Toon Hacking/Account Stealing/Keylogging Consolidated Thread

[Shaman_Healer]

Quote:

Originally Posted by Oswaldor

Did you change your password / email / any user settings between the accounts getting compromised?
Also is your Windows system a fully patched one?

Password was firstly changed by myself once the first 24 hours was up and I could use the option in station.sony.com. When I contacted CS via phone they changed my password again. I then logged onto my account and changed it to something never used before as a password. SOE suspended my account while they looked into the char and did the roll-back and they set a temp password. I had access to my account for 5 days prior to the second attack on my account and had changed my password twice in that time. During this time I was running all the programs as mentioned above on a daily basis.

As for Windows, yes it is fully up-to-date, automatic updates run daily.

Quote:

Originally Posted by bmg2

It's been mentioned before, but if anyone's ever logged into your account from a pc other than your own, you're at risk even if your pc is clean. Just something to keep in mind.

I have never logged into my account from another pc, not even my fiance's who plays EQ2 and has thankfully not been effected like me.

[Oswaldor]

Quote:

Originally Posted by Unsound

I appreciate your kind comments Oswaldor. And while your assertions could be very viable, they are no more viable than the problem being ie related. And I dare you to say firefox is not sexier than ie.

I don't really consider sexy a factor when evaluating browsers, it is something I solely use when evaluating hookers and young women with a daddy complex.

[nhdjoseywales]

Quote:

Originally Posted by Shaman_Healer

I've now been hacked twice in 10 days with both my char and guild affected. After waiting 5 days for CS to respond to my updated petition I was told it was the work of plat farmers and that my security must be compromised. Since my petition I've been running the following programs on a daily basis:

- ESET NOD32
- Counterspy v2
- Webroot Spy Sweeper
- Ad-Aware Pro

None have identified or found anything such as trojans or keyloggers and have only shown up low-risk cookies. None of my credit cards/online banking/ emails have been compromised and I have been using Firefox instead of IE.

I have run X-NetStat Pro and the only thing it's thrown up is an IP address which only activates when I start EQ2Map. This is the only 3rd party program I have ever downloaded or used. The IP address is static and is 63.247.72.195. Google doesn't identify it and it doesn't show up when I start up EQ2.exe. Does anyone else who runs EQ2MAP see a connection to this IP address?

I can't believe it is anything but a compromise at SOE themselves or at the very least, it's definitely not a compromise of my own security based on the above information.

Humor me and download the trial version of Sophos and run that. The programs you ran are really more antispyware programs and could be missing some viruses. Sophos comes out with 90+ percent of definitions before anyone else so if its a new variant its probably the best chance of finding it. Despite petgroups insistance that Webroot is the most awesome thing on the planet, i have to confess any program that will show you an infection and not clean it until you give them money is just fucking bullshit, they obviously care more about your 40 bucks than about security.

I still think it could be an infection or maybe even a past phishing venture that paid off. I have seen some really good phishing and drive by install attempts, including ones that opened up the most convincing microsoft update notice telling me to install the latest malicious software tool. I am just wondering if maybe some people got duped into going to a fake sony site and re-entering their secret question or something like that. Does anyone recall getting unsolicited email from soe of this nature?

[Oswaldor]

So to recap we have 4 compromised folks posting - correct me if I am wrong (I am counting axuis' friend as one, though I silently believe that it is axuis herself).

Just 1 had a trojan/virus/keylogger which was the Zlob. This one has not been connected with the attack that SOE blames.

The other 3 had clean systems;

Shaman_healer was compromised twice with all the bells and whistles running to protect the machine. The trojan in question has 1 report of deleting itself - however shaman_healers experience denounces that as a possibility.

From the little analysis I did, then the trojan doesn't target EQ2 specifically (nor LOTRO as reported by medias who apparently don't care to check the validity of their sources), but instead seems to just target IE password fields.

There are hundreds of compromised accounts according to one over-worked GM (ie. probably 25% of the entire EQ2 playing population) - causing stress among the support folks at SOE.

SOE reported, as MonkeyBob stated that some PS3 accounts were compromised (official statement from SCEA: PlayStation.com ). Though SCEA and Sony Station are two different entities it still raises some eyebrows in lieu of the date and the many hundred compromised station accounts.

