Symantec Uncovers 44 Million Stolen Game Accounts


Anti-virus company Symantec has discovered a server hosting the credentials of 44 million user accounts stolen from at least 18 different online games.

Symantec, best known as the maker of the Norton software line, stumbled on the server while analyzing a user-submitted sample of code. What apparently got the company's attention wasn't the sheer size of the database but the creative way in which it went about validating each account.

"What was interesting about this threat wasn't just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck," researcher Eoin Ward wrote on Symantec Connect. "By taking advantage of the distributed processing... you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck's creators have done."

"If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password," he continued. "The attackers can then log on to the database and search for the valid user name and password combinations."

The database holds approximately 17GB of "flat file data" from at least 18 different games, including roughly 60,000 Aion accounts, 210,000 World of Warcraft accounts, two million NCsoft accounts (shared across multiple games like Lineage 2, Guild Wars and City of Heroes) and 16 million Wayi Entertainment accounts. Determining the value of the data is "extremely difficult," Ward wrote, because each account may have only a single, first-level character "whose only weapon is a rusty old spoon," or multiple high-level characters with maxed-out equipment.

"This particular database server we uncovered seems very much to be the heart of the operation - part of a distributed password checker aimed at Chinese gaming websites," Ward wrote. "The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games."

"If you are in possession of a gaming account from one of the websites listed above," he added, "an update of your password would not go amiss."


Holy crap, that is a dedicated trojan creation group. Of course, what was the plan for all of these stolen accounts? Selling them whole? Or selling items? That is a lot of data to sift through. Nice job by Symantec!

That's quite scarily organised... well, what will happen now it's uncovered... move somewhere else?

Distinct lack of Steam accounts noted. Although it may be more efficient to just simply pirate the games, for hacking on online games without fear of VAC, you're going to have to hijack the account. Unless you like the hacked servers, and round we go again with the argument.

....Clever girl Trojan

I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?

Flying Dagger:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?

Checking Alexa, it's the 66th most visited site in Taiwan and specializes in "web games", though the latter came from a translation. Seems kinda like a Taiwanese Escapist to me, after having it translated.

Edit: Okay, that was a bit off. They're a game publisher. They've recently got the rights to a future MMO called Bounty Hounds Online. They seem to have a bunch of games, actually. Not very well known in the West it seems. They don't even have an article on Wikipedia.

Deofuta:
Holy crap, that is a dedicated trojan creation group. Of course, what was the plan for all of these stolen accounts? Selling them whole? Or selling items? That is a lot of data to sift through. Nice job by Symantec!

Probably gold farming via bots.

I've had my WoW account hijacked once, a long time ago. Of course, I contacted Blizz and managed to get everything back really quickly, and whoever hijacked it just sold off everything of my alts and used my main to farm, presumably using a bot... Needless to say, when I got it back I had a fuckload of things I could sell left over from whoever hijacked my account. I basically got 5K gold out of like a week of not using my account at all, so I didn't even bother asking GMs to return stuff to my alts I never played anymore; I just used the stuff the hackers didn't sell in time, and it was glorious.

Wow.. that is something else..... um... *changes passwords on all accounts*

I've recently changed my passwords so hopefully I won't get hijacked. So how are they going to return these to the people who owned them?

Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.

Do you guys need the distributed computing aspect of this explained or are we good? Because that part is fucking badass.

Haha, I hope the flaming ban hammer will own them! I hate people that steal!

Lord_Panzer:
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.

It's from World of Warcraft. Some elemental god dude.

Spreading the login attempts to multiple IP addresses is freaking brilliant! Not that I support what they're doing, but come on, you gotta applaud the ingenuity of it!

An easy defense to implement against this tactic would be to limit the volume of attempts PER ACCOUNT USERNAME that is being hit with incorrect passwords, in addition to per IP address.
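The per-username limit suggested above, replayed against the validation pattern the article describes (one guess per compromised IP), as an added example that is not code from the article, from Symantec's write-up or from any commenter; the login log, IPs and usernames are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of login attempts (not from the article). 'alice' is tried
# once from each of several IPs, the spread the article describes; 'carol' is
# tried repeatedly from one IP; 'bob' is a legitimate user who mistyped once.
SAMPLE_LOG = """\
ip=203.0.113.10 user=alice result=FAIL
ip=203.0.113.11 user=alice result=FAIL
ip=203.0.113.12 user=alice result=FAIL
ip=203.0.113.13 user=alice result=OK
ip=198.51.100.9 user=carol result=FAIL
ip=198.51.100.9 user=carol result=FAIL
ip=198.51.100.9 user=carol result=FAIL
ip=198.51.100.9 user=carol result=OK
ip=198.51.100.7 user=bob result=FAIL
ip=198.51.100.7 user=bob result=OK
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")

def replay(log_text, per_ip_limit=3, per_user_limit=3, throttle_users=True):
    """Decide each login attempt in order, before its password is checked.
    Refuse once the source IP has per_ip_limit failures or, if throttle_users,
    once the username has per_user_limit failures from any IPs combined.
    Returns a list of (user, ip, decision); refused attempts add no failures.
    """
    fails_by_ip = defaultdict(int)
    fails_by_user = defaultdict(int)
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login record
        ip, user, result = m.groups()
        if fails_by_ip[ip] >= per_ip_limit:
            decisions.append((user, ip, "blocked_ip"))
        elif throttle_users and fails_by_user[user] >= per_user_limit:
            decisions.append((user, ip, "blocked_user"))
        else:
            decisions.append((user, ip, "allow"))
            if result == "FAIL":
                fails_by_ip[ip] += 1
                fails_by_user[user] += 1
    return decisions

if __name__ == "__main__":
    # Per-IP limiting alone passes alice's fourth guess; the per-user counter refuses it.
    for policy in (False, True):
        print(f"throttle_users={policy}", replay(SAMPLE_LOG, throttle_users=policy))
```

A hard per-username refusal can itself be abused to lock a legitimate user out, so production systems usually answer excess failures on a username with a delay or a challenge rather than an outright refusal.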

piscian:
Do you guys need the distributed computing aspect of this explained or are we good? Because that part is fucking badass.

If you want to explain it by all means, I already praised it, but it would be nice to get some details.

What they did was wrong here, but damn if it isn't clever as hell.

Flying Dagger:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?

You have to download something, but that's not as hard as it sounds: without the proper security (sometimes WITH the proper security), simply clicking "no thanks" on a pop-up ad could do it.

Just a reminder, people: NEVER click ANYTHING on a pop-up, even a "no thanks" or "no". Just by clicking the pop-up you can cause damage; better to close the open browser from Windows, or hit the back button.

Lord_Panzer:
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.

World of Warcraft - It's Ragnaros, the final boss from the Molten Core raid. And yes, his hammer can be acquired.

Scary thought. I never expected a dedicated Trojan group to do something like this.

Jesus Christ... That is a major find by Symantec... Well done to them. Well, at least it mainly affects Chinese-based gamers rather than European/American gamers.

danpascooch:

Flying Dagger:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?

You have to download something, but that's not as hard as it sounds: without the proper security (sometimes WITH the proper security), simply clicking "no thanks" on a pop-up ad could do it.

Just a reminder, people: NEVER click ANYTHING on a pop-up, even a "no thanks" or "no". Just by clicking the pop-up you can cause damage; better to close the open browser from Windows, or hit the back button.

This, or use Opera/Firefox. No pop-ups, ever. Fixed. :P

Charcharo:
Haha, I hope the flaming ban hammer will own them! I hate people that steal!

Lord_Panzer:
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.

It's from World of Warcraft. Some elemental god dude.

It's Ragnaros, the last boss in the vanilla WoW 40-man raid dungeon Molten Core, and yes, that ultimate ban hammer is available to players.

Nice work, Symantec. Hopefully they can track these guys down and shut them down quickly, or at least have some police or government agency take the server for evidence.

Belladonnah:

danpascooch:

Flying Dagger:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?

You have to download something, but that's not as hard as it sounds: without the proper security (sometimes WITH the proper security), simply clicking "no thanks" on a pop-up ad could do it.

Just a reminder, people: NEVER click ANYTHING on a pop-up, even a "no thanks" or "no". Just by clicking the pop-up you can cause damage; better to close the open browser from Windows, or hit the back button.

This, or use Opera/Firefox. No pop-ups, ever. Fixed. :P

I don't know of any browser that can block 100% of pop-ups, but I've never used Opera. Maybe it's just freaking brilliant and I had no idea.

But this is an epic find by Symantec. I'm still not clear on exactly how they stumbled upon this from code someone else submitted, but props to them.

KeyMaster45:

Charcharo:
Haha, I hope the flaming ban hammer will own them! I hate people that steal!

Lord_Panzer:
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.

It's from World of Warcraft. Some elemental god dude.

It's Ragnaros, the last boss in the vanilla WoW 40-man raid dungeon Molten Core, and yes, that ultimate ban hammer is available to players.

Is it one of those things where, when you see it up close ('it' being the one you can use) the first thing that springs to mind is "It's only a model"?

So they just try tons of obvious passwords?
:S

Wow. Now that's a virus. Did it ever say how Symantec came across this database and how they managed to figure out what was in it? That would be quite interesting. Those figures are quite impressive as well. Though I do not understand the drastic figure differences between different MMOs; perhaps different areas have a preference for different games.

Tharticus:
Scary thought. I never expected a dedicated Trojan group to do something like this.

There's a great deal of money to be made selling virtual currency. People view gold sellers and farmers as poor suckers slaving away in a sweat shop in some Asian country, which I'm sure happens, but stealing is a lot less time consuming with a higher profit margin, and a lot of these groups have ties with various criminal organisations.

The days of hackers being geeks in the basement doing it just to see if they can are long gone for the most part, now it's about cold hard (virtual) cash.

I read about this earlier today. It's indeed some big-ass millions of dollars going around. So many people don't even realize they have been already robbed of their virtual avatars.

Lord_Panzer:

KeyMaster45:

Charcharo:
Haha, I hope the flaming ban hammer will own them! I hate people that steal!

Lord_Panzer:
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.

It's from World of Warcraft. Some elemental god dude.

It's Ragnaros, the last boss in the vanilla WoW 40-man raid dungeon Molten Core, and yes, that ultimate ban hammer is available to players.

Is it one of those things where, when you see it up close ('it' being the one you can use) the first thing that springs to mind is "It's only a model"?

Linky about the guy itself: http://www.wowwiki.com/Ragnaros
Linky about the hammer: http://www.wowwiki.com/Sulfuras,_Hand_of_Ragnaros
Raggy, as he's generally known to WoW players, is the final boss of the first 40-man raid (co-op) dungeon. Lorewise he's an Elemental Lieutenant, leader of all fire elementals and a servant of the Old Gods. By today's standards, his 1000k hp and 500 or so dps are pathetically low (about 1% of the power of the current top dog), but he's scheduled for making a repeat appearance in the new expansion...

And yes, he looks badass. Meeting him for the first time in the game without having seen him before is one of the coolest moments in gaming.

Brainst0rm:

Belladonnah:

danpascooch:

Flying Dagger:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?

You have to download something, but that's not as hard as it sounds: without the proper security (sometimes WITH the proper security), simply clicking "no thanks" on a pop-up ad could do it.

Just a reminder, people: NEVER click ANYTHING on a pop-up, even a "no thanks" or "no". Just by clicking the pop-up you can cause damage; better to close the open browser from Windows, or hit the back button.

This, or use Opera/Firefox. No pop-ups, ever. Fixed. :P

I don't know of any browser that can block 100% of pop-ups, but I've never used Opera. Maybe it's just freaking brilliant and I had no idea.

But this is an epic find by Symantec. I'm still not clear on exactly how they stumbled upon this from code someone else submitted, but props to them.

Opera blocks 100% of them. Firefox doesn't by default, but with 2 addons it does.

Now that is a lot of people's hard-earned time and effort getting hacked there! See, this is why I copy and paste my password, so that there is no way it can be read; the only thing they will get out of me is 'Ctrl V'. Mwahaha!

-M

That's sort of scary.

Just as well my WoW account's been inactive for a long time. But could these have some connection to the mysterious emails from people pretending to be Blizzard (that Chrome rather handily told me about them being phishers)?

Belladonnah:

Opera blocks 100% of them. Firefox doesn't by default, but with 2 addons it does.

What are the names of those two plug-ins? I'd really like to know, and I'm sure others would appreciate the info too.

This server can only be destroyed by the mythical (ban) hammer of Thor himself! Or you know, deleting the information and destroying the program.

It's cool that they shut this down, but it's weird that these apparently professional hackers got caught by the Norton guys.

FBPH:

Belladonnah:

Opera blocks 100% of them. Firefox doesn't by default, but with 2 addons it does.

What are the names of those two plug-ins? I'd really like to know, and I'm sure others would appreciate the info too.

ABP (AdBlock Plus) and Ad Blocker take care of every pop-up and allow you to block ads or specific frames (in the case of websites which have a side frame with different publicity every time, you can block the frame altogether).

https://addons.mozilla.org/en-US/firefox/addon/1865/
https://addons.mozilla.org/en-US/firefox/addon/6826/

(Ad Blocker also blocks publicity in youtube videos)

It's also recommended to have NoScript. It blocks all scripting on every site, and you can just add sites to the white list with a click, but it is more bothersome because every time you open a site for the first time you need to add it partially/totally to the white list to see flash/javascript/forms.
