Understanding what port scanning is and how the technique has been utilized by an eBay contractor
First off, I need to talk about port scanning technologies to set the context. A great place to get started learning about this issue is this blog post from Avast’s Answers site. Briefly, every Internet application uses a particular network port number to do its business. So-called “well known” ports include 80 for web traffic, 22 for secure shell, and 143 for IMAP-based email communications. A complete list can be found here. If you use a traffic analyzer (also called a sniffer), you can view these communications and get an idea of what applications run on your network.
There are two ways to do these scans. The first and by far most popular method is where someone initiates a scan remotely across an entire IP address range or domain. There are many tools that can do this; one that I have liked for decades is Steve Gibson’s ShieldsUP. It is well worth using, because it is simple, free, and takes just a moment to look at your network router and see what open ports you have. The big limitation is that it only scans the first 1000 numbered ports: that was fine years ago when the Internet was just a gleam in Al Gore’s eye, but now life has gotten more complex. I also suggest using SolarWinds’ Network Device Scanner, which will scan more ports — there are more than 65,000 of them as part of the Internet protocols.
Nemec found, for example, that only Windows PCs would initiate the scans, and only when a user was browsing from a specific eBay login page. Of the thousands of named ports, only a couple of dozen are of interest to the eBay scanning scripts. Some of them are:
- 3389 (Microsoft remote desktop)
- 5900-5903 (VNC remote desktop)
- 6333 (VNC remote desktop)
You can find a more complete list of the other ports in this table from Bleeping Computer. Nemec also found that the scripting code changed its variable names each time it was rerun. That sounds like this script has something to hide.
What is collected from the scan? Nemec found the PC’s user agent or particular browser version and public IP address along with other data which wasn’t immediately obvious. The data seemed to be collected without any specific purpose.
Do you see a pattern here? The scans are looking to see if someone is running a remote control service – perhaps inadvertently. This could be a telltale sign that someone’s PC has been compromised by an attacker, who is trying to copy the user login credentials. Indeed, that is what The Register concluded: The authors say that “the reason for the port scanning script is fraud prevention, seemingly by flagging up machines that may be under remote control by miscreants.”
They came to this conclusion because the data collected from these scans is not going to an eBay-owned domain, but one that looks like one: ebay-us.com. Who owns this domain? It isn’t eBay but ThreatMetrix, an anti-fraud company that was acquired by LexisNexis in 2018.
Now, this sets off all sorts of alarm bells for me. Why would ThreatMetrix purposely use this domain? Let’s say that The Register is correct, and this is being done for anti-fraud reasons. This is just another example of a different type of browser fingerprinting, as mentioned by Chandler Givens in his post here. This is because the scan and the script can identify your PC through these open ports and what else is being run in your browser. If your PC is later identified as the source of a potential identity compromise, eBay could block your traffic until you secure your PC.
But whether it is being used to stop fraud or just be more Big Brotherish, this whole local port scanning thing bugs me. Instead of being transparent about it, ThreatMetrix is trying to hide what they are doing on behalf of their client, eBay. Criminals often use this technique for making their phishing attacks more credible, by using what is called “typo-squatting” domains. You could make the claim that ThreatMetrix needs to be a little bit sneaky so that abuses don’t occur or that criminals don’t leverage their tactics. Too late for that.
So the next question: is this legit or not? This isn’t the first time that ThreatMetrix was caught doing these scans. Back in 2018, they had the bank Halifax as a client and were tracked, again by The Register. That post brings up a very inconclusive discussion as to the legality of this practice. My take is that LexisNexis probably has a deep legal bench and I doubt that anyone is going to legally stop this practice. It probably is borderline ethical, and probably legal. But then, I am not a lawyer.
I am sure this research will generate all sorts of new investigations into the practice, which is probably a good thing. Consumers should know when their software is tracking them, just as our post on browser fingerprinting says. But should you worry?
First, if you are using Avast’s Anti-Track or some other anti-tracking tool or browser content blocker, then you should block the check.js script explicitly — the one used by ThreatMetrix. Next, if you are concerned with potential IoT security issues, running a local network port scan (using SolarWinds or something equivalent) is a great way to see what else is active across your own network, and could be used to identify potential security issues.
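As an added example (not code from this post, from eBay or from ThreatMetrix), here is a small defender-side check in Python that does the local scan suggested above against the remote-control ports the post lists, so you can confirm nothing unexpected is listening on your own machine. The port table is taken from the bullets in this post; the function names and the scan-your-own-host default are my own assumptions.

```python
import socket
from typing import Dict, List

# Ports called out in the post (the full ThreatMetrix list is longer;
# see the Bleeping Computer table referenced above).
REMOTE_CONTROL_PORTS: Dict[str, str] = {
    "3389": "Microsoft remote desktop (RDP)",
    "5900-5903": "VNC remote desktop",
    "6333": "VNC remote desktop",
}


def expand_ports(spec: str) -> List[int]:
    """Expand '5900-5903' into [5900, 5901, 5902, 5903] and '3389' into [3389]."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {spec}")
        return list(range(lo, hi + 1))
    port = int(spec)
    if not 0 < port <= 65535:
        raise ValueError(f"bad port: {spec}")
    return [port]


def port_is_listening(host: str, port: int, timeout: float = 0.2) -> bool:
    """TCP connect probe: True if something accepts connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def find_open_remote_control_ports(host: str = "127.0.0.1",
                                   ports: Dict[str, str] = REMOTE_CONTROL_PORTS,
                                   timeout: float = 0.2) -> Dict[int, str]:
    """Return {port: description} for every listed port that accepts a connection."""
    found: Dict[int, str] = {}
    for spec, desc in ports.items():
        for port in expand_ports(spec):
            if port_is_listening(host, port, timeout):
                found[port] = desc
    return found


if __name__ == "__main__":
    hits = find_open_remote_control_ports()
    if not hits:
        print("None of the listed remote-control ports are listening locally.")
    for port, desc in sorted(hits.items()):
        print(f"port {port} is open: {desc} -- confirm you expect this service")
```

Run it on the machine you want to check; any port it reports as open is one the ThreatMetrix script would also see, so make sure you know which remote-control service is behind it.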