I just caught a hacker...

Man-in-the-middle attack?

But that would mean the login process of GW isn't encrypted! OMG!

Although all the talk about unknown keyloggers and whatnot is very interesting, I think that there's one important point in the conversation that's being ignored: why would anyone waste it on Guild Wars?

If you have the ability to install a currently unknown piece of malicious software, why would you attack a video game instead of bank information or something similarly valuable?

Furthermore, keyloggers are not really invisible, they just run undetected because most people don't continually monitor memory access or file writes. If the keylogger is there, it can be seen because it has to interact with your components - and that means any other program can do the same and catch it in the act.

FileMon would pick up disk writes that the logger makes and any decent firewall would detect and stop access for a keylogger attempting to write back to an attacker's machine. I think it's improbable that anybody would have gone to the trouble to write a special logger/trojan just for Guild Wars attacks and not sold it more widely, in which case it becomes more probable that a more heavily monitored machine gets hit and finds it running.

I think that if there's actually a vulnerability here that's being widely exploited that's not a standard keylogger or trojan, it's most likely in the client.

Here's an interesting thought: when this is finally sorted out, and if it turns out to be an actual attacker of some sort, could anybody who purchases the stolen loot or gold through RMTs be charged as an accomplice to the crime? It would be rather interesting if people buying gold in these sorts of games were exposing themselves to potential federal wire fraud charges or something similarly serious.

Name a GW player thats always going on about hacks ingame and on the PlayNC site etc and you have your answer....got it yet?


bingo!

"People like you"...love it hypo hypo happy hippo!

Anyways, for the rest I agree except the "head-in-the-sand attitude" since doing everything you can for your own security has nothing to do with head-in-the-sand.

I took a break off GW for almost a year and forgot my passwords since they are really hard to remember. Bad luck added my old email account got inactive and deleted. It took me almost a week of communication with Anet to get my accounts back and I had to give them loads of information and repeat them often. All I had was one of my keys and the possible email addresses (3 of them were possible for the accounts). They asked me for the store I purchased the copies at, telefon numbers I gave, addresses, 2 char names per account, email addresses etc etc. A lot of mails had to be written till I got it back so I am convinced that retrieving another person's accounts through the support is unlikely.


Actually Anet does a lot for our security, maybe just not enough for most users.

Things they could add:

- The "Lost password" page on the plaync site asks for your account name, date of birth an an image validation before you can proceed. Some additional info like other sites use it might be handy. Like ZIP Code etc.

- They could tell people to give wrong answers to the security questions but that would kill the purpose I guess. It is still advisable imo.

- They could insist on passwords with upper AND lowercase chars including letters and numbers and get rid of the "has to start with a number" restriction.

Maybe some other things aswell but the mentioned points would only be helpful for people that don't see them as common sense.

Let's see what there is so far.

- No direct communication between clients without the servers interaction.
- Passwords are not stored on your harddrive or loaded into your RAM.
- Your GW account name can differ from the PlayNC account name so you would have to guess two names.
- Your GW pass can differ from your PlayNC pass.
- A constant note on the log-in screen to remind people that it is bad bad bad to give anyone their passwords or buy gold.
- No session-hash on the PlayNC site in the URL
- R4 128 bit encrypted web site.
- PlayNC: SSL certified to differentiate from phishing sites.
- Ingame packets encrypted with strong and likely random key. Enough people tried to find it to speed up the private server creation.
- Private servers are only accessible with valid accounts so far and there is not much to do on them yet.
- 3rd party program policy
- RMT policy which might have saved a lot of accounts by spreading PHEAR!!!11

So what else are they supposed to do? There is no way to hijack your passwords if your comp is clean. The PlayNC site is well protected or at least as safe as any professional site. The servers are well protected. All transactions and interactions between players are monitored. Packets are well encrypted. They just can't reinvite the internet. Imo they have done a lot to ensure that our accounts are safe. Rest is to us.

The only option left would be to bind accounts to certain IPs. That would ban all Internet shops users and dial up users though. Not too many static IPs around.

So instead of just saying that "Anet could do more for our account's safety" give some good examples. They might read and consider them. As for me, I see enough done to feel safe.

