CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 23rd, 2009

Google Detects Malware Infection On eBay Solutions Provider Auctiva.com

eBay solutions provider Auctiva.com suffered a malware attack during the weekend. As a result, the website has been tagged as malicious in Google. The warning “this site may harm your computer” most likely affected hundreds of thousands of customers and their eBay auctions.

Google’s Safe Browsing diagnostic page for www.auctiva.com shows:

What is the current listing status for www.auctiva.com?

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 129 pages we tested on the site over the past 90 days, 40 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-02-23, and the last time suspicious content was found on this site was on 2009-02-23.

Malicious software includes 44 scripting exploit(s), 21 trojan(s). Successful infection resulted in an average of 11 new processes on the target machine.

Malicious software is hosted on 2 domain(s), including auctlva.com/, luckffxi.com/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including me9x.cn/.

This site was hosted on 1 network(s) including AS174 (COGENT).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www.auctiva.com appeared to function as an intermediary for the infection of 1 site(s) including octiva.com/.

Following complaints from users who started receiving antivirus warnings upon visiting Auctiva.com, the company took measures to ensure the transparency of the clean-up process, which it finalized yesterday.

According to Auctiva’s update log, the engineering team is still investigating the situation but, at this point, it appears that these virus alerts started showing up because some of its machines were injected with malware originating in China. The malware has also hit a number of other high-profile websites over the past 6 months. The affected machines are no longer available, so it is currently safe to navigate the Auctiva website. According to Kevin K. from the community.auctiva.com forums, some auctiva.com web servers are to be taken offline due to additional monitoring.

Users who visited the site between Thursday evening and Saturday afternoon at about 2 PM PT should take precautionary measures, as explained on the Auctiva website, to ensure that their computers are not infected:

1. Clear your browser cache, delete ALL temporary internet files, and restart your browser.
2. If using a Windows machine, make sure you are updated with all the current Microsoft updates and patches.
3. Make sure you are running some reputable antivirus software (AVG is available for free at http://free.avg.com and is known to catch this malware)
4. Use the Firefox browser if possible, as it has been shown to be less susceptible to this sort of malware than Internet Explorer.

According to Dancho Danchev’s post on ZDNet, Auctiva.com appears to have been embedded with malware on the 18th of February, several days ahead of the company’s announcement, according to affected users. The exploit-serving domains luckffxi .com and auctlva .com (both parked at the same IP, 67.229.127.42) are typical exploit-serving sites courtesy of Chinese attackers who, despite the fact that several Russian web malware exploitation kits are already localized to Chinese, continue to lay out their client-side exploits manually using the same descriptive file structure, for instance luckffxi .com/flash.htm, luckffxi .com/14.htm, luckffxi .com/office.htm, luckffxi .com/real.htm.
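As an added example (not from the article, Auctiva or ZDNet), the following Python script shows how a defender could search web proxy logs for clients that reached the domains and IP address named above, and whether they had loaded auctiva.com first. The four-field log format, the sample log lines and the all-digit page-name pattern are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the article: exploit-serving and intermediary domains,
# plus the IP address both exploit-serving domains were parked on.
BAD_DOMAINS = {"auctlva.com", "luckffxi.com", "me9x.cn"}
BAD_IP = "67.229.127.42"
# Page names listed in the article; any all-digit name (like 14.htm) is an assumption.
EXPLOIT_PAGE = re.compile(r"/(flash|office|real|\d+)\.htm", re.I)

# Constructed proxy log: timestamp, client IP, destination IP, URL.
SAMPLE_LOG = """\
2009-02-20T09:14:02 10.0.0.5 198.51.100.10 http://www.auctiva.com/hub/
2009-02-20T09:14:03 10.0.0.5 67.229.127.42 http://luckffxi.com/flash.htm
2009-02-20T09:14:04 10.0.0.5 67.229.127.42 http://luckffxi.com/14.htm
2009-02-20T10:01:00 10.0.0.9 198.51.100.10 http://www.auctiva.com/
2009-02-20T11:30:00 10.0.0.7 67.229.127.42 http://67.229.127.42/real.htm
2009-02-20T11:31:00 10.0.0.8 203.0.113.9 http://me9x.cn/a.js
""".splitlines()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def hunt(lines):
    """Map client IP -> findings for requests that match the indicators."""
    seen_auctiva, findings = set(), {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, client, dest_ip, url = fields
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        if in_domain(host, "auctiva.com"):
            seen_auctiva.add(client)  # client loaded the compromised site
            continue
        reasons = ["domain"] if any(in_domain(host, d) for d in BAD_DOMAINS) else []
        if dest_ip == BAD_IP:
            reasons.append("ip")
        if reasons:
            findings.setdefault(client, []).append({
                "time": ts, "url": url, "reasons": reasons,
                "exploit_page": bool(EXPLOIT_PAGE.fullmatch(parts.path)),
                "after_auctiva": client in seen_auctiva,
            })
    return findings

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Clients whose findings have both `after_auctiva` and `exploit_page` set are the ones to prioritize for the precautionary steps listed earlier.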


    One Response to “Google Detects Malware Infection On eBay Solutions Provider Auctiva.com”

    1. Robert Green Says:
      February 24th, 2009 at 5:33 pm

      On Thursday, February 19, we discovered the presence of malware on some of the Auctiva servers. This caused Google to flag Auctiva as a dangerous site. Our Systems Engineers identified the location of the malware and immediately began working to isolate the infected servers and take them offline.

      During this process, the site was running on fewer servers and you may have experienced some delays. As of Sunday night, Google rescanned Auctiva.com and determined the site to once again be safe.

      However, out of an abundance of caution, we temporarily took Auctiva.com offline while we worked to correct security vulnerabilities and eliminate the possibility of further infection. We resolved to only bring the site back online once we were confident we could provide the same high level of safety and security for our customers that we have for the past 10 years.

      In the early morning hours of Tuesday the 24th, we brought Auctiva.com back online with a reduced number of servers, and are in the process of adding more to our network to improve site speed.

      During the period the site was offline, Auctiva Checkout, and our users’ scheduled listings, images, templates and scrolling galleries remained available in eBay listings.

      As a company, we strived to handle this issue in a candid, responsive and responsible manner. Updates have been available throughout the course of this issue at community.auctiva.com and this user forum is where we will continue to inform our users with future news/updates.

      Similar attacks have been made on other large Web sites in recent months. Other targets have included:

      * CBS
      * Monster.com

      Auctiva takes the issue of security very seriously. We temporarily took the site offline while we worked to correct security vulnerabilities and eliminate the possibility of further infection.

      Auctiva is a 10-year old software company comprising several Web sites and products. With more than 80 employees and hundreds of thousands of registered users, Auctiva remains a trusted eBay partner posting millions of eBay listings every month.

      Robert Green – Auctiva Product Manager

