Old 03-31-2008, 01:34 PM  
Regular
 
Starbuck's Avatar
 
Character: Nightcap
Guild: Unguilded
Server: Nagafen

Posts: 126
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

If we assume that Basta is telling the truth, then waving your AV program dicks at each other is kind of stupid.

Assuming he is not lying: non-infected computer, original account, no shared passwords... stolen account.

More people who have been hacked need to come forward. Be honest. Tell everyone whether you used 3rd party programs or bought plat; it's not like anything will be done to you, but at this point, and with the declaration that an account from a non-hacked computer was nabbed... we need all the info we can get.
Starbuck is offline   Reply With Quote
Old 03-31-2008, 02:44 PM  
The only bruiser MT
 
Character: Splorchess
Guild: Team Venture
Server: ButcherBlock

Posts: 215
Photos: (21)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

Well, to conclude about my friend from Iraq whose account was hacked: his petition got marked as spam because he could not remember what the hell he put for his secret question. As such his toon and the guild bank were left in ruin, and though he was keeping his account active so that when he got home he'd be ready to go, he and his wife both cancelled their accounts.

The only thing I can honestly say is it couldn't have been a keylogger on his computer because for the past 6 months no one has logged in to his account. His wife verified that his kids weren't allowed to use his account at all; they have their own account to mess with.

Also, he wasn't by any means rich on the server, but he was a crafter who made much of his own gear and his wife spent a lot of her time personally harvesting for rares for plat, not buying it from GM worker or some crap. I also played with his toons through their levels so no, they weren't power levelled. The account was originally his; it wasn't purchased either. You're welcome to pick it apart, but if no one typed his username/password in the past couple months, then in no way could a keylogger pick it up.
Splorch is offline   Reply With Quote
Old 03-31-2008, 04:02 PM  
Regular
 

Posts: 189
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

Thank you for contacting customer service for Sony Online Entertainment. GM Spadaccino, at your service!

We're sorry to see you go.

This account was rolled back because you asked us to. Because you logged into xxxxx so many times after your account was hacked, I was unable to simply roll him back; I spent 5 hours going through each line of code tracking down all the items removed from him and restoring them by hand. There is no way to put them back on a character at that point except to dump them in the overflow inventory. The same is true for guild banks, shared banks, and vendor inventory. For each of your characters I had to find the code and then drop them in their inventory. There simply is no other way to do it.

As for why it took us so long to get to your account, there were several hundred compromised accounts. We get to them in the order they are received and go as fast as we can. I put in 12 hours of overtime working on hacked accounts last week. It is not for lack of effort that it takes so long, merely the fact that it's a complicated process.

As you can see, SOE says hundreds of compromised accounts.

SOE response after a week my mate's not been able to play his account.
So thanks to SOE he has to re-petition to get his account back in order again, thanks to someone hacking him.

So 1 week later he's got no 2nd account, 1st account been totally screwed up, and a GM saying he spent x amount of overtime on it.

The guy gets paid ffs, it's his job. We pay them, so we don't expect not to play through other people hacking.

Last edited by axuis; 03-31-2008 at 04:05 PM.
axuis is offline   Reply With Quote
Old 03-31-2008, 05:07 PM  
Visitor
 
Sildroni's Avatar
 
Character: Strasha
Guild: Necessary Evil
Server: Mistmoore

Posts: 79
Photos: (2)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

I'm just wondering if there is a tie in with the official forums, LoN forums, or station.sony.com.

You've got to use your login name and pwd, even tho the forum handle can be different. With lots of time you could cross-reference character names from sigs - maybe even get a few actual login names instead of a forum handle.

Every time I click thru SOE's stuff I get redirected to another part of their web presence, maybe there's a hole there. Sure, it's just speculation, but they did say that the PS3 sites had been compromised (just a little bit tho...).

