We’re currently investigating this specific series of incidents. The more data we are able to put together, the more information we’ll have to get to the bottom of this, so we would like to get in touch with the players who were affected. This request applies ONLY to players who were affected by this recent incident. Unless you match these criteria below, please go through the support ticketing system:
It would really help the support team to know the following details when you write:
Any other details of note, no matter how small. If you believe you were affected by the incident yesterday, please contact [email protected], and provide your real name, account name, and a telephone number (along with the time you could accept a call about this matter and your time zone). Please note that the earliest you can expect a phone call is tomorrow. Thanks. |
Do hackers ever stop here?
Wish Swiftdeath
Quote:
I pwnd U
ANet is going to CALL people? Wow that is pretty cool... usually you have to call them.
garethporlest18
Well I hope you get to the bottom of it Regina, I don't like the idea of people being able to access accounts when those people supposedly didn't make a mistake.
{IceFire}
Sent in the email Regina, thanks for the concern
Jensy
That's.... more than a bit worrying. But at least they're working on it? O___O
Balkoth
Quote:
Unless you match these criteria below, please go through the support ticketing system:
If you believe you were affected by the incident yesterday, please contact [email protected], and provide your real name, account name, and a telephone number (along with the time you could accept a call about this matter and your time zone). Please note that the earliest you can expect a phone call is tomorrow. |
Is there any other advice you can give us in the meantime?
Stay logged on? Don't log in? Don't do online bill pay etc?
Regina Buenaobra
Quote:
What if we already filed a ticket? Should we provide another email? Or should we continue to add on to the plaync ticket information?
Is there any other advice you can give us in the meantime? Stay logged on? Don't log in? Don't do online bill pay etc? |
Continue to work with PlayNC, and let them know that you have emailed the Support Liaison about this.
Yawgmoth
Let's get all the facts together, with the help of all affected users.
Strangely the only reports of those incidents I've seen here in this thread, and none on other forums or wikis.
By the procedure of how the hackings were done it's clear that it has to be a RMT company, it's a massive scale project they're doing in a great hurry.
They're not malicious so don't delete any characters, they only rob, as fast as possible.
They only take top value quickly sellable items or pure currency (gold/zk/e) and always trade some junk back as a means of preventing automated detection.
They're in great hurry so often miss obviously valuable items.
They don't change passwords - they most likely can't - it may mean this method doesn't allow that, or they would do it for sure, as accounts are more valuable to them than some money.
So some Questions that hacked people should answer, so we get more facts:
Admin Edit: You are asking questions that could compromise someone's account security.
Lyssa Apate
I'd just like to add that the same happened to me. (Had to be between Monday 01:00 and 14:00 GMT+1) Someone traded my 75e for a Mini Windrider, nothing else is missing.
Shayne Hawke
I've sent an e-mail to the Support Liaison per Regina's request. This will hopefully be sorted out soon.
Xun Rama
Haven't been hacked, just scanned my Gw.exe here. Mine's completely clean it looks like?
Code:
File: Gw.exe
Status: OK
MD5: e3446754fbd659170df74dd63ff1506d
Packers detected: -
Scanner results
Scan taken on 24 Feb 2009 02:35:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
iVendetta
Stop feeding yourself to the phishers.
Adult
Ok. After reading about how everyone, including myself, who have been hacked over the last few days I have come to a conclusion. There is something we all have in common that a hacker could exploit. While we all have all these badass security thingies and un-beatable passwords, none of it matters if I am right.
If we look at this situation holistically...it tells us that the hacker has a very easy way of getting in to all of our accounts... the hacker hacked Anet.
It makes perfect sense to me. All our account info is there, emails and passwords. They can see when we log off, and there is probably a way to validate what is in the inventories of what ever accounts they look at. Why not go after the super rich? I am guessing they haven't come across those accounts yet...
Anyone see my logic here or am I paranoid?
Shayne Hawke
I believe that ANet would have realized and halted any attempt that was targeting them directly to harm/steal other players' accounts. Someone hacking ANet or Guild Wars would be the easiest explanation for it being the most easily visible common factor. However, that seems like the least likely as well, and they probably would have told us already if there was a security breach made/fixed at their end.
Balkoth
Quote:
I believe that ANet would have realized and halted any attempt that was targeting them directly to harm/steal other players' accounts. Someone hacking ANet or Guild Wars would be the easiest explanation for it being the most easily visible common factor. However, that seems like the least likely as well, and they probably would have told us already if there was a security breach made/fixed at their end.
|
Which ones do we have in common? GameTrailers? Aion? NcSoft maybe?
zelgadissan
Thought I would hop in and mention that my hacked friend got a call from Gaile Gray herself less than an hour after emailing with what Regina requested, so this is being taken very seriously.
Coney
Quote:
The way most AV work make it so that you need significant rewrite to escape heuristics. And I'm not even mentioning SW profiles and behaviour.
|
Quote:
Where did you learn hacking 101? All modern compilers prevent most buffer overflows, and even if you had one on the GW servers, you wouldn't use it to swap sessions...
|
Who said *YOU* are the one swapping sessions? This may be the result of unintended faulty server-side code. As in, some session variable that should be CONST somehow gets overwritten unintentionally, thus setting it to point elsewhere (merits of C++? LOL)...
101? Nice, Thx for the flames. You make the bad assumption that the in-house ad hoc compiler used by GW coders is *MODERN* (or complete, consistent, "peer-reviewed", etc). Are you going to jump my ass in this thread (like the other one) based on some technicality? Did I NOT say 2 was unlikely? (checking...) "QUITE A STRETCH." Pls, take the flames to private chat in the future.
Shayne Hawke
Quote:
I agree. I would also narrow it down to our web history, I use Opera 9.63 and I've visited a number of gaming websites (gaming websites would most likely have gaming trojans) in the days leading up to the attack.
Which ones do we have in common? GameTrailers? Aion? NcSoft maybe? |
I'm sure that Regina would prefer that we send any such details to where she has directed so that they can be the ones holding the info and not have it posted here publicly on a forum.
One thing I'd like to bring up is that we don't really have any certainty as to when the information to our accounts was compromised. We just know that it was used against us in a short period just recently. This could have been a collection that was in the works for some time now and just suddenly activated.
Coney
Balkoth
Quote:
There are two things that a person would need to quickly, easily, and successfully hack a GW account: a password and an e-mail/account name. You would have to compile a search based on where and when one of those two things was used at some other location than the GW client.
I'm sure that Regina would prefer that we send any such details to where she has directed so that they can be the ones holding the info and not have it posted here publicly on a forum. One thing I'd like to bring up is that we don't really have any certainty as to when the information to our accounts was compromised. We just know that it was used against us in a short period just recently. This could have been a collection that was in the works for some time now and just suddenly activated. |
So then, what site was it? And if I am wrong, and it came from a single or multiple other sites that we all have accounts on, we should be able to single out what we have in common.
Inde
Balkoth, you are assuming all the other hacked accounts had trojans such as you. Some people have clearly stated in this thread that their virus scanners came up clean. You could have 2 coincidences that are happening together here.
Balkoth
ok, true. But that would still leave a site in common amongst us that we had accounts on. Whether that site had some bad banner, or lost its db, it's something in common.
TheGuildWarsPenguin
A few days ago, someone in GToB asked me to join their party and go into the Isle of the Nameless.
That person repeatedly disconnected+reconnected himself, asked me to use skills, and said he was "debugging" something and told me that it was related to the party window/formation.
Suspicious?
He said something like: [DEBUG] Searching for Agent ID 25 [DEBUG] Searching for Agent ID 26
I haven't noticed anything wrong with my account yet.
Gun Pierson
There are two things going on:
- people received private messages on guru to buy gold, z-keys and ectos.
- accounts get hacked: hacker is mainly interested in gold, z-keys and ectos it seems.
This might be coincidence.
The hacker(s) might be following this thread too.
Inde
We have seen screenshots of emails being sent out trying to phish for account information, we have Regina reporting GW2 beta scam websites and youtube videos to get account information, we have Gaile Gray telling us the number of RMT's scamming and stealing accounts, we have people downloading 3rd party programs, we have people who buy GW gold, we have people who admit to not having secure passwords and somehow all of that is ignored in order to try to prove a connection. Maybe that's harsh, and while I do agree something is going on you have to step back and take in the big picture versus grasping.
Adult
Quote:
again..why is this anets responsibility? it's not anets fault you traded with someone and got taken to the cleaners. So basically if anet "cared" they would "protect customers"? how can anet protect against stupidity or people that understand about the trade window. How can anet make this any simpler? if they made it idiot proof and someone got taken through trade that person would say its anets fault why?
If anet was to keep us "happy" then they should do whatever we want them to do or i will not buy gw2. Get over it. again what happened to you was your fault not anets. ironically if you had 2 million worth of gold and stuff you would have to play the game a long time to get that amount of money and not know how to use the trade window? either u full of shit or not very smart ..maybe both. no wonder why gw2 takes forever to come out with all these people QQ to anet about problems "They Have To Solve" because of player stupidity cause if you don't fix it i won't buy gw2. Bunch of babies. |
I logged out...30 minutes later I logged back in to find my main account in GTOB not in TOA where I left her (doing vanquishing in that area so I'm 100% sure that's where i left myself)...I checked storage...They STOLE...theft...stealing... took my stuff (got it? ok just making sure)...330+ectos...100k....q9 VS...everlasting tonic...2 zkeys...maybe something else This was done by the hacker logging in as me and trading my items to his account in place of a Grail of Might (which I never use)... So if you bothered to read any of these posts you would find the same thing happened....we are all very protective of our passwords, accounts, names, whatever...logged in in GTOB and found things missing, so please read the posts first before you QQ our QQ...kthxbai
Gun Pierson
@ Inde: Of course, the chance would be very small.
Changed my mail here as it was linked to my account, replaced it with a new email address, does the old still stay in your list?
Anyway they can prolly track him down fast.
Inde
Nope, you change it, it changes it in the db.
Gun Pierson
Ok thanks for the info!
gone
not that it really matters...and I didn't screen shot it.
sometime around the new FF release 3.0.6 (of course I use no script/adblock plus/adblock filtersetG.updater) I think the release was around & about the last holiday event. anywho... and this has NEVER happened to me with this site...
I was getting a nice pop-up via FF stating this was an attack site. never happened before, and somehow it just magically went away. I never messed with a single setting.
-----------------------------
my GW.exe
http://www.virustotal.com/analisis/4...7871121892faba
Lycan Nibbler
Quote:
I had about 2 mil worth of items, gold, ectos, tonics looted yesterday and a grail of might traded to me for it. The fact that someone is trading items to us for our items tells me a few things... it tells me that blank trades where someone trades stuff for nothing pops up on some "radar" at anet so they can track gold sellers/buyers and the such...So this also tells me that if blank trades are monitored then all trades are or can be monitored, so my conclusion is that if we are able to give a specific enough window of time then anet can track down who "i" traded to and what items were traded. End result, if someone at anet actually cared enough we could get all our stuff back and the other persons account could get banned, perhaps all accounts tracked from their originating IP could be banned as well, but that might be a bit much to ask.
|
Unfortunately, we get what we pay for.. no monthly fee = little to no in game monitoring of what actually happens.
Lycan Nibbler
Originally Posted by Jhadur
Do any of the other people getting hacked have their accounts linked to NCSoft?
Was it not the NC Soft site that was attacked one time previously when people who had linked their accounts there were the ones attacked??
Good luck to the guys who got attacked anyway, I hope anet gets to the bottom of this and finds some way to reverse the trades.
Quote:
From what I've read so far, this is a blaring coincidence (until shot down!).
|
the_jos
Quote:
You'd be very surprised:
http://www.securityfocus.com/brief/762 <on MD5 dictionary attack> Ok, I guess you're aware of the batches of MD5 collision done in the research literature. Now, just so you know, experts are not expecting any real practical progress before a few years, these were only theoretical attacks on MD5. <on brute forcing passwords> The guy who's going to do that will win bigger by being hired by the NSA, rather than exploiting his stolen data. |
First of all, the trojans used for gaining access to game accounts do exist.
However, when looking at their characteristics they are nothing compared to a banking trojan like Mebroot.
Second, while it might look hard to generate a MD5 dictionary or bruteforce them it's not that hard in reality.
It's not like we are generating collisions in huge documents.
We are talking about bruteforcing strings with known specifications.
We can safely assume that most of the passwords will be in the [a-Z][0-9] format. We can also assume that the password length is between 6 (if GW does not enforce a minimum of 8) and about 15 with the majority below 10 characters. That limits the list a lot.
Furthermore we can assume that the base of most passwords will be vulnerable against a dictionary attack.
So we take the dictionary and MD5 that one. Then we take that same dictionary and start adding numbers, making sure the total length does not exceed 10 (as start). So we start with '0password' to '99PASSWORD' and 'password0' to 'PASSWORD99'. Generating the MD5's on such lists is trivial.
And I think lists are available already. The same for SHA1.
Now if we were to compute a random string of [a-Z][0-9] things would already be different. Even at 9 characters we would be looking at an astonishing 13.000.000.000.000.000 combinations if I'm not mistaken. Add in an additional 25 uncommon characters and it will be 285.(lots of zeros again).
That's very time consuming to brute force.
So much for theory.
Practice is that people will use passwords that are vulnerable to dictionary attacks most of the time. That's the easiest to remember.
If that password is stored as 'plain MD5' in a database and that database is compromised (that's why you should not reuse passwords for things you care about) it's easy to obtain the real password.
As for people storing encrypted passwords in databases, it's easy to salt the password.
What it does is make each MD5 or SHA1 checksum 'unique'. If the word 'password' is encrypted this would generate a checksum (example, not going to calculate it for real) 'ABCD'. Doing the same with '1password' would generate 'DKFR' while '2password' would generate 'YRFT'. When the salt is long enough it would make the password impossible to obtain. Adding a salt of 3 characters [a-Z][0-9] would make it about 4.000 times harder to crack the password.
Doesn't look like much, but consider the 13.(many zeros) and multiply that one by 4000.
What I've done in the past is just using the UID to salt passwords.
Not on very sensitive information but in general it's good enough.
So much on this. Bottom line, use 'special characters' in your password, don't use important passwords on other places, try to avoid words from the dictionary.
And..... Why don't you write your password down and put it somewhere safe if you can't remember it because it's too complicated (like A^J$sT%P#@). It's not like someone willing to access your GW account will break into your house to obtain your password. Well, I assume you can trust your family....
The same for other important passwords. Just make sure that if someone does break into your house and obtains the list he/she can't do anything with it (so no UID/pass/application combinations).
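The storage point in the post above, as an added example that is not part of the original thread: with unsalted MD5, one table built from a word list plus 0-99 prefixes and suffixes matches every account that picked such a password, while a UID salt or a random salt with a slow KDF makes that shared table useless. The word list, UIDs and passwords are constructed, and PBKDF2 is an assumption of this example, not something the thread says any site uses.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list and three made-up accounts.
WORDS = ["password", "dragon", "guildwars"]
ACCOUNTS = {1001: "password7", 1002: "password7", 1003: "A^J$sT%P#@"}


def candidates(words):
    """Each word in lower and upper case, alone and with 0-99 before or after."""
    for word in words:
        for base in (word, word.upper()):
            yield base
            for n in range(100):
                yield f"{n}{base}"
                yield f"{base}{n}"


def md5_plain(password):
    # 'Plain MD5' storage: identical passwords give identical digests.
    return hashlib.md5(password.encode()).hexdigest()


def md5_uid_salted(uid, password):
    # UID used as the salt: digests differ per row, but the hash is still fast.
    return hashlib.md5(f"{uid}:{password}".encode()).hexdigest()


def pbkdf2_record(password, iterations=200_000):
    # Random per-user salt plus a deliberately slow key-derivation function.
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def pbkdf2_verify(password, record):
    salt, iterations, derived = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, derived)


def exposed_by_shared_table(stored, table):
    """UIDs whose stored digest appears in a table computed without any salt."""
    return sorted(uid for uid, digest in stored.items() if digest in table)


def keyspace(alphabet_size, length):
    """Number of random strings of the given length over the alphabet."""
    return alphabet_size ** length


# One table, computed once, reusable against any unsalted MD5 database.
TABLE = {md5_plain(c): c for c in candidates(WORDS)}
PLAIN_DB = {uid: md5_plain(pw) for uid, pw in ACCOUNTS.items()}
SALTED_DB = {uid: md5_uid_salted(uid, pw) for uid, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    print("table entries:", len(TABLE))
    print("exposed, plain MD5:", exposed_by_shared_table(PLAIN_DB, TABLE))
    print("exposed, UID-salted:", exposed_by_shared_table(SALTED_DB, TABLE))
    print("62^9 =", keyspace(62, 9), " 87^9 =", keyspace(87, 9))
    record = pbkdf2_record(ACCOUNTS[1003])
    print("PBKDF2 verifies:", pbkdf2_verify(ACCOUNTS[1003], record))
```

The random 10-character password on account 1003 is never in the table under any scheme; the two accounts sharing `password7` are exposed together only when no salt is used.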
Jhadur
Quote:
Good luck to the guys who got attacked anyway, I hope anet gets to the bottom of this and finds some way to reverse the trades.
|
(If they even looked of course)
Lycan Nibbler
Quote:
Anet told me when I was attacked that there is no way that they would be able to return any items taken. Even if they found the person that had done it.
(If they even looked of course) |
I've been somewhat paranoid, as I've been getting a lot of err7s the past few days myself (unusual for me) - got me checking under the bed (so to speak).
The Little Viking
Quote:
That's what it does now, Gaile said a while ago. If you get the password wrong a few times, it kicks you out for an exponentially increasing amount of time, so brute forcing won't work. This must be keylogging or some packet manipulation or something.
|
BTW: My husband's account was hit today. 2 characters in GToB.. lost uncustomized torment staff and 400K. In its place he got a fungal wallow.. Oh Goody!
So far, my account is safe.. for the time being...or it was 30 minutes ago. He's not happy and neither am I...I got him a new staff (ain't I sweet)...just hope it's still there in the morning. This time he customized it.
Best of luck to us all on hanging on to our stuff. Just like a lot of folks here, he changed password, did all the usual precautions and still got hit.
Taco Fiend Taco
I've been getting a lot of d/c's and err since the weekend too. It almost never happened before that. It has made me quite nervous about things.
Also, I read the whole string but can't remember if this was mentioned...one commonality in this is it appears everybody has a guru account. At least I haven't seen anywhere else an explosion of complaints about 'I wuz hacked'.
Shasgaliel
Quote:
I've been getting a lot of d/c's and err since the weekend too. It almost never happened before that. It has made me quite nervous about things.
Also, I read the whole string but can't remember if this was mentioned...one commonality in this is it appears everybody has a guru account. At least I haven't seen anywhere else an explosion of complaints about 'I wuz hacked'. |
My guildie was hacked and he has no guru account and no GWO account etc. He has Ncsoft account though.
refer
Guild Wars needs a logging method of ALL trades... with who, what, and when.
fusa
Anet does keep logs of trades as well as chat in game. This is why they want to know the outpost, district, and time when a ticket is submitted. It helps narrow down the search for relevant logs of the incident. The reason no items can be replaced is because it can be easily exploited. Since only a very small number of people have been hacked, it's not Guru or NCSoft's web site's security, it's the people who were hacked.