Do hackers ever stop here?

Perhaps a new method being employed by one of the Gold Sellers to obtain gold for resale? One of the recent messages on GW splash screen had a recent deletion of accounts associated with gold selling. And there has been many references of private emails for purchasing that gold/zkeys/ectos. If it is a larger outfit they would have the time/computers/manpower and motivation to undertake something like this.

If ANET was making headway, the Gold sellers may be trying to up the ante and just take stuff directly.

For people that have been affected it may not hurt to double check for downadup/conflicker virus, since it is very good at hiding itself.

http://www.guildwarsguru.com/forum/s...php?t=10351098

Key items:
Downadup can mask itself and you may not even know you are infected. Once it infiltrates your system, it will edit your Windows Registry. After this is completed, the worm begins to override your firewall settings, allowing it to download malware from any number of hosts. This malware will only increase the damage to the PC. However, the creators of Downadup have yet to activate the second stage of the worm. Once they do, Downadup will do one of two things:

1). It will retrieve all your confidential files, personal information, passwords (online banking especially), and logins and send them to any numbers of hosts.

2). It will combine your PC into its botnet and attempt to hack (by brute force) anything it is targeted to. This is the fear of the Department of Homeland Security. With the current infection rate, it has the capability of hacking some of the most important data centers in the country if given the chance and enough time.

Stage two testing perhaps? Probably a stretch, but you never know. Would explain not showing up on a scan and the possible use of brute force and retrieving logins(which are sent to any number of sources).

To add to the incident count, my guildy/friend's account was hacked on the 22nd too. What's sickening about this is that I kept my 2000 ecto and 40 armbraces on his account too because we had consolidated money for a 'panda fund'. The hacker walked away with enough items to total well over 6000 ecto. And we found out that while the hacker was on his account, he asked our guild chat to borrow more armbraces for a panda and walked away with an additional armbrace from that. No viruses came up, he doesn't give out account info to anyone, etc., etc. I'm not sure if it was a coincidence that the hacker mentioned the panda since we've been looking for it or if my friend's account was targetted.

I'm not sure what you do after you lose this much money...you can't really start over and earn it back again... *sigh* I'd like to say I do appreciate the special attention anet is giving this, and my only hope is that the guy who stole everyone's money doesn't make a profit off of this.

Editted to add: 3rd party programs were never used, no visiting of forums, virus scan came up clean, no gold buying/selling, and account info was not given out. In fact, the reason we kept all of our panda money on his account and not mine is that I used texmod to map..that's how paranoid we were coming into this.

The specifics of what was stolen: over 2000 ecto, around 50 armbraces, 80k (left 20-30k), a tormented shield, salvaged 2 pairs of chaos gloves, an undedicated mini ghostly, ... I think that's it. The account was given some fruitcakes and 8 or so celerities.

i do understand what this thread is about. these "hackers" got your info. how it is uncertain. you ADULT can blame anet by saying a "hacker" got into anet. highly unlikely since they would know fairly quickly.

Ok so u have the best antivrus . change your password every 30 seconds..yada yada.. if a "hacker" wanted in they would find a way. You or anyone can say i dont give out out info or i dont visit this site etc.. only u really know. keep in mind "hackers" are smart so its a fact there is human error with a loop hole. Sorry i just dont buy the fact that its a "xmas miracle" that people got hacked for no possible reason, if you believe this then i recommend a great movie called "GREMLINS" by steven spielberg.

interesting how people personally attacked anet then when they offer help you act like anet is your best friend.

imo opionion it suks be be on the receiving end of these situations and this thread can go on and on about who is right about how they "hacked" or whatever doesnt solve the issue.

Fact: people got hacked for "whatever" reason
Fact: Anet is looking into it to see how and correct if on anet's end of thing
Fact: this thread has lost most of the ability to become informative info on hey i found this in my email etc.. or look at this Screen shot yada yada yada..
Possible Fact: its become the domino effect of suspisciousness when a few people claimed to be hacked then a whole mess of them claim the same thing. im sure some people got hacked but not as many as this thread suggests.
Fact: Adult please dont "poke the bear"
Fact: Most people dont understand "hackers" or how they work or how they do what the do.. it is appearant that some people in this thread know their computer shit hats off to u

Suggestion: let anet do their job , they have acknowldeged there is a problem.. let them deal with it and with all due respect i suggest to close the thread since its alot of "grasping" and finger pointing and anet has already asked those people to contact them.



