2 million NCSoft accounts stolen

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

Quote:
Originally Posted by Chris616263
Nope. I use Norton, haven't had a problem with my PC in over a year since I switched to Norton. It's funny that everybody hates on Norton; but I'm sure they all use different AV software and claim "it's the best". Note that nobody has actually said what AV they use when bashing Norton, either.
you had McAfee before???

I hope that anet takes this to heart and puts back that security layer that ncsoft removed. 'Just because it seems to be working is not a reason to stop using it'.

bhavv

Furnace Stoker

Join Date: Sep 2006

I've been using AVG Free for years, and also started using Microsoft Security Essentials after getting Windows 7.

Both of them are free and I've never had a problem with viruses or malware.

I also got a free copy of Kaspersky bundled with a motherboard, but I haven't bothered installing it since I don't need it. I think it would only be a cut-down version or just a 1-year license and then you have to pay, so I never bothered using it.

kokoninja

Academy Page

Join Date: Apr 2007

NYC

Rogues of the Silver Dragon (RosD)

R/A

Quote:
Originally Posted by Nerel
I'm not sure if this is relevant to the thread, and I certainly don't want to join the Norton bashing (despite it being a bloated shitty product), but I recently noticed something in Guild Wars that seems Norton related whilst looking at some screen shots of Dhuum.

Screen shot linked... my apologies for my poor attempt at enlarging the interesting portion of the screen shot, my Photoshop skills are lacking



http://img171.imageshack.us/img171/649/dhuum01.jpg
O.M.G.
Such poetic irony.

Good find, my friend.

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

Quote:
Originally Posted by Gennadios
If anything, setting up a new password just ups your chances of it being noticed in any keyloggers that are hiding on one's system.
I've been wondering about the relative risks of changing vs. not changing passwords too. Normally it's a no-brainer, but NCSoft is so incompetent with security that I wouldn't be surprised if it's safer to just leave things alone. What are the risks of NCSoft accidentally sending your confirmation to the wrong person, a hacker listening to NCSoft's site and intercepting your password change, etc., compared to the risks of someone having your current password? Anyone here have enough actual security knowledge to hazard a good guess?

Nerel

Jungle Guide

Join Date: Jun 2008

Australia, what you want my home address?

[CAT]

Mo/

Quote:
Originally Posted by jray14
I've been wondering about the relative risks of changing vs. not changing passwords too. Normally it's a no-brainer, but NCSoft is so incompetent with security that I wouldn't be surprised if it's safer to just leave things alone. What are the risks of NCSoft accidentally sending your confirmation to the wrong person, a hacker listening to NCSoft's site and intercepting your password change, etc., compared to the risks of someone having your current password? Anyone here have enough actual security knowledge to hazard a good guess?
If there is any accuracy to that Symantec report, the threat lies in the fact that the bad guys have somehow obtained about 2 million NCsoft account credentials (NCsoft master, or various NCsoft games, I don't think it made a distinction), presumably by gaining access to NCsoft's servers at some time in the past... not by hacking/keylogging individual users... this means, according to Symantec at least, that old account credentials (username, password etc.) are potentially vulnerable, and the safest thing to do would be to update your passwords.

Remember of course, this comes from Symantec (aka Norton Internet Bloatware).

Also, they have no idea of how old these 'NCsoft credentials' are, for all we know the 'hackers' could have obtained their data ages ago, and indeed might be the cause of the (relatively) recent huge number of compromised accounts that NCsoft addressed by (among other things) adding the character name to the login credentials for Guild Wars.

If in doubt, check your system thoroughly for virus/spyware... use multiple sources to check, don't rely on just one AV program, if your system is clean with no risk of keyloggers... go update your passwords.

End

Forge Runner

Join Date: Jan 2008

Rubbing Potassium on water fountains.

LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)

N/A

Quote:
Originally Posted by Feathermoore Rep
I mean, if my anti-virus doesn't catch it, that means my anti-virus company (if updated) doesn't even know about it yet. If my anti-virus, whose job it is to find and protect against them, can't find it, then I surely don't have the time or knowledge to look for it and tell if I have it.
Thank you for proving my point...you wouldn't know if your computer was infected...hence how can you say it worked wonders for you?