EDIT:

FUD crypter/keylogger/trojans are available all over the web starting at $10-$XXX PayPal/Paysafecard/Webmoney etc...FUD=Fully UnDetected and tested again all common AVs.

All of them with the option to "destroy" themselves including traces. Just as an example.

More examples?

Even known trojans and keyloggers have undetected stubs that can hide them.

A crypter is harder to find and easier to code. Lots of UD/FUD ones out there if someone is really sick enough to use them. Same goes for downloaders.

And please don't google for them if you have any intentions to use such a tool. You will most likely end up infected. Play the game. It's fun

That's just insulting. I have encountered a number of apps, shopping carts, and online tools that have had vulnerabilities and I've always reported them. The ONLY time I released one to anybody other than the people responsible for fixing the problem was when I released a proof of concept to a U.S. Army engineer who was giving a presentation on computer security in the military and needed a working example to drive the point home.

To accuse the individual you're referring to like that is just ridiculous. That he finds the problems is not proof that he's behind any of the exploits. Just because there are people who know how to find these things - most of us because we work in fields where we have to be careful not to CREATE them - is a very sad statement on the general public's sorry state of computer literacy.

There are kids that are obscesive (spelling?) enough about GW to try it. HOW-TOs and tutorials are available on net. You don't need to be genius to put something working together.

They are far from invisible, true. But most people don't have clue how to look for one as they trust antivirus to protect them. Process can be named confusingly and it can be just another "svchost". Logger does NOT have to write on disk (you need to send info and not store it) and he could call back on port 80 which normal user machine would have enabled for their browser (launch web browser with url that contains found out password, shut it down when ok received. clumsy, but just stupid example)

Anyway, i suggest people also to seek "HijackThis!" software which will give them list of application which could possibly be some form of spyware/keylogger and well as crude (as in, not really working that well) ability to disable that software.

But when people do not download any suspicious things and yet get hacked, where does it come from?

I erased from the wiki the other two links, only left the filefront one, that's the only that doesn't have the "keylogger" thingie.

Good old fashioned hacking. IP farming + some GW client exploit, or something in game exploitable, or even email address farming and brute forcing. Doesn't require downloading, could be any number of things. Could just be a simple website like a GW Auction site, with a corrupt admin who knows a few things, and changed coding to record passwords/emails, and got lucky with a few being the same.

Interesting...

Also, browser exploits. You could follow "harmless" link to site which would exploit vulnerability in browser and install keylogger.

Someone can just post links to your attack-site and hope that people follow them.

You can never be too paranoid.

I downloaded TexMod from the Tomb Raider link, and it's fine, so no need to remove it as people wouldn't have gotten to that link. I'm guessing ReiNaruto has a bad Antivirus. And I'm gonna guess McAfee, because it likes to detect things in files that aren't there.

As I've stated before, my computer is pretty darn clean (especially since it is less than a month old). Norton Antivirus/Internet Security actually ran a detailed sweep of my computer within 24 hours of the attack.

Regarding forums, I have accounts both here at guru and at gwincgamers (which are the only two guildwars related accounts). I don't even have a PlayNC account, and my Xunlai Tournament House account uses a different password. The passwords I use have no relation to my e-mail address or ingame names, so I'm not sure if the "weak" password you're referring to is applicable. The only preventative measure that I can think of that I did not take was changing my password on a regular basis (I had the same password from when I created my account about 3 years ago).

Regarding downloading something from an unknown source or visiting a suspicious website, again...I don't download anything from any odd sources. Heck, I don't even use iTunes or Limewire for that very reason...with my older computers, I had some problems many, many years ago and I learned my lesson. The only websites that I can think of where I could've downloaded an arcane keylogger or a trojan that would not be detected by Norton would be here at guru, gwincgamers, one of the two wikis, or one of the image hosting services (e.g. imageshack) since I visit the sell forum here quite often.

Again, it's easy to be suspicious of the person that got hacked (I know I've been guilty of doing the same when I've seen others' claims), but in this case, I'm not sure how much more I could have done as a reasonable player.