Maybe it IS them. Grabbing a username/pwd listing from an EQ2 site and then targeting EQ2 players is a helluva lot easier than targeting umpteen thousand PCs and then sifting thru the data looking for people playing EQ2.
__________________
avatar artwork by Nick Deligaris - used with permission
Sildroni is offline   Reply With Quote
Old 03-31-2008, 05:24 PM  
Lil Newbie
 
Server: Runnyeye

Posts: 2
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

I've now been hacked twice in 10 days with both my char and guild affected. After waiting 5 days for CS to respond to my updated petition I was told it was the work of plat farmers and that my security must be compromised. Since my petition I've been running the following programs on a daily basis:

- ESET NOD32
- Counterspy v2
- Webroot Spy Sweeper
- Ad-Aware Pro

None have identified or found anything such as trojans or keyloggers and have only shown up low-risk cookies. None of my credit cards/online banking/ emails have been compromised and I have been using Firefox instead of IE.

I have run X-NetStat Pro and the only thing it's thrown up is an IP address which only activates when I start EQ2Map. This is the only 3rd party program I have ever downloaded or used. The IP address is static and is 63.247.72.195. Google doesn't identify it and it doesn't show up when I start up EQ2.exe. Does anyone else who runs EQ2MAP see a connection to this IP address?

I can't believe it is anything but a compromise at SOE themselves or at the very least, it's definitely not a compromise of my own security based on the above information.
Shaman_Healer is offline   Reply With Quote
Old 03-31-2008, 05:58 PM  
Visitor
 

Posts: 35
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

Quote:
Originally Posted by Shaman_Healer View Post
I've now been hacked twice in 10 days with both my char and guild affected. After waiting 5 days for CS to respond to my updated petition I was told it was the work of plat farmers and that my security must be compromised. Since my petition I've been running the following programs on a daily basis:

- ESET NOD32
- Counterspy v2
- Webroot Spy Sweeper
- Ad-Aware Pro

None have identified or found anything such as trojans or keyloggers and have only shown up low-risk cookies. None of my credit cards/online banking/ emails have been compromised and I have been using Firefox instead of IE.

I have run X-NetStat Pro and the only thing it's thrown up is an IP address which only activates when I start EQ2Map. This is the only 3rd party program I have ever downloaded or used. The IP address is static and is 63.247.72.195. Google doesn't identify it and it doesn't show up when I start up EQ2.exe. Does anyone else who runs EQ2MAP see a connection to this IP address?

I can't believe it is anything but a compromise at SOE themselves or at the very least, it's definitely not a compromise of my own security based on the above information.

The address points to eq2interface.com, which should be valid as they distribute the EQ2Map program - it is most likely the updater connection. I wouldn't worry about this.

Did you change your password / email / any user settings between the accounts getting compromised?
Also is your Windows system a fully patched one?

The recent trojan, which SOE blames, has been known to delete itself.

- and YES, more compromised people (in the context of compromised EQ2 accounts) need to step up and give some information.
Oswaldor is offline   Reply With Quote
Old 03-31-2008, 06:01 PM  
Visitor
 

Posts: 10
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

It's been mentioned before, but if anyone's ever logged into your account from a pc other than your own, you're at risk even if your pc is clean. Just something to keep in mind.

Last edited by bmg2; 03-31-2008 at 06:02 PM.
bmg2 is offline   Reply With Quote
Old 03-31-2008, 06:09 PM  
Visitor
 

Posts: 35
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

Quote:
Originally Posted by Sildroni View Post
I'm just wondering if there is a tie in with the official forums, LoN forums, or station.sony.com.

You've got to use your login name and pwd, even tho the forum handle can be different. With lots of time you could cross-reference character names from sigs - maybe even get a few actual login names instead of a forum handle.

Every time I click thru SOE's stuff I get redirected to another part of their web presence, maybe there's a hole there. Sure, it's just speculation, but they did say that the PS3 sites had been compromised (just a little bit tho...).

Would be a good idea to gather some statistics here as in:

If you got compromised, have you changed your station handle to something other than the username?

