Websites Conducting Port Scans

Security researcher Charlie Belmer is reporting that commercial websites such as eBay are conducting port scans of their visitors.

Looking at the list of ports they are scanning, they are looking for VNC services being run on the host, which is the same thing that was reported for bank sites. I marked out the ports and what they are known for (with a few blanks for ones I am unfamiliar with):

  • 5900: VNC
  • 5901: VNC port 2
  • 5902: VNC port 3
  • 5903: VNC port 4
  • 5279:
  • 3389: Windows remote desktop / RDP
  • 5931: Ammy Admin remote desktop
  • 5939:
  • 5944:
  • 5950: WinVNC
  • 6039: X window system
  • 6040: X window system
  • 63333: TrippLite power alert UPS
  • 7070: RealAudio

No one seems to know why:

I could not believe my eyes, but it was quickly reproduced by me (see below for my observation).

I surfed around to several sites, and found one more that does this (the citibank site, see below for my observation)

I further see, at least across ebay.com and citibank.com the same ports, in the same sequence getting scanned. That implies there may be a library in use across both sites that is doing this. (I have not debugged into the matter so far.)

The questions:

  • Is this port scanning “a thing” built into some standard fingerprinting or security library? (if so, which?)
  • Is there a plugin for firefox that can block such behavior? (or can such blocking be added to an existing plugin)?

I’m curious, too.

Posted on May 27, 2020 at 6:45 AM • 57 Comments

Comments

Stoff May 27, 2020 7:05 AM

Another possibility is both websites have built in a dependency, that has been compromised, and that dependency is responsible for the port scan. These sites may very well be victims of a supply chain vulnerability and themselves none the wiser, which is also a symptom of an organisation that hasn’t got a handle on their own security.

Ulf May 27, 2020 7:11 AM

That is weird. I’m not seeing it on either citi.com or ebay.com, but I’m accessing them from Germany – maybe it’s a country-specific thing.

Jens May 27, 2020 7:21 AM

@Ulf:
Golem.de reported that those scans don’t happen for users on Linux.
Would that be an explanation for you not seeing any scanning attempts?

Tom C May 27, 2020 7:23 AM

This might be related to something I’ve noticed for some time. I have a phone with a pop-up selfie camera. Every time I open ebay in the browser on that phone, the selfie camera pops up. I assume it takes a photo.

On the one hand, it’s really creepy seeing it do it.

On the other hand, if your phone doesn’t have a pop-up selfie camera, how would you know it was doing this?

Alain May 27, 2020 7:24 AM

Be aware that the port scan is running locally in the browser, not from the server.
Thus it’s running behind the firewall and more dangerous.

This is for me a major problem with the browsers.

noscript is a nice precaution.

me May 27, 2020 7:24 AM

@Ulf same here, from Italy, i took a quick look and seems that they don’t do port scan.
i’d guess that it’s because gdpr: what is the legal reason to collect such data? none so maybe they don’t do it in europe.

i’m a bit confused about same-origin policy of browsers.
i know that you can do CSRF (cross site request forgery) so that any page you visit can request “an image” located at 127.0.0.1/routerLogin or whatever other port.
but the article i read said they used web sockets, i don’t know if this means that they can read answers.
for example is possible that the bank or whatever entity uses websockets to tunnel the connection/data? i don’t think so otherwise ANY website could tunnel google or facebook traffic and steal logins and do whatever they want.
i think they can only receive a response: connected/failed to connect.
am i right?
also if they request resources from 127.0.0.1 and i’m using ublock origin which shows every request and it’s domain/ip name i should see them there right?

jbmartin6 May 27, 2020 7:32 AM

Important to note, it is scanning the local loopback, not the internet interface, via something in the web browser. i.e. the scan is not coming from ebay owned servers over the Internet. I would have said this was not possible due to the same origin blocks in the browser, unless there is some sort of DNS rebinding going on.

me May 27, 2020 7:33 AM

some more info:
https://medium.com/@stestagg/stealing-secrets-from-developers-using-websockets-254f98d577a0
Try it yourself here:
http://frontend-overflowstack.com/
note that this uses “localhost” domain, and ublock detect it so it can be blocked and it’s blocked with my settings (default deny all javascript and xhr)
i don’t know if it works also with 127.0.0.1 but i think yes, i remember that sometimes i saw ublock reporting ip addresses instead of domain names for some cdn.

scot May 27, 2020 8:33 AM

I have a Citibank credit card, which I had to have replaced recently due to an US$800ish unauthorized card-not-present charge on it. Given that Citibank’s website asked for the full PAN to activate the card (a pretty egregious violation of Payment Card Industry Data Security Standards), I think “they have idiots in charge, and malware embedded in their website” is a perfectly reasonable explanation.

Milen May 27, 2020 9:28 AM

I’d imagine that is all done for the ‘benefit’ of the users. Someone, somewhere decided that running such applications indicates a compromised machine (which is the case only in some instances).

To be fair, running a remote sharing software and accessing your bank account at the same machine does not strike me as a particularly good practise.

Clive Robinson May 27, 2020 10:10 AM

@ ALL,

This only happens because your browser downloads code –javascript in this case– from the website and runs it with the permissions your browser has…

And people wonder why I suggest that running with Javascript turned off and not using HTML5 browsers…

The first rule of security is,

    Do not let anything untrusted in to your systems.

For some reason web developers think this rule does not apply to them and their code…

Then some nasty minded individual comes along with their “malware” to abuse peoples systems…

Heed the lesson folks, and try to be safe out there.

David May 27, 2020 10:14 AM

A compromised website detecting banking clients with VNC active would be handy for grabbing login credentials

Ulf May 27, 2020 10:34 AM

@Jens:
I guess it could be, I’m on OS X. Wouldn’t make sense to look up Windows RDP or WinVNC ports on either.

Wael May 27, 2020 10:39 AM

I’m curious, too.

Likely a Device fingerprinting SDK that helps fraud detection.

Gunter Königsmann May 27, 2020 11:39 AM

According to https://www.heise.de/forum/heise-online/Kommentare/Ebay-begruesst-einige-Nutzer-mit-heimlichem-Portscan/Wurde-2015-von-ThreadMatrix-fuer-Bankwebseiten-entwickelt/thread-6379090/ that remote control detector was written by ThreadMatrix in order to improve the security of banks: If your computer might be remote-controlled and does do strange things that is one more red flag.

In Germany they seem to scan only windows PCs and to scan them only once, according to the heise article that comment answers to.

Mr. H May 27, 2020 12:16 PM

If you have implemented certain hardening measures (geo-location disabled, browser and OS obfuscation so it shows Firefox 67 or 68 when they try to “see” who you are, or using a VPN), eBay is implementing their own payment system to break away from PayPal so it would make sense (TO ME) that they’d want to know more about you. They too, have to worry about the bad actors (or is this some new PCI DSS requirement?). It would be interesting to hear from the “inside/industry” what the real reason is unless it’s proprietary and confidential so the bad actors have to work harder to get around it. You have to understand that cybersecurity researchers, analysts, white-hat folks, have almost identical knowledge/skills to the black-hat folks (but different intentions/convictions when it comes to ethics) so it happens quite frequently that I myself am a target of extreme scrutiny when online because some sites that I use, they have obligations to collect as much data as they can about a customer using a Credit Card on their site, to try and figure out the impossible – is someone else using my Credit Card? It’s a constant battle between how much data do they really need in order to verify that I am who I say I am, versus are they trying to collect as much as they possibly can in order to “market” it (sell it) because it’s worth something to somebody what my eating, dressing, hobby, etc. habits are, right?

Mr. H May 27, 2020 2:48 PM

@war59312

I know I shouldn’t say this but I think that every now and then, everyone needs a good laugh. So here it goes: Tell it to your Congressman/Congresswoman.
There’s always a chance (although a VERY slim one) that he/she hasn’t been bought and paid for by the corporate world. You’re welcome. LOL.

Wael May 27, 2020 3:00 PM

Correct! ThreatMetrics®

Cpell chequer got me!
It’s: ThreatMetrix®. Happens almost every time I correct someone’s spelling!

Wael May 27, 2020 4:29 PM

@Clive Robinson, …

Javascript turned off and not using HTML5 browsers

JavaScript is pure evil. I’m aware of efforts to mitigate its weaknesses. No telling how long it’ll take. It’s also not a secret that some OS / Platform providers actively hinder device fingerprinting, especially on mobile devices.

Do not let anything untrusted in to your systems.

I don’t trust myself! Now what?

JonKnowsNothing May 27, 2020 5:06 PM

@Wael @Clive

re:

Do not let anything untrusted in to your systems.

Maybe we should label this: DomCumm260

short for:
  Dominic Cummings took a 260 mile drive to test his eye sight.
pronounced
  Dummkopf Two Sixty

note: 90 + 180 = 270 ; 270 – 10 = 260

ht tps://en.wiktionary.org/wiki/Dummkopf

ht tps://en.wikipedia.org/wiki/Dominic_Cummings
ht tps://en.wikipedia.org/wiki/Dominic_Cummings#COVID-19_pandemic
(url fractured to prevent autorun)

Clive Robinson May 27, 2020 5:11 PM

@ Wael,

I don’t trust myself! Now what?

That depends on why you don’t trust yourself? For many people it’s the “fear of making a mistake” for others it’s that and the “fear of not knowing enough”.

Today there is little or nothing you can do about “not knowing enough”, it’s a fact of life. It’s a state that all experts iregardless of if they have “depth or breadth” suffer from, because humans are neither omnipotent nor omnipresent. Get used to it because there is darn little you can do about it[1].

The fear of “making a mistake” can and has been solved long ago. In part it’s training, but mainly it’s “Drills and checklists”.

Put simply, for every task, you come up with a list of steps which you follow, just as aircraft pilots do. Provided the check list is right and it’s followed correctly then the result should be trustworthy.

Beyond that I can not really say, because if you do not trust yourself for other reasons, then it’s not security advice you need.

[1] Yes I know there are things that can be done about it and we’ve had those discussions in the past over the implications of C-v-P. But the simple fact is for whatever reason the industry does not want to go that way… Security is still very very low on the list of priorities and various vested interests do not want that changing.

Wael May 27, 2020 7:20 PM

@JonKnowsNothing,

note: 90 + 180 = 270 ; 270 – 10 = 260

Haven’t slept in quite some time and the skull is running on neuron fumes. Decipher!

@Clive Robinson,

It’s a state that all experts …

“Knowledge is like climbing a mountain; the higher you reach, the more you can see and appreciate.” — unknown… I thought either Keats or Shakespeare said something similar, but I can’t find it.

iregardless of if they have “depth or breadth” suffer from

Reminds me of @Buck. I wonder where the buck he went! Hopefully he’s not coughing with high fever. I guess he ain’t bluffin’ … now how to validate with his PGP???

RealFakeNews May 28, 2020 12:57 AM

Browsers, and the internet in general, can’t be trusted. Act accordingly.

I’m sure I read around here somewhere about this port scanning before?

Skipper May 28, 2020 3:00 AM

‘check.js’ appears to run a port scan, check for installed fonts, userAgent, device, version info, etc. Once it has collected this info, it creates a hash which appears to be sent back. This hash remains the same among different instances but not different browsers or devices. Uninstalling a font also changes the hash.

After looking at the ebay website from different devices and browsers, it appears that this is a fingerprinting method to get around incognito mode or clearing cookies. Not sure of the legality here because I can’t port scan ebay but they can port scan me? Mitigation seems to be disabling JavaScript entirely or adding ‘check.js’ to your adblocker of choice. Multiple people have attributed this to ThreatMetrix but I have not directly linked them.

Skipper May 28, 2020 3:05 AM

‘check.js’ appears to run a port scan, check for installed fonts, userAgent, device, version info, etc. Once it has collected this info, it creates a hash which appears to be sent back. This hash remains the same among different instances but not different browsers or devices. Uninstalling a font also changes the hash.

After looking at the ebay website from different devices and browsers, it appears that this is a fingerprinting method to get around incognito mode or clearing cookies. Not sure of the legality here because I can’t port scan ebay but they can port scan me? Mitigation seems to be disabling JavaScript entirely or adding ‘check.js’ to your adblocker of choice. Multiple people have attributed this to ThreatMetrix but I have not directly linked them. As a side note, this isn’t new. About 4 years ago I saw something similar with Facebook running port scans but the javascript was very different. This Ebay one is much larger. The facebook script linked directly back to ThreatMetrix.

Clive Robinson May 28, 2020 3:12 AM

@ Wael,

Reminds me of…

Steven Fry noted that irregardless is a double negative word that the British would never use, except to amuse those in its country of origin…

Apparently according to references in the country of origin it is some kind of miracle word. Because, it came from a place that did not exist at the time[1],

    “irregardless was first acknowledged in 1912 by the Wentworth American Dialect Dictionary as originating from western Indiana, though the word was in use in South Carolina before Indiana became a territory.”

Some have traced its usage in print back to the 18th Century.

[1] Of course the place existed in the reality of the world, but then who ever accused the US Gov of living in reality, especially when you realise the US Gov have changed their datum at least three times… 😉

Mike S May 28, 2020 4:46 AM

Lots of people talking about how awful JavaScript is and how to mitigate this, but lets think about why for a moment.

People falling for fake tech support sites might give a scammer remote access to their computer. If they have a password manager that doesn’t ask for a password every time, this could be an easy way to steal money.

myliit May 28, 2020 6:58 AM

A useful site to help determine how unique you, or your browser are:

https://panopticlick.eff.org

Possible two browser partial workaround:

1 browser no javascript
2 browser with javascript

Anybody know why you have to turn off Fingerprinting Protection to watch https://www.DemocracyNow.org [1] when using Brave’s browser, or you get:

Error loading player:
undefined is not an object (evaluating ‘h.getImageData(0,0,1,1).data’)

[1] It starts shortly?

JonKnowsNothing May 28, 2020 10:09 AM

@Wael
re:

note: 90 + 180 = 270 ; 270 – 10 = 260
Haven’t slept in quite some time and the skull is running on neuron fumes. Decipher!

      90 = right angle
      180 = 2 right angles or a straight angle
      270 = 3/4 of a circle

He traveled 260 miles – not quite 3/4 of a circle.

Sorry, it was rather oblique.

Angles smaller than a right angle (less than 90°) are called acute angles 
An angle equal to 1/4 turn (90° or π/2 radians) is called a right angle
An angle equal to 1/2 turn (180° or π radians) is called a straight angle
Angles larger than a straight angle but less than 1 turn (between 180° and 360°) are called reflex angles.
Angles that are not right angles or a multiple of a right angle are called oblique angles

ht tps://en.wikipedia.org/wiki/Angle
(url fractured to prevent autorun)

R Hilbert May 28, 2020 10:49 AM

@Clive Robinson et al.

“And people wonder why I suggest that running with Javascript turned off and not using HTML5 browsers…”

I disable JavaScript in browsers and have done so for years. There are many reasons:

  1. Speed, it’s amazing how much faster browsing is without JavaScript, why wouldn’t most people want to run this way if they knew about how great the improvement in speed is?
  2. Many fewer ads!
  3. Removing JS kills most of the tracking. Panopticlick, https://panopticlick.eff.org, as mentioned elsewhere within these comments says tracking security is good when JavaScript is turned off (try it yourself).
  4. Page display jerkiness and response latency is reduced very significantly when JS is disabled. I use a toggle JS on/off add-on in my browser, if JavaScript is accidentally left ‘on’, then even without obvious JS effects appearing on-screen, I ‘feel’ within a split second that JS is ‘on’ because the page presentation just isn’t smooth. In fact my response is automatic – hit the ‘deselect JS’ icon and then ‘page refresh’ in one operation.

I cannot understand why users have put up for so long with the huge amount of overhead JavaScript produces on their machines and not have complained about it en masse. That this JS problem is now so bad and that so few computer-literate people actually talk about it, you’d reckon there was a conspiracy of silence at work.

Nevertheless, I have to turn on JavaScript for about 3% of sites I actually visit or they wouldn’t work (note: the percentage of sites I attempt to visit that require JS ‘on’ to function is somewhat higher but I back out of most of them (the web has plenty of ‘compliant’ alternatives).

This port-scanning matter raises a question that I have been asking for ages. Why haven’t some bright sparks invented alternative JavaScript engines that we could just plug into browsers—JS engines that would allow us to tailor or modify various responses to servers’ query to our own liking?

For example, in this case, if the user didn’t want his/her ports scanned then JS could be set to respond “Scan done – no servers found” irrespective of the actual condition of the ports. Time and space permitting, I could list dozens of parameters that could be spoofed or randomized to fool web servers into ‘cooperating’ with us users (not vice-versa as it is now).

Whilst some may think doing this is cheating or it’s dishonest, the fact is that we users are engaged in a privacy war and we’re grossly overwhelmed by superior forces who’ve essentially unlimited money to throw at our meager defenses. As I see it, it’ll be a long while before legislation is introduced or there’s an international treaty that protects us users by limiting the behavior of websites. Essentially, we’ve no alternative if we’re to keep even a modicum of our privacy.

I’d most welcome a discussion on this.

Matt May 28, 2020 12:41 PM

They use CNAMEs to point to the online-metrix.net domain.

In this particular case it is used by a great many sites, you can use inurl: to dork some results.

uBlock Origin, if CNAME checking is enabled, will already block this behavior, but there’s discussion on improving it as hostnames pointing to IANA reserved ranges plus other addresses than localhost aren’t really mitigated fully except through domains blocked right now hosting these scripts.

While there is a blocklist for local IP addresses, to prevent 3rd parties hitting them, further development is being planned:

https://github.com/uBlockOrigin/uBlock-issues/issues/1070

Sandra May 28, 2020 3:55 PM

I bet it is to protect you from Indian scammers, where they get the victim to install TeamViewer or another VNC software, so they can buy or steal money from the bank account.

I bet if you access ebay over TeamView/VNC from your own machine, it will deny you access.

An example of such scam can be seen here https://www.youtube.com/watch?v=X1LLFQ0TTeU

Hristo May 29, 2020 6:11 AM

As someone with tangential connection to the fraud prevention industry, I wouldn’t jump easily to conclusions here. Detecting and preventing fraud is hard and doing it automatically even more so. There are multitude of conflicting requirements. The more information you have, the more confident you can be that it is indeed the legitimate account owner making a particular operation. But you cannot gather this information openly and with the user’s permission since that exposes your methods and makes the detection scheme vulnerable, which negates its purpose. This forces the anti-fraud industry to adopt the same covert data gathering and exfiltration mechanisms that malware authors use. In the end, it is a constant arms race between fraudsters and fraud detectors and every such technique has a limited lifetime before it gets discovered and rendered useless.

It may not be the best solution, and perhaps the problem with fraud should be fought at a different level, e.g., with changes to the legal framework in which payments and merchants operate, but until then, one has no other choice than to look for engineering solutions. The question of what happens with the gathered data should be the subject of strict regulations. And the truth is, the average user doesn’t care that much about their privacy as long as it affords them the convenience of doing things online without being constantly pestered and delayed by identity checks.

Clive Robinson May 29, 2020 6:49 AM

@ Hristo,

Detecting and preventing fraud is hard and doing it automatically even more so.

Actually it’s not it’s actually fairly easy and has been discussed on this blog several times. It was a solved problem in the 1990’s but nobody wanted to do what was required.

Detecting and preventing fraud is only difficult if the systems are so substandard they should not be used.

But the quick and easy solution is “If you don’t use the Internet for any financial transactions, nor does anyone else then fraud can not happen”. It’s as always the stupidity of Banks, Financial Houses, the Credit Card Industry and online selling that is at fault… But as always they “blame the victim” be it the customer or the merchant…

It won’t change until the banks and Financial houses become legally liable for every cent, with no ability to claim back from the customers or merchants. And you can almost guarantee that things will become secure within days of such legislation getting inked.

Jesse Thompson May 29, 2020 5:01 PM

@Clive Robinson, @Hristo

But the quick and easy solution is “If you don’t use the Internet for any financial transactions, nor does anyone else then fraud can not happen”.

So just to be clear, are you suggesting that in the 1980s and earlier prior to any human beings using the Internet for financial transactions, that fraud did not exist?

I will grant that fraud may be easier to perform on the Internet, virtually everything is easier to perform on the internet. Fraud is easier to perform while either the attacker and/or the victim are breathing oxygen, too. Seriously, try telling somebody on the phone your credit card number without functioning lungs. But I’m not going to recommend asphyxiation as a fraud deterrent.

Clive Robinson May 30, 2020 2:28 AM

@ Jesse Thompson,

So just to be clear, are you suggesting that in the 1980s and earlier prior to any human beings using the Internet for financial transactions, that fraud did not exist?

No because all communications systems have been used for fraud even before we had wired communications like the telegraph.

The actual lesson if you will is,

    As system implementers we don’t learn from history. Whereas attackers do.

Thus until we do the best thing to do is not engage in what is known from history to be a very unsafe practice.

But then the flip side of the coin if you like, the counter argument is,

    If we don’t do such stupidly risky things then technology would not develop and improve.

What we have unfortunately done by allowing the likes of banks etc to “externalise the risk” onto the users of their poorly designed and implemented systems is effectively stop the “flip side” from happening. Because the banks have no incentive to improve their systems.

I would argue that putting not just the risk but the cost of that risk back on the banks would have a beneficial effect fairly quickly.

I’ll let others make their own choices about doing “financial transactions on the Internet”. But my choice is not to do so.

c1ue May 30, 2020 10:58 AM

User ID seems unlikely. Even if cookies can’t be used – the easiest way – it is simple to use the same methods as AmIUnique.org to fingerprint a user.
The security bit seems more likely – but of course, the legality is in question.

David Australia May 31, 2020 11:46 PM

to contribute a data point

National Australia Bank internet banking began informing customers in late 2019 it would fingerprint log in, IP and other, ‘to keep you safe’

i know someone that uses it with Firefox and upon login they regularly get a pop up saying the site wants to use HTML5 to canvas data do you agree yes/no

Joe June 1, 2020 2:52 AM

A few people have suggested disabling Javascript.
Get real. Most websites that actually do something (as distinct from showing you fixed text and pictures) require Javascript. That discussion was held a long time ago, and is settled. Today’s web requires Javascript.

Making Javascript implementations secure is a different and worthwhile subject. The appropriate forum is the Ecma standardisation process.

JonKnowsNothing June 1, 2020 3:07 AM

@Joe
re:

A few people have suggested disabling Javascript.
Get real. Most websites that actually do something … that require Javascript.

Reality is: Websites that insist on using JavaScript are insecure by definition. Insisting that everyone else needs to set their systems into an insecure-mode so they can access data or information from an insecure host is unrealistic.

If however, you are able to pull a rabbit out of the hat and make JavaScript secure I am sure many would appreciate it.

Until then.. NO.

Robert June 1, 2020 8:56 AM

@JonKnowsNothing You’re asking the world to ignore the insurmountable economic forces in favor of viewing dynamic data.

The options boil down to:

  • A custom app for every permutation of hardware and operating system for every site or business that displays stock tickers, active orders, firewall alerts, and other forms of dynamic data.
  • A set of tools that are far more platform agnostic and easily repurposable to the specific dynamic data you have. HTML, JS, and CSS.

Economics says one will exist. We are better off with enough diversity to provide competition between browser vendors versus every John Doe programmer and his family getting told to write a native app for every permutation.

JonKnowsNothing June 1, 2020 11:13 AM

@Robert
re:

@JonKnowsNothing You asking the world to ignore the insurmountable economic forces in favor of viewing dynamic data.

Not So. Not at all.

Read

Joe: Making JavaScript implementations secure is a different and worthwhile subject.

Making JavaScript secure, making systems secure, making data secure, making the delivery chain secure is all about the Economics of Security.

Currently the Economics of Security fall on the low-to-zero side of the money balance. Expecting people to keep tipping the balance lower as they pile up insecurity on insecurity on insecurity is Economic Myopia (definition of Neoliberal Policy).

It only works until it doesn’t. And it isn’t looking that healthy.

Personally, as far as wanting flashing emojis and high jacked pictures delivering up-to-the-moment malware, I don’t think so.

ht tps://www.theguardian.com/society/2020/may/15/malicious-tweets-targeting-epilepsy-charity-trigger-seizures

least 200 seemingly coordinated messages [malicious tweets] were sent

ht tps://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/

  1. phishing email
  2. malicious script
  3. shell executable
  4. unauthorized image download from legit site
  5. steganographed image
  6. multiple rounds of encryption
  7. pwnd system

(url fractured to prevent autorun)

mariechen June 3, 2020 3:12 AM

does setting firefox network.websocket.max-connections 0 fix problem? test + share your results.

Daniel Aleksandersen June 8, 2020 11:42 PM

I took a stab at solving this issue. You can use a Proxy Auto-Conf (PAC) file — at least in Firefox — to block access to localhost and all of its common address notations. I wrote about the solution on my blog if anyone’s interested in keeping websites out of their devices.

An interesting aside: Microsoft Edge — the old EdgeHTML version — used to block access to localhost by default. You could unblock it and it would warn you that it would make your device less secure. The new Chromium version no longer comes with this security feature.
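A PAC file of the kind Daniel describes, written here as an added example (it is not the page's code nor the one from his blog): it sends every spelling of the local host to a dead proxy, covering the loopback and unspecified addresses in decimal, hex and octal IPv4 forms, IPv6 and IPv4-mapped IPv6 literals, `*.localhost` names, and, via the PAC sandbox's `dnsResolve()`, names that resolve to a local address (the DNS-rebinding case jbmartin6 raises); under the `BLOCK_PRIVATE` flag it also covers the private LAN ranges that the uBlock local-IP list Matt mentions protects. Assumptions of mine: `PROXY 127.0.0.1:9` (the discard port) has no listener on the machine, and the list of notations is my own.

```javascript
// Added example, not code from the page or from Daniel's blog post: a Proxy Auto-Config
// (PAC) file that routes every request aimed at the local machine to a proxy address that
// nothing listens on, so a page's WebSocket or XHR probes of loopback ports fail inside
// the browser. Assumed (mine): port 9 is a dead sink here; the notations below are my list.

var SINK = "PROXY 127.0.0.1:9";   // assumed dead sink: nothing listens on port 9
var BLOCK_PRIVATE = true;         // also cover 10/8, 172.16/12, 192.168/16, 169.254/16, fe80::/10, fc00::/7

// Parse an IPv4 literal in the lenient forms inet_aton accepts: one to four parts, each
// decimal, 0x-hex or leading-zero octal ("2130706433", "0x7f.1", "0177.0.0.1").
// Returns the address as an unsigned 32-bit number, or null if not an IPv4 literal.
function parseIPv4(s) {
  var parts = s.split("."), nums = [];
  if (parts.length > 4) return null;
  for (var i = 0; i < parts.length; i++) {
    var p = parts[i];
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) nums.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));      // "0" is octal zero
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  var last = nums.pop(), span = 4 - nums.length;   // the final part spans 1..4 bytes
  if (last >= Math.pow(256, span)) return null;
  var addr = 0;
  for (var j = 0; j < nums.length; j++) {
    if (nums[j] > 255) return null;
    addr = addr * 256 + nums[j];
  }
  return addr * Math.pow(256, span) + last;
}

// Expand a lowercase IPv6 literal (with or without a "::" gap or an embedded dotted
// IPv4 tail) into eight 16-bit groups, or null if malformed.
function parseIPv6(s) {
  var m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) {                                // "::ffff:127.0.0.1" -> "::ffff:7f00:1"
    var a = parseIPv4(m[2]);
    if (a === null) return null;
    s = m[1] + (a >>> 16).toString(16) + ":" + (a & 0xffff).toString(16);
  }
  var halves = s.split("::");
  if (halves.length > 2) return null;
  var head = halves[0] ? halves[0].split(":") : [];
  var tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  var gap = 8 - head.length - tail.length;
  if (gap < 0 || (halves.length === 1 && gap !== 0)) return null;
  for (var g = 0; g < gap; g++) head.push("0");
  var raw = head.concat(tail), groups = [];
  for (var i = 0; i < 8; i++) {
    if (!/^[0-9a-f]{1,4}$/.test(raw[i])) return null;
    groups.push(parseInt(raw[i], 16));
  }
  return groups;
}

function ipv4IsLocal(addr) {
  var b1 = addr >>> 24, b2 = (addr >>> 16) & 255;
  if (b1 === 127 || b1 === 0) return true;        // 127/8 loopback, 0/8 "this host"
  if (!BLOCK_PRIVATE) return false;
  return b1 === 10 || (b1 === 172 && b2 >= 16 && b2 <= 31) ||
         (b1 === 192 && b2 === 168) || (b1 === 169 && b2 === 254);
}

// true/false for an IP literal (lowercase, brackets stripped); null if it is not one.
function literalIsLocal(h) {
  if (h.indexOf(":") >= 0) {
    var g = parseIPv6(h);
    if (g === null) return null;
    var hi = g[0] | g[1] | g[2] | g[3] | g[4];
    if (hi === 0 && g[5] === 0 && g[6] === 0) return g[7] <= 1;               // ::1 and ::
    if (hi === 0 && g[5] === 0xffff) return ipv4IsLocal(g[6] * 65536 + g[7]);  // IPv4-mapped
    return BLOCK_PRIVATE && ((g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xfe00) === 0xfc00);
  }
  var a = parseIPv4(h);
  return a === null ? null : ipv4IsLocal(a);
}

// True when `host` (as the browser hands it to FindProxyForURL) names this machine or the LAN.
function isLocalTarget(host) {
  var h = host.toLowerCase().replace(/\.$/, "").replace(/^\[|\]$/g, "");
  if (h === "localhost" || /\.localhost$/.test(h)) return true;     // RFC 6761 names
  var lit = literalIsLocal(h);
  if (lit !== null) return lit;
  // DNS rebinding: a public-looking name can resolve to a local address. dnsResolve()
  // exists only inside the browser's PAC sandbox, hence the guard.
  if (typeof dnsResolve === "function") {
    var ip = dnsResolve(host);
    if (ip) return literalIsLocal(ip.toLowerCase()) === true;
  }
  return false;
}

// PAC entry point: local targets go to the sink, everything else goes DIRECT.
function FindProxyForURL(url, host) {
  return isLocalTarget(host) ? SINK : "DIRECT";
}
```

Point Firefox at the file through its "Automatic proxy configuration URL" setting; as far as I know Firefox exempts loopback from proxying unless `network.proxy.allow_hijacking_localhost` is set to true in about:config, so check that pref when testing.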

TheNorthRemembers June 15, 2020 6:09 AM

As others have mentioned, it’s likely ThreatMetrix or a similar product. We used to run it at a financial services company where I was in infosec.

It’s used to develop a risk profile of the connecting machine to build a risk assessment regarding if the machine was compromised. We didn’t do much beyond building the risk assessment and seeing if we had an account take over situation but it could also be integrated to prompt for additional credentials, reauthenticate the MFA token or in my time there, prompt for additional knowledge based questions. This was well before GDPR but it had geo-location as one of the risk factors so it would be trivial to disable components that did more in depth scanning.

Jerry Lerman July 17, 2020 5:58 PM

The Firefox Extension, Behave!, will flag these, although not yet blocking them. It goes nuts on citi.com. I wish I could block it.