6000 ectos? wow thats alot.. just curious how did this hacker know about your "panda" fund and to then ask other members specificaly about that.

just curious..brave lil hacker since most of the other "hackers" came on took what they need and left and never said a word.

Again my "gremlin" theory

Well, I just got off the phone with Gaile Gray. I had sent the email to the support liaison late last night so I must say I'm rather happy with the speed of the response time. She basically went over all the information I had already provided. Right now they are looking for a commonality between guru, wiki, Xunlai, and the game as far as emails and passwords all being the same.

Amongst others, my main question was if they are able to resolve the issue how does replacing the lost items work? She said that the game was built so that it is actually impossible to just create something from scratch. This is in place to prevent someone from breaking in and creating say 2000 stacks of ectos and destroying the games economy. Not a bad policy.

In the end if they are able to locate the account / accounts involved it would be exceedingly difficult to track down all the items missing as they would probably have moved on to other accounts through either RMT companies or legitimate trades with another player. Then there's the question of if my VS was traded to some guy, if they take it from him then he's also left kinda screwed. In the end I shouldn't hold my breath that anything will be returned...Back to farming I guess.

I've posted on guru about a panda, but I believe he's only ever spammed Kamadan a few times over it. Again, we don't know if it's a coincidence (probably not), or if the person took his name from Kamadan chat (wtb panda 5000 ecto) and thought that he would make a good target (and obviously so).

And no, I don't imagine it was brave. What happens if someone figures out it was a hacker? He probably already moved what we had and what he wanted. He took an extra minute, and if someone 'caught' him - he logs out.

What I find more brave (aka stupid) is that he did this Sunday night, double HA point weekend, at like 8pm CST I think. This is an active playing time.

And I feel like I should share this with the community.

Those of us who lost a lot of really hard earned items are already very frustrated and saddened by this that the last thing we need are ignorant accusations from people that we're making up stories.

We're trying to share facts of our experiences for multiple reasons: 1) awareness; (2) to find common links of things we may forget to think of as important details otherwise; (3) for understanding of what might have happened to us.
You don't like it? Don't look at it.

And I never said that 'we were hacked for no reason. In fact, I said that there is good reason to target the hacked account and how we may have even become a target. I'm not saying it can't be a keylogger or brute force; I'm not acting like our account was invincible or that we got hacked 'for no reason.' I'm sharing the facts of what risk factors were and were not involved in this as far as we are aware of them. And again, factors that were not involved were viruses that would be shown by routine virus scan, giving out account info, gold selling/buying, etc.

With Indie's observation: I should clarify what I know of our hacked account. We were playing an hour before, and an hour after. We *may* have still been logged on during that afk time. I can't remember if there was a reported 007 or not but I can update this information later. There is a good chance that there was.

Everyone seems to be missing the key point of nearly all these stories. You were all hacked within minutes to hours of signing onto your game. Some even kicked out of game while playing. Read through all the stories... it's something that keeps being reported. We have only confirmation from 2 people that they had trojans in their system. 1 of them was hacked, 1 wasn't. If the other 15+ people have scanned their systems and have anti-virus scanners in place, which could possibly suggest no keylogger since the only one reported in this thread was an old trojan and would be flagged by a current anti-virus software, then the hackers may have a way of monitoring who is in game. They are hitting active playing accounts regardless.

Nearly everyone of them tells us that they were active and playing when their data was compromised. Make of that what you will. They aren't going mindlessly through and testing hundreds of emails and passwords, they aren't mindlessly going through and sifting through hundreds of inactive accounts. If the majority of people can not find an infection on their system then these hackers are either getting around multiple anti-virus systems or they are monitoring the game/your client somehow. Let it speak for itself.

AVs are not magical. AV company must get hands on sample of new virus/trojan & analyze it to be able to detect it unless author is very stupid. And after that it still takes time for updates to propagate. All that assuming it gets noticed by them.

Besides, it does not necessarily need to be keylogger as people understand it. GW binary can be patched to also send entered password and username to attacker. Common feature of specifically targeted malware.

What is last modification date on hacked peoples gw.exe?