Except that the person Malice Black is referring to has used the hacks he's created for his own personal gain in the past (pre expoit taking tomes, mini mallyx to pre). He has also been involved in several recent exploits in the game, only coming forward after its publicly posted here on what is occurring.

We already know theres been cases of players interacting with the client in a way that it wasnt intended and in one case it did allow a user to crash the clients of everyone in that area (I think that was back in October 07) IE using a program or exploit to interact with other players clients.
Is it so impossible that something similar could be that case again?

Norton Antivirus doesn't protect against GW "hacks".

You can have every single anti-virus application running, but it will do nothing at all to stop the means through which the hackers attack GW.

No player interaction involved. It crashed the instance with an invalid packet. Nothing aimed at a specific player.
Example:
If Aliens destroy the world with a badass pew pew laser beam the planet would be lost and though they did not target you, you would be royally f***ed.

doesn't matter anyhow. if the truth gets known it'll get deleted, right?

And who is going to play GW2 if you delete all the players?

this isn't about the game per say, my previous post, is about posts, pertaining to what might very well be the reason certain 'hacks' are even floating around. only a few people have access to the info needed to create this sort of garbage. even fewer would waste the time.

Well, by "head-in-the-sand" I mean that assuming you are safe because you use all reasonable precautions, is unwise in my opinion. (see turbousa's post). You are ignoring the possibility of novel attacks or methods, or insider information.

Who, me? I did make suggestions...
OK, they were in the form of questions, but you get the idea.

How about you just make you password alphanumeric, not godjecdoc or some lame pw. GoD3jEcDoC286, if a hacker really wants what you got he will get you no matter what, Just make it harder for him to.

1. More QQ. People have capslock on and try it x times to come here realizing that the first sentence they try to write looks like this:
"MY ACCOUNT GOT HACKED". Now realizing that they had caps on they start a new thread to QQ. "Why isn't it possible to reset the delay???????? I HAVE IMPORTANT TRADE/GVG/AB/POLYMOCK TOURNAMENT/INGAME MARRIAGE".

2. Forming groups in HA/TA/GvG.
"Rerolling. Brb in 60mins. Char is flagged as delete delayed"
or my favorite assuming you need yet another password to flag them (not goin to mention that a keylogger will have that one aswell...doh...i did it):
"OMG I LOST MY PASS TO UNFLAG MY CHARRRRR:RESET??" QQ!

3. I agree on 3.

idk, but from the sound of it this hacking attempt was a lot more complex and insidious than the usual "keylogger" user slip up of security. I mean the OP clearly stated he's done little if anything out of the ordinary to put him at risk, didn't use textmod even. That and the fact that he was allowed a reconnect attempt, I don't think he would be given that chance to reconnect if somone else was already on his account (in the sense that the hacker had his password before his disconnect from AB).

People have modified their clients to affect others in the past, it seems entirely likely that something similar is afoot here. It makes sense actually, forcing a disconnect but then allowing a reconnect attempt, if you could track the reconnect attempts I have no doubt you'd be able to get somone's account info. Think about it, reconnect attempts require no ID verification, no re-entering of passwords, all that information is likely auto encoded in the reconnect attempt.

idk maybe I'm jumping at shadows but to me it seems likely the reconnect system is being exploited in some fashion here.

I got that same keylogger a week or so back.

My computer was new, I'd installed all the protection on it I possibly could...then bam, a few days with my new comp and I get that.

I attributed it to the fact I'd been on IE and followed a link to a games site that HP (the company I bought the machine from) lead me to. I had no reason to believe it was dodgy, given the fact it was part of a program that HP had put on my computer. Hadn't downloaded anything dodgy, and certainly hadn't downloaded texmod.

Suffice it to say, I reformatted after getting the virus, and will not ever again open IE for anything.

I did have an incident on the none official wiki the other day, when I clicked on a skill icon to see the skill description my Firefox No Script thingy told me the link had cross site xml scripting on or something. I've read that that's a bad thing, so I'm so glad No Script didn't allow me onto the page.

Gotta be so careful where you browse, and scan every single day.