Quote:
Maybe it IS them. Grabbing a username/pwd listing from an EQ2 site and then targeting EQ2 players is a helluva lot easier than targeting umpteen thousand PCs and then sifting thru the data looking for people playing EQ2.

- and would make more sense, considering how few people play the game, but be careful as this is pure speculation, and could generate unneeded FUD into the discussion (much like poster idiots Unsound & Arch0n with their useless ramblings).
It would be more 'fun' to blame SOE, but it is highly unlikely and there is simply not enough information out to even make a semi-educated guess.
Oswaldor is offline   Reply With Quote
Old 03-31-2008, 06:16 PM  
Fubar
 
Unsound's Avatar
 
Character: Zaec
Server: Nagafen

Posts: 9
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

I appreciate your kind comments, Oswaldor. And while your assertions could be very viable, they are no more viable than the problem being IE related. And I dare you to say Firefox is not sexier than IE.
Unsound is offline   Reply With Quote
Old 03-31-2008, 06:44 PM  
Visitor
 

Posts: 35
Photos: (0)

Default Re: Toon Hacking/Account Stealing/Keylogging Consolidated Thread

Quote:
Originally Posted by Unsound View Post
This is only happening in IE, through the ActiveX exploits, right? Or the majority of them?

No and no. Read the thread.

Quote:
Stop using IE, people. It's a scourge....and Firefox is so much sexier.

Ahh great, another enlightened individual able to give out proper advice on IT security.

Quote:
It might go to cache for some reason, but someone correct me if I'm wrong, since it's an ActiveX, it's pretty damn harmless sitting in cache unless you get all ActiveX on its ass. And that ain't gonna happen if you're using Firefox and not randomly clicking buttons because you think they are shiny and pretty.

You are wrong. Firefox silently ignores ActiveX, there is no ActiveX cache and I don't believe anyone can get all ActiveX on their arses. ActiveX, as stated before, is a core technology in Windows and was implemented in its earlier versions long before there was anything called Internet Explorer.

First a little info on ActiveX in IE:

Mozilla-based browsers use the Netscape plugin system instead of IE's CAB-based OLE (i.e. ActiveX) components.
The Netscape plugin system runs in the same access system as the browser, and thus has limited access to the system (it can't write files etc.), whereas the IE system gives the component full control over a system - though still with process limitations of the user account that IE is running as (and only if the user allowed 'safe for scripting' components on their system - this mechanism has been circumvented and is the actual IE ActiveX vulnerability).

Without ActiveX functionality in IE, the internet we know today would not have happened yet. It has been, and still is, the driving factor for many many companies to get their applications on their intranets and thus drive the need for interconnected applications.
The plugin-based system of Netscape and later Mozilla-based browsers did not (and do not) have the necessary functionality to carry that load.
So if IE is indeed a scourge, it is a good one (IMHO), as long as it is used properly. I have still to hear about any big security 0-day issues hitting IE.

The trojan discussed as the possible cause of the many compromised EQ2 accounts uses several exploits to hit a system, but just one IE (the ActiveX exploit of 2006 I think - it has been linked previously in the thread), the rest hit other controls from 3rd party vendors - QuickTime among them.

So yes, if the trojan discussed was in fact the agent used to compromise the accounts, you would have been safe if you had used Firefox, but alas had everybody just used Mozilla-based browsers we would probably be arguing on a BBS somewhere over the lame EQ2 MUD game.

Funny to note that you would also have been safe if you had just used common sense as in:

1) Patch your system, both the Microsoft bits, but also any other software bits (Write Microsoft and ask them to create an update system that other vendors can use to distribute security updates through).

2) You have used safe computing - i.e. you don't log on as an administrator, you don't disable the UAC warnings in Vista and you educate yourself on basic computer understanding - it is not really that hard and much more rewarding than reading useless stuff on internet forums.

- but that is only if the trojan was the agent. More and more evidence points the blame elsewhere.
Oswaldor is offline   Reply With Quote
All times are GMT -4.