This gave me a sudden thought - this person was looking in kamadan for a panda, so it's possible someone saw them and knew they had xxx amount of ectos for a panda ---- I had been buying zaishen keys 100k at a time for a couple weeks to turn my plats into something else, so maybe someone saw me looking to buy zaishen keys and figured I might have a whole bunch on my account. The other people who were hacked - have you been looking to buy or sell a high ticket item, especially in kamadan or gtob? Cause maybe the 'hacker' is watching the wtb/wts to target people who look like they have a bunch of stuff to steal? OR maybe if they see you in town with a ghostly/panda/greased lightning or chaos gloves or something, they're targeting that?

Very interesting to note on how seriously ANet are taking this - the promptness and detail of phones calls be made by Gaile and co are an indication (imo) that something very serious has (or still is) transpired. Don't think we have ever experienced anything like this from them.

As for the possible cause, yes there seems to be some kinda correlation between players asking for something in chat in the likes of Kamadan and them then getting targetted. I have 2 friends that have been hit with this - both of them stating that they did hit a high-end trade recently in Kamadan (both for Tormented weapons). Someone earlier mentioned a debugger encounter, makes me wonder if the hackers (if indeed this is a case) of intercepting information. Though I will be very surprised indeed if they can link this back to being able to get UserID and Password from the game. Just my thoughts though

From the GW Wiki

they probally sick of people bitching on here

Yes, excellent point! Very nearly my point:
Wonder if the following is related?

doesnt mean gw got hacked

Doesn't it?

Care to elaborate upon this point my apathetic, astute and articulate young fellow?

-m0r

That update and those notes simply suggest that a crash bug was found and corrected, not that user's accounts were compromised. Absent further evidence, it's illogical to assume the two events are anything more than a coincidence.

its not that bad....i got hacked 1750e when ectos where 6k each 5 toremnted weapons when they were 100k+100e each....and 5 mil in items and cash...i sent emails to support everyday and all i got was automated messages....got nothing back at all...my friends get hacked they lose 100k and they email support and they get their stuff back...support imo sucks

Its posts like this that makes me think most of the people saying they were hacked are just idiots who want to get back at NCSoft/Anet for whatever reason. Its impossible for your friends items to have been replaced, so your obviously attempting to spread false information.
Your computer security is your own responsibility. There's no reason why NCSoft or Anet should replace items you had stolen due to your own stupidity.

im just wondering if theres a way for anet to "restore" deleted characters
coz i know in wow theres been instances where ive had a friend who got hacked
get all his items and characters restored.

I talked with Gaile too, it seems like they're looking at not just the possibility of people having trojans or something on their computers, but also what commonality there might be between using the same passwords for guru/gw/xunlai and maybe selling high end things on guru or spamming them in kamadan (which might make them a target for these people)

Edit- I'm not saying guru had anything to do with it, only that the thieves might be using guru and kamadan etc. to find people who seem to have money or high end items

So sounds like they might be heading in some direction but no firm ideas yet. She seemed genuinely annoyed that people would do this. And yeah, there's no way anybody can get their stuff back, they didn't write the ability into the code for gw1 (but she requested something along those lines for gw2!)

Sounds like the perfect opportunity for ANet to set up a sting. Have an undercover GM set up an account, go into Kamadan, and spam WTB <something really expensive> for <some outrageous amount>.

Sounds like ANet is missing a good business opportunity, as well. When your car is stolen, you have car insurance to get it replaced. When some burglar cleans out your apartment, you have renter's insurance to get your stuff replaced. It doesn't matter if it happened because your security was lax; your losses (or some percentage of them) are made good. Maybe ANet should sell "character insurance". $xx gets you a guarantee of in-game-gold reimbursement for any provable losses due to hacking.

Well at least they did not delete characters this time around. Personally i really wish they would devote a 3 month update period for a character locking feature. Even if i had to pay to get this feature, I would paid a reasonable fee to know my main will make it for gw2. The long period b4 gw2 make me paranoid that I might do something stupid that removes all the work I've done in the HoM

of course hackers never stop. The chance to steal something awesome instead of earn it themselves is just too tempting for some people. simple as that.

My account was accessed by someone too. Logged on couple of days ago, popped onto guild chat, and it said I had been online 5 hours ago which I hadn't. Nothing was taken as I have nothing worth stealing these days.

