uBlock Origin ad blocker now blocks port scans on most sites
A recent update to an ad block filter list now allows the uBlock Origin extension to block most of the known sites that perform port scans of your local Windows computer.
A few weeks ago, we reported that eBay is using fraud detection scripts that port scan a visitor’s computer for Windows remote access programs.
In a followup article, we showed how eleven other sites were port scanning their visitors after cybersecurity intelligence firm DomainTools shared a list of domains utilizing the fraud detection scripts
These port scans are being conducted by the LexisNexis’ ThreatMetrix product and will use WebSockets to port scan the computer for specific ports on the 127.0.0.1 (localhost) address.
The ports being scanned and the associated remote access programs are listed below.
| Program | Ebay Name | Port |
|---|---|---|
| Unknown | REF | 63333 |
| VNC | VNC | 5900 |
| VNC | VNC | 5901 |
| VNC | VNC | 5902 |
| VNC | VNC | 5903 |
| Remote Desktop Protocol | RDP | 3389 |
| Aeroadmin | ARO | 5950 |
| Ammyy Admin | AMY | 5931 |
| TeamViewer | TV0 | 5939 |
| TeamViewer | TV1 | 6039 |
| TeamViewer | TV2 | 5944 |
| TeamViewer | TV2 | 6040 |
| Anyplace Control | APC | 5279 |
| AnyDesk | ANY | 7070 |
At the time of our previous reporting, we tested uBlock Origin on a Windows Chrome desktop client, and it was not able to block the port scans from the sites we tested.
uBlock Origin now blocks port scans on most sites
After reporting on this last weekend, readers started commenting that uBlock Origin for Chrome was able to block the port scans on eBay.
BleepingComputer reached out to Raymond Hill, the uBlock Origin developer, to see if he made any changes related to the port scans.
“I didn’t change anything in uBO related to this specific issue. So it could be that filter lists had filters added to them, or the sites themselves decided to uncloak ThreatMetrix’s server,” Hill told BleepingComputer via email.
Hill suggested I use uBlock Origin’s built-in logger to look for rules blocking the port scan scripts.
eBay had initially been port scanning a visitor from the home page and other pages on the site. They have now moved the port scanning feature to the checkout pages.
Using the logger on the eBay checkout page, we saw that the EasyPrivacy filter list was blocking the port scan script located at src.ebay-us.com/fp/check.js.
Looking through the various commits for the EasyPrivacy list, we can see that a recently added rule blocks the port scanning script on eBay.
After looking at the other sites, the port scan scripts were already being blocked by a filter targeting the script /fp/tags.js?, which was being used to launch the port scanning script.
With eBay’s new filter, the EasyPrivacy ad block filter list now blocks the scripts on eBay (port scan moved to the checkout pages), Ameriprise, Citi, TD Bank, Lendup, BeachBody, Equifax IQ Connect, and Sky.
Rules have not been added for TIAA.org, Chick-Fil-A, Gumtree, or WePay, and those sites are still port scanning visitors even if you are using the uBlock Origin extension.
BleepingComputer had reached out to EasyList with questions, but never received a response.
0 Comments