Mystica, why dismiss ideas so quickly? Versus thinking how you'd take the basic idea and make it practical? What I posted were just shortened summaries of full ideas posted elsewhere - not the full, more "practical" versions.

Actually, as it is, that sounds like an excellent fix for idiots who use caps lock.

I think normal people either use caps lock very rarely, or by accident. After one or two failed attempts, a normal person would check they didn't have caps lock on by accident.

The "full" idea for lockout/delay would be something like... One failed attempt only adds small or no delay, and if you have caps lock on, the client could detect this and warn you. Each subsequent failure adds increasing delays. This would not inconvenience people, unless they regularly need 5 or more attempts before they get into GW (unlikely)... but would make brute force attacks unfeasible.

Beyond a certain number, they might go as far as blocking the IP address or the account for a period, maybe even requiring email re-activation or something.

All these could be optional extra security choices that you could enable, or not.

Again, the "full" version is something like: making a character permanently undeletable, or having delayed deletion would be optional per character.

Obviously, you wouldn't enable it on a PvP character that you will re-roll again and again. But you might choose to enable it on your main PvE title-hunter character, so that even if someone accessed your account and stole your goodies... you'd at least still have a character with titles, skills, HoM intact etc.

Delayed deletion would be optional again... by selecting it, you could re-roll a character, but deletion would be delayed - long enough that you could report a stolen account and have it returned. Deletion could be cancelled at any time before the delay is over.

If you didn't want those features, you just wouldn't use them.

But most do. Constantly sending traffic out rather than just every now and then when a good chunk of data is collected would be particularly suspicious.

That's not how client applications work. Port 80 is traditionally reserved for an HTTP server. The browser, as a user application, would not generally try to use ANY ports below 1024. It COULD masquerade as something like VNC by binding to 5800, or pretend it's AIM on 5190, but anyone who would be able to discover this would know if they're running those things or not.

Aha... I did not know that part of it, my bad.

Anyway, it would be interesting to have access to some of the machines of the people who lost accounts. If this really is an attack against a vulnerability in the client, which it may or may not be, the only thing that's going to help expose it in the short term is if anyone has unaltered firewall logs, disk access logs, etc.

Although, frankly, I'm still leaning toward keylogger or trojan.

The Guild Wars client already has this in use, incorrect logins increases the delay the person needs to wait to login.

Really? The few times I've mistyped my password several times in a row, I've never noticed any delay. Well, if that's true, is it built into the client, or the server? If it's in the client, you could meddle with things to bypass the delay and make as many brute force attempts per second as the server can handle.

OH SNAP!!!!!!!!! Hax in guildwiki just from viewing skill pages? Awesome, that's one of the few sites I do allow scripting on in any form :/. Hope my pitiful storage is still there, but hope my characters are there most of all.

gratz on save the stuff...

but you get trash only.. maybe he looking for a everlasting tonic...

seems it would have been more practical to just take the keys, but he took the time to open the chest. you sure it wasnt your little brother?

After testing it, it might be the server after all. With a few incorrect passwords you get the first response in the image above, then eventually the 2nd, which pops up more and more with incorrect logins.

Wrong, sir. I'm not using McAfee, I'm using the av that my university bought for its staff. And, it started crying in pain when the file from Tomb raider finished its download.

Nope...no one else I know has (or would even remotely want) access to my account.

Yeah, I found it odd as well that he took the time to open the chest 47 times instead of just opening a trade with his other account. Maybe he didn't realize that the keys were worth a ton at the moment, and was just hoping for an everlasting tonic.

Whast the name of the anti-virus that picked it up?

also The more I read the more it's starting to sound like a disgruntled A.net worked and an inside job.

you have this on your account and someone just wanted to use your keys!?

http://www.guildwarsguru.com/forum/s...57&postcount=7

certainly someone is just messin with you.

Yeah...I guess they didn't have a chance to check the material storage tab in my storage.

Norton never picked up anything. I ran another scan last night after the attack, and made sure my definitions were updated, and nothing appeared.

The same reconnect system that was used in the ARMBRACE exploit?

Strange coincident. LOL

Slash Owned.
On both sides.