Symantec Uncovers 44 Million Stolen Game Accounts

Andy Chalk

One Flag, One Fleet, One Cat
Nov 12, 2002
45,698
1
0


Anti-virus company Symantec [http://www.symantec.com] has discovered a server hosting the credentials of 44 million user accounts stolen from at least 18 different online games.

Symantec, best known as the maker of the Norton software line, stumbled on the server while analyzing a user-submitted sample of code. What apparently got the company's attention wasn't the sheer size of the database but the creative way in which it went about validating each account.

"What was interesting about this threat wasn't just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck," researcher Eoin Ward wrote on Trojan.Loginck [http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered]'s creators have done."

"If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password," he continued. "The attackers can then log on to the database and search for the valid user name and password combinations."

The database holds approximately 17GB of "flat file data" from at least 18 different games, including roughly 60,000 Wayi Entertainment [http://na.aiononline.com/] accounts. Determining the value of the data is "extremely difficult," Ward wrote, because each account may have only a single, first-level character "whose only weapon is a rusty old spoon," or multiple high-level characters with maxed-out equipment.

"This particular database server we uncovered seems very much to be the heart of the operation - part of a distributed password checker aimed at Chinese gaming websites," Ward wrote. "The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games."

"If you are in possession of a gaming account from one of the websites listed above," he added, "an update of your password would not go amiss."


 

Deofuta

New member
Nov 10, 2009
1,099
0
0
Holy crap, that is a dedicated trojan creation group. Of course, what was the plan for all of these stolen accounts? Selling them whole? Or selling items? That is a lot of data to sift through. Nice job by Symantec!
 

Jared

The British Paladin
Jul 14, 2009
5,630
0
0
That's quite scarily organised...well bow will happen now it's uncovered...move somewhere else?
 

Delusibeta

Reachin' out...
Mar 7, 2010
2,594
0
0
Distinct lack of Steam accounts noted. Although it may be more efficient to just simply pirate the games, for hacking on online games without fear of VAC, you're going to have to hijack the account. Unless you like the hacked servers, and round we go again with the argument.
 

Flying Dagger

New member
Apr 14, 2009
1,344
0
0
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?
 

Earthbound

New member
Aug 13, 2008
414
0
0
Flying Dagger said:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?
Checking Alexa, it's the 66th most visited site in Taiwan and specializes in "web games", though the latter came from a translation. Seems kinda like a Taiwanese Escapist to me, after having it translated.

Edit: Okay, that was a bit off. They're a game publisher. They've recently got the rights to a future MMO called Bounty Hounds Online. They seem to have a bunch of games, actually. Not very well known in the West it seems. They don't even have an article on Wikipedia.
 

Billion Backs

New member
Apr 20, 2010
1,431
0
0
Deofuta said:
Holy crap, that is a dedicated trojan creation group. Of course, what was the plan for all of these stolen accounts? Selling them whole? Or selling items? That is a lot of data to sift through. Nice job by Symantec!
Probably gold farming via bots.

I've had my WoW account hijacked once, a long time ago. Of course, I contacted Blizz and managed to get everything back really quick, and whoever hijacked it just sold off everything of my alts and used my main to farm, presumably using a bot... Needless to say, when I got it back I've had a fuckload of things I could sell left over from whoever hijacked my account. I basically got 5K gold out of like a week of not using my account at all, so I didn't even bother asking GMs to return stuff to my alts I never played anymore, I just used the stuff hackers didn't sell in time, and it was glorious.
 

oppp7

New member
Aug 29, 2009
7,045
0
0
I've recently changed my passwords so hopefully I won't get hijacked. So how are they going to return these to the people who owned them?
 

Lord_Panzer

Impractically practical
Feb 6, 2009
1,107
0
0
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.
 

Danpascooch

Zombie Specialist
Apr 16, 2009
5,231
0
0
Spreading the login attempts to multiple IP addresses is freaking brilliant! Not that I support what they're doing, but come on, you gotta applaud the ingenuity of it!

An easy defense to implement against this tactic would be to limit the volume of attempts PER ACCOUNT USERNAME that is being hit with incorrect passwords, in addition to per IP address.
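
The defense suggested in the post above, sketched as an added example that is not part of the original post or of any game operator's code: a sliding-window counter of failed logins keyed by username as well as by source IP. The class name, limits, window length and sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class FailedLoginThrottle:
    """Sliding-window count of failed logins, keyed by source IP and by username."""

    def __init__(self, per_ip=5, per_user=5, window=300):
        self.per_ip, self.per_user, self.window = per_ip, per_user, window
        self._by_ip = defaultdict(deque)
        self._by_user = defaultdict(deque)

    def _recent(self, bucket, now):
        # Drop timestamps that have aged out of the window; return how many remain.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        return len(bucket)

    def check(self, ip, username, now):
        """Return None if the attempt may proceed, else the limit that blocked it."""
        if self._recent(self._by_ip[ip], now) >= self.per_ip:
            return "ip"
        if self._recent(self._by_user[username.lower()], now) >= self.per_user:
            return "username"
        return None

    def record_failure(self, ip, username, now):
        self._by_ip[ip].append(now)
        self._by_user[username.lower()].append(now)


def simulate(events, **limits):
    """Replay (time, ip, username) failed attempts; return the decision for each."""
    throttle = FailedLoginThrottle(**limits)
    decisions = []
    for now, ip, user in events:
        verdict = throttle.check(ip, user, now)
        if verdict is None:
            # Every attempt in the sample uses a wrong password, so it counts.
            throttle.record_failure(ip, user, now)
        decisions.append(verdict)
    return decisions


# Constructed sample: 8 wrong-password attempts on one account, one second apart,
# each from a different address in the documentation range 192.0.2.0/24.
DISTRIBUTED = [(t, f"192.0.2.{t + 1}", "player_one") for t in range(8)]
```

A per-username limit also lets anyone who sends failures lock the real owner out, so it is usually paired with a delay or challenge rather than a hard lock. It does not fire when each stolen user name and password pair is tried only once, which is why breached-password checks and a second factor matter alongside it.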
 

Danpascooch

Zombie Specialist
Apr 16, 2009
5,231
0
0
piscian said:
Do you guys need the distributed computing aspect of this explained or are we good? Because that part is fucking badass.
If you want to explain it by all means, I already praised it, but it would be nice to get some details.

What they did was wrong here, but damn if it isn't clever as hell.
 

Danpascooch

Zombie Specialist
Apr 16, 2009
5,231
0
0
Flying Dagger said:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?
You have to download something, but that's not as hard as it sounds, without the proper security (sometimes WITH the proper security) simply clicking "no thanks" on a pop up ad could do it.

Just a reminder people, NEVER click ANYTHING on a popup, even a "no thanks" or "no". Just by clicking the popup you can cause damage, better to close the open browser from Windows, or hit the back button.
 

Jandau

Smug Platypus
Dec 19, 2008
5,034
0
0
Lord_Panzer said:
Question: What game is that image from? Big dude looks like he's wielding The Ultimate Ban-Hammar of Ultimate Destiny, and I must have it.
World of Warcraft - It's Ragnaros, the final boss from the Molten Core raid. And yes, his hammer can be acquired.
 

1deano1

New member
Oct 6, 2008
76
0
0
Jesus Christ... That is a major find by Symantec... Well done to them. Well at least it mainly affects Chinese based gamers rather than European/American gamers.
 

Rayansaki

New member
May 5, 2009
960
0
0
danpascooch said:
Flying Dagger said:
I don't really understand how this works, do you have to download something to get the virus or can it access stuff off the website?

And what is Wayi Entertainment?
You have to download something, but that's not as hard as it sounds, without the proper security (sometimes WITH the proper security) simply clicking "no thanks" on a pop up ad could do it.

Just a reminder people, NEVER click ANYTHING on a popup, even a "no thanks" or "no". Just by clicking the popup you can cause damage, better to close the open browser from Windows, or hit the back button.
This or use Opera/Firefox. No popups, ever. Fixed. :p