Are AVG Users getting notice of REDIRECTOR -BKG Trojan Virus From this site?

Twice tonight I logged out of this account and tried logging into my buying account and got a message from AVG that they aborted my log in because www.ebay.com was infected with JS:REDIRECTOR-BKG {TRJ}?? Any other AVG users getting this message?

Message 1 of 47


Ditto, same here.

Message 31 of 47

Also just got this message after leaving feedback - what's worse is I have OpenDNS Family Security, DD-WRT firewall with custom rules, custom DNS server to stop additional malware sites, malware filters (Ad Block Plus in Chrome), and just got this message.

 

eBay any comments? Using avast and running full system deep scan with nothing yet showing.

Message 32 of 47

I am getting this too. Oh well, my computer is clean. Guess I won't be buying anything from eBay tonight. Off to Amazon.

Message 33 of 47

eBay support here pretty much operates on Pacific Time business hours. Wouldn't expect anything until morning unless a blue happens to pay attention and wants to respond even though there may be nothing that he/she can do (guessing tech staff is also M-F 9-5)

My 2¢:

I posted a general response on the PS board (I believe) earlier, indicating that evidence so far made it appear it was just another AVG (and Avast?) false positive detection, that that js file was not found to contain anything malicious by any online resources I checked it with, the fact that it IS only AVG (and Avast?) flagging it (neither of which I put much faith in), leads me to believe it is a false positive again this time.

 

However, I just took a look at ebay.com/rdr/js/s/rrbundle.flat.min.js and now I'm not so sure.

It's what looks like over a thousand (short) lines of pretty much totally obfuscated JavaScript, with what looks like some calls to launch Java application(s) (downloaders?), something referencing Firebug in Firefox (old standalone version of what is now built into the web developer tools in Firefox), and the rest is a horrible mess of obfuscated function calls, URL-encoded strings, and basically unreadable and indecipherable. The only way to decipher it is to be really good with JavaScript coding and debugging, or to run it and look for results of some variety (good or bad).

Any legitimate eBay code shouldn't look like that though IMO.

I'm not good enough with JavaScript debugging to walk through it in a debugger and figure out what it's doing (and that may be why the Firebug thing in the code - that may be built in code to detect debugging attempts and thwart them), but may take a stab at it.

Don't know at this point. Have not seen that script actually called in my eBay travels, but wouldn't anyway unless I did get redirected or trojaned (no AV running to throw warnings and no other manually set traps set).

 

Guess I'll take a look and see if I can figure anything out. (I have got to get some listings done, but this is another good procrastination opportunity 🙂

 

In general, I don't think anyone should panic. Highly doubtful that anything terrible is happening if nothing else out of the hundreds of AV/malware suites is finding anything.

 

addendum: read more closely all the posts and appears in this thread Avast is also involved.

Message 34 of 47

well...I just logged on for the first time for today and did not get it again, yet.

FWIW...I understand that Avast bought out AVG and are more or less pretty much the same now.

 

Ran McAfee Stinger last night, it found nothing but still concerned, naturally, until we hear more.

Not sure how to do all that virus total stuff someone mentioned here. 

Message 35 of 47

berserkerplanet...what's the PS board?

Message 36 of 47


@berserkerplanet wrote:

eBay support here pretty much operates on Pacific Time business hours. Wouldn't expect anything until morning unless a blue happens to pay attention and wants to respond even though there may be nothing that he/she can do (guessing tech staff is also M-F 9-5)

My 2¢:

I posted a general response on the PS board (I believe) earlier, indicating that evidence so far made it appear it was just another AVG (and Avast?) false positive detection, that that js file was not found to contain anything malicious by any online resources I checked it with, the fact that it IS only AVG (and Avast?) flagging it (neither of which I put much faith in), leads me to believe it is a false positive again this time.

 

However, I just took a look at ebay.com/rdr/js/s/rrbundle.flat.min.js and now I'm not so sure.

It's what looks like over a thousand (short) lines of pretty much totally obfuscated JavaScript, with what looks like some calls to launch Java application(s) (downloaders?), something referencing Firebug in Firefox (old standalone version of what is now built into the web developer tools in Firefox), and the rest is a horrible mess of obfuscated function calls, URL-encoded strings, and basically unreadable and indecipherable. The only way to decipher it is to be really good with JavaScript coding and debugging, or to run it and look for results of some variety (good or bad).

Any legitimate eBay code shouldn't look like that though IMO.

I'm not good enough with JavaScript debugging to walk through it in a debugger and figure out what it's doing (and that may be why the Firebug thing in the code - that may be built in code to detect debugging attempts and thwart them), but may take a stab at it.

Don't know at this point. Have not seen that script actually called in my eBay travels, but wouldn't anyway unless I did get redirected or trojaned (no AV running to throw warnings and no other manually set traps set).

 

Guess I'll take a look and see if I can figure anything out. (I have got to get some listings done, but this is another good procrastination opportunity 🙂

 

In general, I don't think anyone should panic. Highly doubtful that anything terrible is happening if nothing else out of the hundreds of AV/malware suites is finding anything.

 

addendum: read more closely all the posts and appears in this thread Avast is also involved.


Thanks for sharing your thoughts! AVG updated today 6-7 and I cleaned all cache etc. so far so good. I am on the ESR update channel, but someone else said the update seems to have worked (Firefox v60.0.02).

not sure if it is solved, we will see.

 

I think since Avast acquired AVG in 2016, they pretty much have become the same products. They are now one entity, hence why this js redirector is being picked up by both.

 

Even when it was flagged and the threat was stopped, it still allowed me to log in and everything seemed normal.

 

I guess we will find out at some point.

Message 37 of 47

Thanks d-k for the additional redirect help!
Message 38 of 47


@rockz1101 wrote:
Thanks d-k for the additional redirect help!

You're welcome!

 

_____________________________
"Nothing is obvious to the oblivious"
Message 39 of 47

Yup, this is precisely why I couldn't log into ebay yesterday and missed the 20% coupon!
Message 40 of 47

>>well...I just logged on for the first time for today and did not get it again, yet.

It is looking like it was an AVG/Avast false detect issue, based on it appearing to be no longer an issue, the fact that AVG and Avast are a single entity now (didn't know that), and a bit more info I didn't post last night, but will after this. Total lack of any more info or details makes it impossible to say for sure - could have been a silent behind the scenes change in something by eBay, or could have been an overnight update to virus defs by AVG and Avast, which is more likely.

The PS board is the Powerseller Board. Have to be an eBay Powerseller to view it - the only perk? for maintaining PS status remaining.
Message 41 of 47

>>Even when it was flagged and the threat was stopped, it still allowed me to log in and everything seemed normal

More to support theory that it was an AVG/Avast false positive.

I compared* the contents of the ebay.com/rdr/js/s/rrbundle.flat.min.js from yesterday to the contents from this afternoon and they are identical (binary compare) - that means eBay changed or fixed nothing.

Not 100% certain of my methods, as like an idiot, I didn't download it yesterday, but instead copied and pasted the contents from a source view, and there was a weirdness in the text editor I saved it with but I think not a factor.

Obfuscated JavaScript (which this file is very much full of) is often a sign of malicious intent, is a factor considered in AV/malware determinations, and could have contributed to an AVG/Avast false positive flagging.
Message 42 of 47
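The day-to-day file comparison described in the post above is worth scripting rather than eyeballing; the following is an added example (not from the thread and not eBay's code) that hashes two saved copies of a script and tells a real content change apart from the copy-and-paste artefacts the poster mentions (a BOM or CRLF line endings added by a text editor). The sample file contents are constructed, not the real rrbundle.flat.min.js.

```python
"""Compare two saved copies of a served script (e.g. one from yesterday, one
from today) and decide whether the server-side file actually changed.
Added example with constructed sample data; not eBay's or the thread's code."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Stable fingerprint of a copy, suitable for noting down day to day."""
    return hashlib.sha256(data).hexdigest()


def normalize(data: bytes) -> bytes:
    """Undo the usual copy-paste/editor artefacts: UTF-8 BOM, CRLF or CR line
    endings, trailing whitespace on each line, and a missing final newline."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [line.rstrip() for line in data.split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\n".join(lines) + b"\n"


def compare_copies(old: bytes, new: bytes) -> dict:
    """Report raw and normalized equality plus both hashes, so a difference
    caused only by the text editor is distinguished from a real change."""
    raw_equal = old == new
    norm_equal = normalize(old) == normalize(new)
    if raw_equal:
        verdict = "unchanged"
    elif norm_equal:
        verdict = "only whitespace/encoding differs"
    else:
        verdict = "content changed"
    return {
        "raw_equal": raw_equal,
        "normalized_equal": norm_equal,
        "old_sha256": sha256_hex(old),
        "new_sha256": sha256_hex(new),
        "verdict": verdict,
    }


# Constructed sample: a copy saved straight from the download, a copy pasted
# through an editor that added a BOM and CRLF endings, and a real edit.
DOWNLOADED = b"!function(a){a.rr=1}(window);\nvar x=1;\n"
PASTED = b"\xef\xbb\xbf!function(a){a.rr=1}(window);\r\nvar x=1;\r\n"
MODIFIED = b"!function(a){a.rr=2}(window);\nvar x=1;\n"

if __name__ == "__main__":
    for label, new in (("pasted", PASTED), ("modified", MODIFIED)):
        print(label, compare_copies(DOWNLOADED, new)["verdict"])
```

A "content changed" verdict is the only one that means the server actually served something different; the middle verdict is what a copy taken from a source view and saved through an editor typically produces.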

[Some ramblings from last night I didn't post that sheds a bit of light on what MAY be going on]

 

ebay.com/rdr/js/s/rrbundle.flat.min.js is a file on eBay servers, and unless there has been a breach and the servers are pwned, it is presumed to be a legitimate eBay file.
 
Found a few tidbits in that file (picking through human readable bits - no progress setting things up somehow to get the code to deobfuscate itself)

Noted a reference to "roboradar iframe" near the end of the file. Off to google to find out what roboradar is. It appears that it's a bot detection framework that eBay uses on the signin page that watches mouse movements, keystrokes, timings, etc (similar to newest google recaptchas) to transparently determine if a bot is poking at the signin form, a human fumbling around, or the human's password manager entering data.

Unless the google result, the reference I found, and the filename are an elaborate ruse to deflect suspicion, the little clues sort of make sense.

The JavaScript filename in question is ebay.com/rdr/js/s/rrbundle.flat.min.js - rr for roboradar maybe and in the rdr (for radar?) directory. There are references to email, password, forms, there is a LastPass term (lpcurrpass) in there, and people have been reporting that it rears its head on or around eBay signin events.

Here is the link to the only thing I found about roboradar:
https://www.powtoon.com/online-presentation/gm1KNWXtbHw/roboradarfinal1/?mode=Movie
(68 of 68 engines at Virustotal say that link is clean and I had no issue with it)

An interesting watch, and no clue who made the video or who developed and maintains roboradar.
(presentation poster/author appears to be a non-eBay coder/hacker in india?)

 

Assuming roboradar is a real thing (and I wouldn't doubt it), it looks like maybe that script might have been obfuscated by eBay (or whoever developed and maintains roboradar) to prevent easy reverse engineering by bot users. Makes some sense.
 

That brings us back to the simplest explanation that the AVG and Avast detections are a false positive.

 


Only two possibilities I see:
 False positive on a legitimate (but horribly obfuscated) eBay script by AVG and Avast (very possible)
or
 The script isn't eBay's, and possibly malicious, which would imply that either eBay servers are compromised to some degree to the point where malicious content can be uploaded/inserted, or if roboradar is maintained by a third party, that that third party, which may have access to eBay servers is compromised.  (I'd guess a much lower)

 

At this point people seem to be saying the issue is resolved. Mentions of Firefox updates? and Avast updates? and nothing rigorous or clear that indicates what caused the problem, but lots of mentions of eBay logins being the place where it triggered which totally fits in with a hypothetical eBay login roboradar bot screening routine running, and that that obfuscated script triggered an AV heuristic false positive.

 

Too many unknowns. eBay will definitely never admit to a breach if there was one (which I doubt), will likely never admit to roboradar if it really is in place and as I suspect (because people don't like bots watching their behavior and that reveal opens a door to thinking about how much more of that type of thing is done here and elsewhere), and unless someone can post evidence that updating AVG or Avast virus definitions made the alert go away (or even better that someone who didn't update the AV is still seeing the alerts today), we may never know.

 

Message 43 of 47

Seems to be cleared up or gone for me also. I have not had the pop up all day! Thanks for your digging into it more closely. It is appreciated.

Message 44 of 47

Sure thing. Was an interesting diversion.

Do your AVG virus definitions update automatically every day and did they update overnight last night?
Message 45 of 47