Station's own website is holed and it has two open vulnerabilities,

1 - one serious XSS: http://www.station.sony.com/casualProduct.vm?Id=002%3C/div%3E%3Cscript%3Ealert('Hi!!')%3C/script%3E

2 - the password reset feature where you can make educated guesses on the issued key and force someone to 'get a new password'. Ask if you need more info on this - or challenge me to force a password reset for you!!..(no I would not actually do it as it would be illegal.. well maybe not)

I don't, but then again I am not an authority, see the user's being compromised as the number 1 vector for these attacks.
The open XSS could easily be used to grab the 'remember me' cookies (whether they can used is another matter) and of course could be used to make a very believable fake login site (among just a few of the slew of possible attack vectors that XSS is used for).
The password reset vulnerability, although not useable to compromise accounts unless said account's associated email addie was compromised too, is an indicator that those folks writing the Sony Station website do not have a security mindset.

Sony holds the answers but their ventures in security and how they 'implement' it is questionable to say the least (though the announcement by SCEA is a positive move).

[Petgroup]

Quote:

Originally Posted by nhdjoseywales

Humor me and download the trial version of Sophos and run that. The programs you ran are really more antispyware programs and could be missing some viruses. Sophos comes out with 90+ percent of definitions before anyone else so if its a new variant its probably the best chance of finding it. Despite petgroups insistance that Webroot is the most awesome thing on the planet, i have to confess any program that will show you an infection and not clean it until you give them money is just fucking bullshit, they obviously care more about your 40 bucks than about security.

Right from the friggin link I have give out countless times.

Most Award-winning and Effective Combined AntiVirus and AntiSpyware Product

Webroot's antivirus detection is powered by Sophos®, known globally as a pioneer and industry leader in the fight against viruses. This leading technology has been awarded the Virus Bulletin 100 Award 39 times. No other major antivirus provider has done better!* Webroot Spy Sweeper is the industry leader in antispyware protection and the most award winning. Our technology has been proven by independent testing to find and remove 40% more spies than any other antispyware software.



Click Me nhdjoseywales

[nhdjoseywales]

Quote:

Originally Posted by Petgroup

Right from the friggin link I have give out countless times.

Most Award-winning and Effective Combined AntiVirus and AntiSpyware Product

Webroot's antivirus detection is powered by Sophos®, known globally as a pioneer and industry leader in the fight against viruses. This leading technology has been awarded the Virus Bulletin 100 Award 39 times. No other major antivirus provider has done better!* Webroot Spy Sweeper is the industry leader in antispyware protection and the most award winning. Our technology has been proven by independent testing to find and remove 40% more spies than any other antispyware software.



Click Me nhdjoseywales

sophos still offers a fully functional free trial, where your powered by sophos product requires a noob to pay to clean their box, im not feelin the ownage

[Petgroup]

Quote:

Originally Posted by nhdjoseywales

sophos still offers a fully functional free trial, where your powered by sophos product requires a noob to pay to clean their box, im not feelin the ownage

How much does Sophos cost after the trial is over? I know the answer, I just wanna hear you say it.

Now let everyone here know what they do when the trials over because I'm sure they wanna spend that much $ to prevent something from happening when I provided them with a more than reasonable and SAME product solution.

[nhdjoseywales]

Quote:

Originally Posted by Petgroup

How much does Sophos cost after the trial is over? I know the answer, I just wanna hear you say it.

Now let everyone here know what they do when the trials over because I'm sure they wanna spend that much $ to prevent something from happening when I provided them with a more than reasonable and SAME product solution.

the cost after the trial is not relevant, the fact remains it will clean the infected pc for free. after you run it as a cleaner you can use AVG for free. avg is a great antivirus, but i know sophos is faster on the definitions and why i use it as a cleaner.

many of these people have a normal virus solution, we are just asking them to run a preferred additional scanner so what they have been doing is fine after the trial is over if it doesnt find anything

[Petgroup]

Quote:

Originally Posted by nhdjoseywales

the cost after the trial is not relevant, the fact remains it will clean the infected pc for free. after you run it as a cleaner you can use AVG for free. avg is a great antivirus, but i know sophos is faster on the definitions and why i use it as a cleaner.

many of these people have a normal virus solution, we are just asking them to run a preferred additional scanner so what they have been doing is fine after the trial is over if it doesnt find anything

So your solution is this:

Download Sophos to effectively get rid of stuff then put on a "lesser" quality AVG afterwards?

You really are an idiot.

Edit: Since you danced around my question, Sophos is $200 if you guys wanna buy it since its business class oriented or for $40 you get Webroot that uses Sophos. Tough choice.

[nhdjoseywales]

Quote:

Originally Posted by Petgroup

So your solution is this:

Download Sophos to effectively get rid of stuff then put on a "lesser" quality AVG afterwards?

You really are an idiot.

if you really believe in the magic antivirus program that always finds everything, you are the idiot.

not everyone has an extra 50 bucks to spend on antivirus software, so a totally free solution is bad?