I think the same thing happened to me, too. When I logged onto one of my characters yesterday, somehow it was in GtoB. Even though I was in my GH before I log out. Note that I do know it is well and possible to get a "transfer" for your GH to GtoB if you log out in your GH and log in later. But I was watching the screen the entire time and no such "transfers"(the picture of GtoB will show, but it didn't) happened. Luckly none of my stuff was taken and my good, old 5k gold is still in the vault. But man, these hacks must be desperate, hard times for them too, eh?

So can you prove that everyone that was hacked was due to their "own stupidity"

Ok, let's consider two things here, Inde.

First of all, the stories could be similar for those users because the attacker decided to break into the account at an active playtime. Not everyone looks at their last login time when they access the game again. But it's very obvious when you are kicked out of the game for no good reason.
If I would go hacking GW I would do it at a time that's convenient for me.
When hacking a company or robbing a place it's best to wait till everyone is gone. But there will always be people playing GW, could be that the ones erroring out are just collateral damage.

Besides that, it was HA weekend and MAT, on Friday-evening my router somehow disconnected from the internet (resulting in a 007) and I had several moments of severe lag or disconnects during the weekend.
There could be a relation between the disconnects and the hacks, but this could also have other causes.

Second, let's assume the attacker monitors the game or the client.
This means that they must have compromised either the local system (most probably a troyan) or they have compromised a piece of infrastructure at one of A-net's datacenters. Otherwise routing mechanisms on the internet would make it hard to target an active session and break into it.

A compromise at A-net's side would probably have caused many more people reporting loss of items. Or that did happen but those people ain't active on guru.

It could be targeted attacks on active connections, but it's not one of the usual suspects.
Pulling an active connection from the internet isn't something just the average guy is able to do. And requires monitoring a certain infrastructure point on the internet. I would target

Now there is one more option I didn't consider yet.
Man in the middle with a compromised HOSTS file.
This way all traffic could be rerouted through the systems of an attacker who could be able to take over the connection without A-net even noticing.
And the user would get problems connecting when the route is cut.
Dunno how many AV companies scan that file.

The last resort option is the option no-one wants to know but everyone is somewhat aware of.

So based on the information I have atm I'd either expect compromise of the client or people who have reused or submitted their login credentials somewhere else.
It's the most obvious cause given the information we have and general knowledge of hacking.

This is the option I thought was most probable given the nature of the problems stated here. Very troubling is someone found such an opportunity, but unless he's some serious hacker, Anet should find him (or them, RMT is probable).

I'll reply to your other post by PM when I get the time.

Spybot checks the hosts file if I'm not mistaken. Anyway that's what I was thinking too. The hacker sniffs, intercepts packages after which he can take on the identity of the user while Anet and the client aren't aware of it. The user gets a disconnect ofcourse, but that happened to all of us in the past at some point. So the user is not aware he's being hacked.

@Fril and Gun,

MitM could be an option but still it would most likely indicate a problem on client side.
It's not possible to just sniff traffic and take over the connection without compromising some vital parts of the internet (main routers etc). Else, because of the routing infrastructure, it would be more a gamble.
So an attacker should gain control of the initial connection and relay traffic from the client to his/her own computers. From there just forward the traffic to the real A-net servers. At a certain time cut the connection and reconnect from the hackers computer.
I'm not sure how the GW client handles this, but there seems to be state-control in it.
I know that when 'friends' disconnects and I do a reconnect later at some times this functions normal and some times it will ask for credentials again.

I'm not sure how login credentials are send from the client to the GW infrastructure.
If plain it's vulnerable to MitM. If not, only taking over a working connection works.

In all cases MitM is a rather sophisticated attack and hard to pull off.
And in almost all cases requires some action from the user.

Speaking of "disconnect before the hack" issue. I'm not totally sure but I think that you will get disconnect message if someone else tries to log into your account while you're still ingame.

Looking for things these incidences have in common might be a futile effort if the hackers have been harvesting user credentials for an extended period of time before acting on them. If the exposure that gave them the info happened some weeks or even months ago, looking for the avenue through which it happened is too late now.

If I were an account stealing RTM parasite, I'd sit on stolen account info until I had a whole bunch of it, then plunder them all in as little time as I could and sell the spoils before a ANet could stop me. Money in the bank, they could ban me for all I'd care.

It's my belief this is how these things go. Account hacks don't happen en masse because of a sudden exploit, they happen that way because it's convenient for the account thief.