Quote:
Most anti-virus seem to be including more and more resident (active change monitor), so even trying to piggyback files tends to get noticed. And the number one source of keyloggers is third-party software.
Yet... this only got found after getting how many accounts? There is no perfect AV program out there... they will all miss stuff, and usually they miss the same stuff.

didis

Academy Page

Join Date: May 2006

Netherlands

Lowland Lions

Reading the posts of fellow Guru members, it's OK not to take the message seriously?
Only due to the fact that it's Symantec?

Symantec analyzed data in a discovered botnet. They stumbled upon the account information. It's not about virus detection software, like Norton 360 etc.
Be glad they found the information, that it is made public.

If Symantec discovered 2 million accounts possible to be hacked in the future, it's in my opinion Arenanet/Ncsoft who should be talking with Symantec to investigate whether or not the owners of the 2 million accounts should have an in game message/mail stating that they should change their passwords immediately. This will also give them conclusion to check the computer for malicious software.

Don't shoot the messenger, but the content....

EDIT:
It could have originated from the hacks of several gaming fora using outdated, insecure software, like WordPress, vBulletin etc.
Trojan.Loginck
Risk Level 1: Very Low
Discovered: May 20, 2010
Updated: May 20, 2010 1:36:08 PM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.Loginck is a Trojan horse that logs on to gaming websites to check if stolen gaming credentials are valid.
Detail: This Trojan can arrive on a computer through a variety of methods. As a result the file name of the Trojan will vary from one situation to another.

When the Trojan is executed, it contacts a predetermined server and downloads a list of stored user names and passwords for gaming websites.

Note: The Trojan does not steal these account details. They have likely been gathered by other information-stealing threats.

The Trojan then attempts to log into these gaming websites in order to determine if the account is valid.

Spyware website:
Trojan.Loginck Description
Trojan.Loginck is a dangerous Trojan infection. Trojan.Loginck will corrupt a computer system in a variety of ways, either by a spam email messages, malicious websites or file-sharing networks. The file name of the Trojan may differ from one situation to another. If Trojan.Loginck is executed on the computer system, it will contact a remote server and download a list of stored passwords for online gaming websites. The Trojan infection does not steal these account details. They have likely been collected by other information-stealing threats. The Trojan then will use the infected computer for trying to log into these gaming websites for checking if the account is valid. It is very important that a Trojan such as Trojan.Loginck is automatically detected and safely removed with a spyware removal tool.

Removal instruction:
To remove Trojan.Loginck, you must first stop any Trojan.Loginck processes that are running in your computer's memory. To stop all Trojan.Loginck processes, press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the "Processes" tab, search for Trojan.Loginck, then right-click it and select "End Process" key.

To delete Trojan.Loginck registry keys, open the Windows Registry Editor by clicking on the Windows "Start" button and selecting "Run." Type "regedit" into the box and click "OK." Once the Registry Editor is open, search for the registry key "HKEY_LOCAL_MACHINE\Software\Trojan.Loginck." Right-click this registry key and select "Delete."

Finally, to completely get rid of Trojan.Loginck, you must manually remove other Trojan.Loginck files. These Trojan.Loginck files can be in the form of EXE, DLL, LSP, TOOLBAR, BROWSER HIJACK, and/or BROWSER PLUGIN. For example, Trojan.Loginck might create a file like
%PROGRAM_FILES%\Trojan.Loginck\Trojan.Loginck.exe. Locate and remove these files.

GoF

Academy Page

Join Date: Jun 2009

Mo/

There's something I don't get here...

It took me a few hours to read through every post about the bans, and 5 minutes about this?

Isn't 2 million compromised accounts something more alarming to you people than 3,700 banned people? Where's ArenaNet now?

tripplesix

Lion's Arch Merchant

Join Date: Aug 2005

Quote:
Originally Posted by GoF
There's something I don't get here...

It took me a few hours to read through every post about the bans, and 5 minutes about this?

Isn't 2 million compromised accounts something more alarming to you people than 3,700 banned people? Where's ArenaNet now?
Look at it like this: because of the lack of responses in this thread, it means it's no big deal.

PuppyEater

Frost Gate Guardian

Join Date: Nov 2005

I'm on the left...

Guilds? Where we're going we don't need guilds...

R/Rt

Quote:
Originally Posted by End
Thank you for proving my point...you wouldn't know if your computer was infected...hence how can you say it worked wonders for you?
It's pretty safe to say that if the system hasn't been slowed down or taken over, and no kind of personal info has been compromised, then they don't have a virus, or at least not one that's anything to worry about...

