Websites port scan computers for remote access programs

Discussion in 'other security issues & news' started by Surt, May 24, 2020.

  1. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    05/27 Update: Not just eBay as it turns out. I had the title changed from "eBay scans..." to "Websites scan..." Thanks moderator!

    "When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications."

    https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

    Sure does!
    AdGuard rule works:
    ||src.ebay-us.com/fp/check.js$domain=signin.ebay.com
     
    Last edited: May 27, 2020
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    My BitDefender blocks attempts to connect on not to eBay.
     
  3. guest

    guest Guest

    eBay users spot the online auction house port-scanning their PCs. Um... is that OK?
    May 26, 2020
    https://www.theregister.co.uk/2020/05/26/ebay_port_scans_your_pc/
     
  4. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Websites Conducting Port Scans - Schneier on Security
    https://www.schneier.com/blog/archives/2020/05/websites_conduc.html
    There's a bunch of relevant links within the article and the comments.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Thanks, Surt. Interesting info on the site you linked. :thumb:
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    I think eBay got the message as I'm not seeing the local port websocket scans as of today.

    I did verify CitiBank, and I use citiretailservices.citibankonline.com, where the scans occur even after I log in, and they reoccur for every page I navigate to, like recent activity, profile, make payment (!) and finally the logged-out confirmation page.

    The AdGuard rule
    ||citibankonline.com/fp/check.js$domain=citibankonline.com
    does the trick.

    But it seems check.js is the common denominator. I do see it in several of the handful of websites I've visited so far where the scans are not active.

    This kind of stuff is way over my pay grade and I use AdGuard's built-in "block" feature.

    I'm wondering whether a rule blocking check.js itself, even if I could figure that out, wouldn't break other things. "check.js" looks pretty generic.
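Added example (not part of the thread, and not AdGuard's own matching engine): a simplified JavaScript matcher for the rule shapes quoted above, showing how narrowly the two posted rules are scoped compared with a bare `check.js` pattern. Only `||` anchoring, plain substring patterns and the `$domain=` option are handled; all request and page URLs are constructed for illustration.

```javascript
// Added example: evaluates a small subset of Adblock-style rule syntax
// ("||" host anchoring, plain substring patterns, "$domain=" option only).
const EBAY_RULE = "||src.ebay-us.com/fp/check.js$domain=signin.ebay.com";
const CITI_RULE = "||citibankonline.com/fp/check.js$domain=citibankonline.com";
const BROAD_RULE = "check.js"; // hypothetical catch-all, not a rule from the thread

// True when host equals domain or is a subdomain of it.
function onDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function parseRule(rule) {
  const [pattern, options = ""] = rule.split("$");
  const domains = options.split(",")
    .filter((o) => o.startsWith("domain="))
    .flatMap((o) => o.slice("domain=".length).split("|"));
  return { anchored: pattern.startsWith("||"), text: pattern.replace(/^\|\|/, ""), domains };
}

// requestUrl: the resource being fetched; pageUrl: the page that requested it.
function ruleBlocks(rule, requestUrl, pageUrl) {
  const { anchored, text, domains } = parseRule(rule);
  const req = new URL(requestUrl);
  const pageHost = new URL(pageUrl).hostname;
  // "$domain=" limits the rule to requests made from those sites and their subdomains.
  if (domains.length && !domains.some((d) => onDomain(pageHost, d))) return false;
  // An unanchored pattern matches anywhere in the request URL.
  if (!anchored) return requestUrl.includes(text);
  // "||" lets the pattern start at the hostname or at any parent-domain boundary.
  const rest = (req.port ? ":" + req.port : "") + req.pathname + req.search;
  const labels = req.hostname.split(".");
  return labels.some((_, i) => (labels.slice(i).join(".") + rest).startsWith(text));
}

// Constructed URLs: the scoped rule leaves an unrelated script alone, the broad one does not.
console.log(ruleBlocks(EBAY_RULE, "https://unrelated.example/js/spellcheck.js", "https://unrelated.example/"));
console.log(ruleBlocks(BROAD_RULE, "https://unrelated.example/js/spellcheck.js", "https://unrelated.example/"));
```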
     
  7. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    What does that mean? Does it stop the scans?
    You're welcome!
     
  8. guest

    guest Guest

    List of well-known web sites that port scan their visitors
    May 30, 2020
    https://www.bleepingcomputer.com/ne...nown-web-sites-that-port-scan-their-visitors/
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I read that port scan blocking in AdGuard is achieved by enabling the EasyPrivacy filter.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    It seems that it's the same list that blocks it in uBlock Origin.
     
  12. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Thanks for the heads up on that.

    I verified the blocking works with EasyPrivacy in AdGuard's Firefox extension where their own privacy filter, AdGuard Tracking Protection, does not. Tested CitiBank and Ameriprise. Both filters dated June 8.

    As I reported in #6 for eBay, it seems Chick-fil-A and ESPN have dumped the scheme as well.

    Wish I had time to test some more. Cheers.
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    More than welcome. Thanks for the thread!
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes, AdGuard's Chrome extension is where I am able to verify that the EasyPrivacy filter is enabled.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    AdGuard Tracking Protection filter is not the same as the EasyPrivacy filter. In order to find EP filter in AdGuard for Windows 7.4.2, go to --> Settings / Ad Blocker / Installed filters / + Add a filter, which will load available filters, and you can select EasyPrivacy.
     
  16. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    For the time being I'm going to run a sized Developer Tools window next to Firefox while visiting financial, commerce and personal services websites as long as I'm depending on EasyPrivacy at this point in time, until hopefully a more comprehensive solution is developed.

    Unlikely, I believe, in that this hasn't generated as much excitement as the long-running persistent outrage over the CCleaner phone home atrocity. :eek: [/SARC]

    Note that sites can invoke the port scanning not on the home page, but when the user logs into their account.

    The tool is opened by hitting F12. (No doubt, Chrome has a similar feature.) Enabling the WS (websocket) filter in the toolbar keeps things simple.

    With a properly configured blocking solution, some as discussed here, the window will be blank and the status will read "No requests."

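Added example (not part of the thread): the manual DevTools check described above can be repeated offline by saving the Network panel as a HAR file and listing every request a page made to a loopback address. The code assumes HAR 1.2 field names and that each page's `title` holds its URL; the sample HAR, hosts and ports are constructed.

```javascript
// Added example: flag loopback requests in a DevTools HAR export (HAR 1.2 fields assumed).
const DEFAULT_PORT = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// True for localhost names, 127.0.0.0/8 and the IPv6 loopback address.
function isLoopback(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})(\.\d{1,3}){3}$/);
  return m !== null && m[1] === "127";
}

// Parse a URL without throwing; HAR page titles are not always URLs.
function tryUrl(text) {
  try { return new URL(text); } catch { return null; }
}

// Returns { pageTitle: ["scheme:port", ...] } for requests a page made to loopback.
function findLoopbackProbes(har) {
  const titles = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const found = {};
  for (const entry of har.log.entries || []) {
    const url = tryUrl(entry.request.url);
    if (!url || !(url.protocol in DEFAULT_PORT) || !isLoopback(url.hostname)) continue;
    const page = titles.get(entry.pageref) || "(unknown page)";
    const pageUrl = tryUrl(page);
    // A page served from loopback (local dev server) talking to itself is not a probe.
    if (pageUrl && isLoopback(pageUrl.hostname)) continue;
    const probe = `${url.protocol}${Number(url.port) || DEFAULT_PORT[url.protocol]}`;
    found[page] = found[page] || [];
    if (!found[page].includes(probe)) found[page].push(probe);
  }
  for (const page of Object.keys(found)) found[page].sort();
  return found;
}

// Constructed sample (not captured traffic); hosts and ports are placeholders.
const SAMPLE_HAR = { log: {
  pages: [{ id: "p1", title: "https://signin.shop.example/" },
          { id: "p2", title: "http://localhost:8080/" }],
  entries: [
    { pageref: "p1", request: { url: "https://signin.shop.example/fp/check.js" } },
    { pageref: "p1", request: { url: "wss://127.0.0.1:5900/" } },
    { pageref: "p1", request: { url: "wss://localhost:3389/" } },
    { pageref: "p1", request: { url: "wss://127.0.0.1:5900/" } },
    { pageref: "p1", request: { url: "ws://[::1]:81/" } },
    { pageref: "p2", request: { url: "http://localhost:8080/app.js" } },
  ] } };
console.log(findLoopbackProbes(SAMPLE_HAR));
```

An empty result corresponds to the "No requests" state in the WS filter; any entry names the page and the local ports it tried to reach.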
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  18. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    I just caught that BC post in my RSS client. Thanks for posting it up, Minimalist. Just got done installing it in Firefox 77.0.1.

    I removed EasyPrivacy to give it a whirl and Behave! works as advertised.

    I like that it can be toggled off and on from within the icon's panel, Prefs. That's where one finds "Reset monitor data" to clear the data and remove the icon's red flag, as it doesn't reset itself when leaving the offending site.

    EasyPrivacy added again for Behave! to warn about sites that haven't yet been or won't/can't be added to the list.

    I can't find where the debug log gets written to. Don't have the time to scour its GitHub site right now...
     
  19. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    EasyPrivacy is having difficulty in keeping up as of late.

    I hope someone is working on a method to whack this ********.
     
  20. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Google joins in on the fun. On port 81, no less. This occurred while searching on an actress in Fear the Walking Dead if I thought I recognized her from The Walking Dead. (She was.) If I was actually searching for porn, I would not be using the browser setup wherein this occurred...

    Don't open nitrovideo at work or in polite company or in a family environment.

     
    Last edited: Nov 9, 2020