Vladuz apparent strike on Blujay.com!!!

[The Bar Keep]

Just seen this on PSU thought everyone should know about it.


Click here to read the PSU Thread...

Vladuz posting at Blujay:

Click here to read Thread...

Apparent blujay store that was hacked:

Blujay - Shell_W...

[chiquita]

Did they verify if it is a legit Vladuz hack?
 

[knappschiles]

Something isn't tracking right here.

Whoever is posting as "shell_world" in the BJ thread seems to BE Vladuz in post 3 yet in the first post seems to be a pizzed off user. Very weird.

Just what we all need right now before the holiday buying season.

Carol

[The Bar Keep]

Did they verify if it is a legit Vladuz hack?
 

By the looks of it Vladuz has taken over a store on Blujay.com and used the hacked account to post in the blujay forums. Then Valduz proceeded to register at PSU to announce the hack, where a confused Mod posted this in response:

Followed your link and sorry your BJ store (named shell_world) got hacked today.
Glad you joined our forums here and for alerting the other BJ sellers about this issue.
Hopefully this OP will help other BJ sellers in stopping this problem before it gets out of hand over there.

Thanks for joining the PSU forums.

It is unclear if the account used by Vladuz was a new account setup tonight or an existing account taken over. The posting ID in the blujay thread claiming to be Vladuz shows 102 total posts 2 of which were posted in the thread announcing the hack.


Joe - The Bar keep

[Mojavelyn]

According to the registration for Shell_World... registered:   September 25, 2007 

But ya know what folks... how many times do we have to say... DON'T CLICK ON LINKS!!!!

Just because it says its from PP or Ebay or Whereever.com doesn't mean it is!

A member is attempting to pay .05  on his bill ... had the address wrong.. I get this email... click here to claim your payment...  I wrote back and said... If you want to pay your bill, do it thru the proper channels.  I have yet to see the invoices from PH, so I don't know what they look like. 

So... whats to say that Shell didn't pick up a keylogger or tracking cookie of some kind from a phishing expedition?  Vladuz is supposed to be known for his phishing.

[The Bar Keep]

According to the registration for Shell_World... registered:   September 25, 2007 

But ya know what folks... how many times do we have to say... DON'T CLICK ON LINKS!!!!

Just because it says its from PP or Ebay or Whereever.com doesn't mean it is!

A member is attempting to pay .05  on his bill ... had the address wrong.. I get this email... click here to claim your payment...  I wrote back and said... If you want to pay your bill, do it thru the proper channels.  I have yet to see the invoices from PH, so I don't know what they look like. 

So... whats to say that Shell didn't pick up a keylogger or tracking cookie of some kind from a phishing expedition?  Vladuz is supposed to be known for his phishing.

Quote from the blujay thread:

It's not about building the store again.

I can exploit ANY blujay store now.

Any volunteers to miss the Christmas season here


vladuz

It appears that Vladuz is claiming to have database or some kind of backend access at this time. Phishing emails will typically affect one person and not exploit an entire community such as blujay. There is still no confirmation as of yet from blujay administration and at this point there is only one suspected account.

I have since PM'ed blujay admin in the hopes that he is aware of this incident and is working to resolve the issue.


Joe - The Bar Keep

[knappschiles]

The really weird part of this whole hack of Blujay is the fact that it IS Blujay.

In the past Vladuz' attacks have all been at eBay. It seemed that V had some grudge with eBay (and probably for good reason). That and eBay's always acting "holier than thou" with all their "it's not OUR fault" answers all the time. The fact that eBay can ruin a business at the drop of an undeserved suspension comes to my mind too.

What reason could there be to attack Blujay ?? They aren't even the largest alt site. Since the site is free, it can't be that someone was gouged on fees. And most of us there are there because we needed to get away from eBay, or were forced away.

I just don't get it. Seems more like a copycat than Vladuz.

Carol

[The Bar Keep]

Just a followup as I saw this posted at PSU and beleive everyone should take note and listen to what this poster has said about security at blujay.com:

quote from PSU by LurkeyLou:

BluJay is another site that does not use SSL Encryption. There is no security, folks.

I can scan the information sent back and forth on the server. YOU can scan the information sent back and forth.

It doesn't take a hacker to do this. The tools are out there and the tools are free.

This is a terrible thing to have happened. By all means, check your system for holes and malicious software.

The most important thing sellers can do is STOP USING SITES THAT CAN NOT BE BOTHERED WITH SECURITY AS BASIC AS A FRICKIN' SSL.

http://en.wikipedia.org/w.../Transport_Layer_Security

No. SSL can not and will not stop a talented hacker. But, it will at least put a hurdle down for script kiddies and wanna-be's.

As for the person claiming to be Vladuz, I doubt it. Hackers generally do not use the term "nick name", so that's a little out of context and using that term alone makes the validity of the identity claim suspect.

As Carol and Mo have indicated, common sense doesn't lend to the idea that Vladuz would doink around with BluJay or a single seller. Vladuz likes a challenge and his/her ego wouldn't get a morsel of sustenance by screwing up one seller's store.

And, BTW, eBay is actively trying to find and have Vladuz arrested. A person claiming to be Vladuz and hanging out at PB might not be pleased to have his/her watering holes announced to the WWW in general.

Sellers, you have got to stop using sites that do not offer security. If there is no "s" on the http:// - if your registration and log-in address at the top of your browser does not have https:// THE SITE IS NOT EVEN BASICALLY SECURE.

Look for (and check!) the SSL certificate on the site. If there is no certificate, there is no security. Recently, a site bald-faced lied about having security on the site... off-hand, I don't remember which one, but they lied. Look for the little lock in the bottom right corner of your browser; it should be closed, not hanging open.