If you feel fine then there's no reason to believe that you're sick and you just don't know it yet. Unless, of course, you're a hypochondriac...

Chthon

Grotto Attendant

Join Date: Apr 2007

This thread is not getting the kind of attention that it should be. I know there's WiK and the account bans and other stuff to keep people distracted, but still, we ought to be paying more attention to something of this magnitude.

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

People would rather spam "QQ MOAR BOTTURZ LOL DHUUMSDAY" than discuss something important in an intelligent manner, Chthon.

Ka Tet

Krytan Explorer

Join Date: Nov 2006

Pita Bread And Scud Missiles Ai[iiii]

Could someone please translate that article for the computer illiterate.
I get the part about the server, but how they got the info I did not understand. Did the virus take info from the users' PCs, or did they use the infected computers to search for databases and test passwords?
And yea that's pretty disconcerting. Would definitely be interested to find out what NC has to say about those accounts being new potential thefts or if it was old data from the accounts they worked to fix before.

edit: I went back to the Riverside page just to make sure I didn't miss something.
It might be good to relay that this is a new incident. I thought that it was an old thread that just had a new comment. I know I would have read this much sooner otherwise.

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Is everyone too busy attacking one another to notice this? Thanks for posting. Password changed. Again. It sure would be nice to see a response from NCSoft or ArenaNet about this.

I don't like Norton software either, but that has nothing to do with Symantec's report.

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Chthon
This thread is not getting the kind of attention that it should be. I know there's WiK and the account bans and other stuff to keep people distracted, but still, we ought to be paying more attention to something of this magnitude.
Frankly, a login announcement would be great. A red "Change your password NOW!" popup after login, even better.

People usually do not think that kind of danger applies to them, so apathy is understandable, even if stupid.

Gill Halendt

Desert Nomad

Join Date: Mar 2008

Check this out

Might be worth mentioning (and hopefully reassuring to you):

Quote:
Note: The Trojan does not steal these account details. They have likely been gathered by other information-stealing threats. The Trojan then attempts to log into these gaming websites in order to determine if the account is valid.
So, credentials were stolen in some other way (keylogging, phishing, scam).

Nothing new, but if I were you I'd change my password anyway.

GoF

Academy Page

Join Date: Jun 2009

Mo/

Quote:
Originally Posted by Gill Halendt
Check this out

Might be worth mentioning (and hopefully reassuring to you):



So, credentials were stolen in some other way (keylogging, phishing, scam).

Nothing new, but if I were you I'd change my password anyway.
Maybe the server just generates random credentials, and all infected systems just test them out. If it's used that way, they DO steal credentials.

Perkunas

Jungle Guide

Join Date: Aug 2006

In my own little world, looking at yours

Only Us[NotU]

E/

I wonder if all the WoW emails I have been getting the past few days are part of this theft ring. I don't have a WoW account, but have been told 5 times over the past 3 days that I need to first protect my account, then recover my account.

combatchuck

Lion's Arch Merchant

Join Date: Mar 2006

Mo/

Completely OT, I know, but I can't sit by and watch somebody recommend Nod32.

I can understand the vitriol regarding Symantec, especially where Norton is concerned. However, since the 2009 release of 360, the AV suite has actually been very well-reviewed. I've tried the version that my ISP gives out for free, and I think it's very passable. It's very fast, has great detection rates, and the company has good response times to outbreaks. It's not the best, but they're much better than ESET or Grisoft. The only free AV that's worth any time these days is probably Microsoft's own, unless your ISP offers Norton 360 for free. They're going to have a very tough time cleaning up their reputation of being the Quicktime of antivirus, but the new stuff is doing a good job of it.

Amy Awien

Forge Runner

Join Date: Jul 2006

R/

Quote:
Originally Posted by tha walkin dude
I get the part about the server, but how they got the info I did not understand.
I don't think they know, the database contained account info for a variety of games, this info was probably gathered using methods specific to each game - or game-publisher.

Quote:
... Did the virus take info from the users' PCs, or did they use the infected computers to search for databases and test passwords?
The virus (a trojan actually) was used to test the passwords.

JoeKnowMo

Jungle Guide

Join Date: Oct 2005

Wessst Siiide, USA

Mo/

Might be time for password change.

