pick up any thing on virus scans etc. Frustration is now I am without Malwarebytes which I have to risk reinstalling just to double protect myself from Ebay ! I had reported it to Ebay

Message 11 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

Thanks for your post. I have never used Malwarebytes, I have used Norton with decent results. Increasingly it seems that the problem is with Ebay. I am going to try to call them tomorrow and will update this stream with any new information. Phil.

Message 12 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

I will never use Norton again - too many problems with it - I have been on Eset now for 3 yrs so much better and also Malwarebytes & now /Premium which didn't have a conflict with Norton which I did before. I also have Adblock which is a vast improvement but doesn't block all ads nor the cookie agreement pop ups. I am not a techie so don't know the correct terminology but I may have had two separate issues/events. But I have to believe that when you go on an unstable page of Ebay there is a risk, at a min, my computer can't easily read a format that is missing key components. I have been reporting a lot of weaknesses and errors to both the pc platform and the mobile - Each has many errors/incorrect defaults which may or may not be deliberate. It feels to me there are many oversights and the left foot isn't talking to the right foot. When I was asked regarding what version of Ebay app I had due to inability to list and page advancement being clipped & shut down I had the most current version AHEAD of the version the rep said they had & I needed !! That says a lot... Both issues have since been cleared up on my pages but I really feel Ebay needs to be more transparent sharing schedule repairs on the announcement board, just like any bank or other large company that does on their website. Since this is one of the largest 24 hr global interactive website with shopping cart there needs to be more attention given to the seriousness of site failure, site functionability vis a vis sellers entering into a contract & paying for a service & reasonable expectation and communication of same. Common sense tells you it saves a lot of time for everyone and for years I have been recommending a tech prob reporting area on site for users where you submit an issue and it could be processed much faster ! When rep said it existed it is only for certain things but not for tech which is frankly more important !
Not rocket science - many other websites have it - they are making it much more complicated than it needs to be - remove 50% of unnecessary stuff on the site, archive old posts, lighten the load and I guarantee  site would run much better !

Message 13 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

UPDATE JUNE 20, 2018, 6:16 PM EST:

Just wanted to give an update about this strange file, "rriframe.flat.min [1].js".

I have called Ebay repeatedly to find out if this is their file, and they have yet to get back to me.

As of yesterday, Norton was still blocking this file from downloading from the Ebay signin screen using Edge.

Today, at 6:16 PM, I signed on to Ebay using Edge and Norton did not block anything. I closed the browser and searched my computer and sure enough found this file: "rriframe.flat.min [1].js" sitting in one of my temp directories. I deleted it just for good measure.

Evidently Norton now thinks this file is no longer dangerous.

I think the hypothesis originally proposed by berserkerplanet is the correct one, but the way Ebay and Norton go about this is really quite sloppy in my opinion.

Tomorrow if I get a chance I will give Norton a call and see what they have to say.

 

I do appreciate all the input, it certainly has helped to figure out what has been going on and I certainly have learned a good deal. I am going to keep this stream open until I get a definitive answer if that is at all possible.

 

Best regards,

Phil Gennuso

Message 14 of 22

Re: EBAY SIGNIN SCREEN CAUSING NORTON ANTIVIRUS TO BLOCK A JS FILE FROM DOWNLOADING (TROJAN VIRUS)

Thanks again for your expert advice. As of 6/20 Norton does not appear to be blocking this file, rriframe.flat.min[1].js. I used Edge, signed in, no pop up from Norton. When I checked my hard drive, sure enough, this file was sitting in a temporary directory. I just deleted it without any event.

 

I have trouble tickets submitted to Ebay and I will try to contact Norton to get any further information but I think your original hypothesis is probably right.

 

Phil

 

Message 15 of 22