One simple solution I have seen MMO's take to prevent loss of character due to hackers is simply put a 7 day waiting period on character deletion. For PVE characters only I would see no reason to do this for PVP characters since we all switch them around according to what our guild/team needs. Put PVE characters in "timeout" for 7 days at which point at anytime during those 7 days you can cancel deletion. Because I am with everyone else losing cash/items would irritate me but it just means more farming. Losing my ranger or warrior that was created 44 months ago would prolly make me /ragequit and uninstall.

Ok this is part of the email I sent to supportliaison which explains what happened to me a bit better
Now I've been looking at whats been posted on here. My Guru account uses a different email and password,so does my Ncsoft account and I dont have a Wiki account.Like I said my login name is an old email address that hasn't been used for about 2 years now.

Now, Xunlai House.I made an account there when it first started,logged in a couple of times and never used it since.I just thought I'd try it but dam, what was my email and password for it! So Thought I'd try my GW details and oh dear it worked This is the only place where I have used the same login details.Yes I know I shouldn't have but at the time I didn't know about peoples accounts being compromised and had completely forgotten about the Xunlai House.

exactly the same thing happened to me, all i had were some elite tomes, 20 gold weapons(all customised though ) and like 3k in storage :P.

yes this is true... you get logged out.. i cant believe people still trying to figure this out and point fingers everywhere at anet, other people, this and that.. it's like being on the freeway and it's stop and go traffic.. to only find out its a silly car accident and everyone stops to see blood.. its like beating a dead horse. let anet deal with it.

[QUOTE=
Now, Xunlai House. This is the only place where I have used the same login details.[/QUOTE]

Do any of the other affected player have the same login/pword in Xunlai house? Alot of people have multiple/old accounts also.....

I'll vouch for Inde on this. Had this issue before on Guru, just had an admin wipe my PMs and the problem was sorted.

First of all...

I would appreciate it, that some kind of assurance is given to us players by ArenaNet that the infrastucture of Guild Wars and all connection to other company parts (NCSoft) are thrustworthy.

Due to to SOX 404 i would like to have extra insurrance by a trusted thirth party to start an audit against the confidentiality, integrity and availability of the different systems (server, databases, application, network and middleware).
The report can give us players some assurance that at ArenaNet's all posible has been done to mitigate the risks of comprimisation of our accounts. I also know that IT is in scope of the audit reports for the financial results review by those auditors. What is their statement? If their is no audit report then i think this could also result in legal problems for Arenanet because they don't make transparant that they take security meassures serious. I mean taking preventive security meassures befor and not after occurance.

Also i want to mention the opportunity of implementing a challenge/respons system with a token just like Blizzard has implemented for those people who want more assurance that there hard work and labour in the game is extra protected. The level of security meassures should be increased by the value increasing over time. That means, to be answering another post, you by a car with a basic security level. You by all kind of nice expensive stuff resulting in the fact that the insurrance agencies wanting to add a higher alarm system. This is also the case with Guild Wars. I would like to pay for a challenge response system to know i am saver. It's like a life insurrance. To bad this is not implemented but investigated (see one of my posts on gaile gray's talk page on wiki).

*court is in session *
Lawyer for the people of GW: Your honor.. my clients are suing ANET for loss of ectos...

Keep smoking whatever it is that makes you happy i guess.

when i log into gw i see all the time security precautions they advise you dont give out info.. change password..etc.. Anet gives info about the number of people busted for gold scams etc.. i mean what do u want anet to do hold your hand on every site or everytime u change your password? how would u know what anet takes serious? do u work for them?

Security measures increased for increased level of play? life insurance for gw players? i tohught that life insurance crossed the line when j-lo had insurance taken out on her ass..but this...now im QQ in stiches..lol..wets self

Anet u could make alot of money selling in game life insurance.. if gieco has the gecko what mini would anet use for the "life insurance" campaign?

my vote would be a unicorn with a baskin robbins ice cream signature on the side.

I guess I will not assume it is just GW that has the problem? Or that they have an issue at all. From the action taken from A-net they are taken this very seriously and are probably reviewing the logs with a fine tooth comb. Fast response and individual contact is impressive. The easily could have took the e-mail support route.

One question I have is- If someone where to get your e-mail address how long would a hack program take on a 6 – 7 digit password

P.S. I also worry these hackers are using innocent Hacked Mules to transfer goods further hiding there existence. Three way trades worry me.

Because when a Ban Stick starts smacking people it takes the Military Approach “Guilty until you prove your innocence”