How did the breach happen?
The eBay statement says that only a small number of employee log-in credentials were hijacked. This is typical of spear-phishing - an attack in which the attacker targets a specific employee (or a group of employees) with crafted email messages, which include links or attachments that, when followed or opened, exploit a vulnerability and install malware on the machine, said Dinnar. "Usually, such malware is capable of collecting stored passwords (for example, those stored in browsers or elsewhere on the machine) and recording keystrokes, then sending them back to the attacker. The attackers could select this group of employees by collecting information on the employee roles in eBay and assembling a list of specific employees to target based on, for example, information available from social networks."
"The important aspect here is that this group of employees had access to information that the organisation considers sensitive, i.e. they had access privileges to this information," he added. "The fact that the credentials of these privileged accounts resided on the employees' machines and that these privileges were tied to their personal accounts is a vulnerability well known to many organisations today."
According to Dinnar, the leading recommendation to address this vulnerability includes two steps - embracing a "least-privileged" approach (specifically, separating the standard user account used for daily activities from the privileged account used for more sensitive activities, and limiting the privileges of the standard account) and employing controls that prevent the sensitive passwords from residing on, or being used from, the potentially vulnerable endpoints (for example, by employing jump servers that authenticate the user and establish the privileged session without the privileged password ever reaching the endpoint).