Even if you're willing to join a site that is not secure - and I've joined plenty - do not bring your customers to such a site.

Now Thank you Mo for confirming the SSL on www.plunderhere.com as all sellers need their financial information protected when selling online. Just to let everyone know as I did confirm this to be the case, there is NO SSL on blujay at this time. I also did a check on a similar site, eCRATER.com and to my astonishment there is NO SSL certificate on that site either.

I do have empty stores on both blujay and eCRATER and have since removed all information pertaining to my payments. On eCRATER all I had to do was delete my account, no harm no foul. On blujay it seems as if you can't just dump your account but you can turn off most things.

[Mojavelyn]

Joe, he could say anything like that to put fear in people. Because thats what he or whoever this might be (Vladuz or copycat) will feed on that fear.

[robertjohnston]

I think we as store owners should all be concerned about protecting customers data. If we are selling on line no matter if it's our own store or auction venue it should be ssl protected. I wonder how many of our own members with stores have purchased certificates. 

[knappschiles]

About this SSL thing  -- neither site, Blujay or eCrater, keeps any credit card info or even has any payment info where WE pay them anything. The only info they keep is your PP email addy or your Google checkout info. Our customers "pay" thru these other outlets which I hope are secure.

So where is the need for SSL ?? Tell me please, maybe I'm dense.

I can see both of those sites should have SSL for the "sign-in" for the members, but other than that why ??

As far as my personal site is concerned, NO I don't have SSL there either. I don't take any CC info or other payment info at my site. It's all done thru PP or GC. I don't store/collect any info at my site. The orders all come to me thru GC or PP.  So same question -- why would I need SSL ??

Carol

[Mojavelyn]

About this SSL thing  -- neither site, Blujay or eCrater, keeps any credit card info or even has any payment info where WE pay them anything. The only info they keep is your PP email addy or your Google checkout info. Our customers "pay" thru these other outlets which I hope are secure.

So where is the need for SSL ?? Tell me please, maybe I'm dense.

I can see both of those sites should have SSL for the "sign-in" for the members, but other than that why ??

As far as my personal site is concerned, NO I don't have SSL there either. I don't take any CC info or other payment info at my site. It's all done thru PP or GC. I don't store/collect any info at my site. The orders all come to me thru GC or PP.  So same question -- why would I need SSL ??

Carol

Plunderhere does not store credit card data either... and there is a secure link to pay directly via paypal for site fees and banner ads...

But also the frustration that site owners have when TOS says no personal data in listings... then people come back and say your site isn't safe.

[The Tavern Wench]

About this SSL thing  -- neither site, Blujay or eCrater, keeps any credit card info or even has any payment info where WE pay them anything. The only info they keep is your PP email addy or your Google checkout info. Our customers "pay" thru these other outlets which I hope are secure.

So where is the need for SSL ?? Tell me please, maybe I'm dense.

I can see both of those sites should have SSL for the "sign-in" for the members, but other than that why ??

They keep your PP email address which is your username on PayPal.  They have your Google checkout info which is your personal identifying Merchant account info.  Both of which lead back to your banking and credit card info.  I assume they also have your regular email address, name, home address, telephone number and a password.

So if someone hacks into the site they can see everything.  They essentially have ALL of the basic info to steal your identity and/or hack into your PayPal or Google account.  Surprisingly, most people also use the same or a similar password for all of those accounts too despite being warned otherwise.

So in my opinion it needs SSL.

As far as my personal site is concerned, NO I don't have SSL there either. I don't take any CC info or other payment info at my site. It's all done thru PP or GC. I don't store/collect any info at my site. The orders all come to me thru GC or PP.  So same question -- why would I need SSL ??

Carol

If you don't have any PART of the transaction occuring onsite, then it's mostly a matter of customer confidence.  However, if you collect ANY information whatsoever (even if it's just an email address), then your site needs to be encrypted, otherwise it can be seen or intercepted.  Just the act of clicking the buy now button sends information over the internet.


As Bob said:

I think we as store owners should all be concerned about protecting customers data. If we are selling on line no matter if it's our own store or auction venue it should be ssl protected.

   Better safe than sorry as my Grandma always said.


As a side note... SSL is not expensive and can be bought for as little as $16.00 a year.

[knappschiles]

I understand the part for BJ and eC, yes they have our payment info. I do get that part.

For my own site, I collect NOTHING. There isn't a log-in or anything.

It's all done thru Mal's cart which I thought was httpS, but I just checked and it isn't. But I'm not sure how much Mal's collects either as the payment stuff then goes to GC or PP depending on the cart. I know for the GC cart, Mal's doesn't even store the order (it's part of the Google agreement). For the PP orders Mal's does save an "order" and an email.

Carol

[teelabooks]

The really weird part of this whole hack of Blujay is the fact that it IS Blujay.

In the past Vladuz' attacks have all been at eBay. It seemed that V had some grudge with eBay (and probably for good reason). That and eBay's always acting "holier than thou" with all their "it's not OUR fault" answers all the time. The fact that eBay can ruin a business at the drop of an undeserved suspension comes to my mind too.

What reason could there be to attack Blujay ?? They aren't even the largest alt site. Since the site is free, it can't be that someone was gouged on fees. And most of us there are there because we needed to get away from eBay, or were forced away.

I just don't get it. Seems more like a copycat than Vladuz.

Carol

I agree. It isn't Vladuz. I think it is some young person, who clearly lacks maturity.
I doubt any money will be stolen. It sort of like a kid who steals a car to joy ride.
The car isn't sold for parts, it was just stolen for kicks.