Quote:
Originally Posted by Theocrat
People would rather spam "QQ MOAR BOTTURZ LOL DHUUMSDAY" than discuss something important in an intelligent manner, Chthon.
Or maybe they'd rather spam, "Waah! I wuz banned becuz I cheated but I'm still going to cry that it's unfair."

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Gill Halendt
So, credentials were stolen in some other way (keylogging, phishing, scam).
The very obvious implication is that the NCSoft site did indeed have several huge vulnerabilities, and that the operators of this botnet exploited one or more of those vulnerabilities to extract 2 million sets of login credentials. Consider the following:

1. 10x more NCSoft account credentials were stolen than WoW account credentials. What's the most likely explanation for that? There are 10x as many NCSoft accounts in existence as there are WoW accounts, so being stolen at the same rate resulted in 10x as many NCSoft accounts being stolen? No, that premise is precisely the opposite of reality. There are more WoW accounts. NCSoft accounts have more monetary value, so they were targeted more by the thieves? Again, the premise is contrary to reality. WoW accounts are worth more cash. NCSoft customers are 10x dumber on average than WoW customers and 10x more likely to fall for phishing? Perhaps, but it seems unlikely. The most logical explanation is that an NCSoft account is 10x easier to steal because they have serious security flaws.

2. How often do you log into your NCSoft account? Probably not very often. You could have a keylogger on your system for months and it would never pick up your NCSoft password because you never type in your NCSoft password. Ergo, it's unlikely that they keylogged 2 million NCSoft passwords.

3. While there were phishing attempts for the NCSoft password reported on Guru, none that had the sort of volume you'd expect from something that would net 2 million suckers. Unless the phishing was targeted in a way that largely avoided people who post on Guru, we should have seen a lot more reports of attempted phishing than we did. Ergo, it's unlikely that they phished 2 million NCSoft passwords.

Ka Tet

Krytan Explorer

Join Date: Nov 2006

Pita Bread And Scud Missiles Ai[iiii]

Quote:
Originally Posted by Amy Awien
I don't think they know, the database contained account info for a variety of games, this info was probably gathered using methods specific to each game - or game-publisher.



The virus (a trojan actually) was used to test the passwords.
Thank you.
Did you know that "thank you" is not nine chars? I mention this only because I couldn't just post a thank you. Had to add additional characters. All done.

Gill Halendt

Desert Nomad

Join Date: Mar 2008

Quote:
Originally Posted by Chthon
[snip]
I know!

All I wanted to say is that the newly discovered trojan isn't the actual danger: the actual danger is probably found elsewhere (hello NCSoft, how's your website?)

So there's really nothing new to report.

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Quote:
Originally Posted by Gill Halendt
So there's really nothing new to report.
Well, there is the fact that we have independent confirmation of stolen NCSoft accounts and a figure attached to it. 2 million accounts is a rather significant figure.

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Now, this is worth concern. 3,700 banned players QQing is irrelevant. This is a big deal. NCSoft has routinely failed at security, and that doesn't seem to be changing.

I for one believe that this should be the point of public outcry. Legitimate players stand to lose their accounts daily because of this, and in far greater numbers than 3,700. This is a major issue, and major steps need to be taken immediately to fix this situation. I would highly recommend the route Blizzard has taken with the authenticator program, as that has been wildly successful.

twicky_kid

Furnace Stoker

Join Date: Jun 2005

Quite Vulgar [FUN]

2 million infected computers is a very small slice of the overall worldwide population of online gamers.

About a year ago I knew something was up when you saw more and more accounts being hacked over different games. I think the hackers are ahead of the curve on security. Security can only be reactive. I like authenticators. At least it's a physical device with less chance of being corrupted.

Though I'm sure it's only a matter of time before someone figures out a way to hack those as well.

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Quote:
Originally Posted by twicky_kid
2 million infected computers is a very small slice of the overall worldwide population of online gamers.

About a year ago I knew something was up when you saw more and more accounts being hacked over different games. I think the hackers are ahead of the curve on security. Security can only be reactive. I like authenticators. At least it's a physical device with less chance of being corrupted.

Though I'm sure it's only a matter of time before someone figures out a way to hack those as well.
You really can't hack something that has no connection to the outside world. You can intercept the data being sent by the user as a middle man and attempt to decrypt it, but those are very complex and more trouble to pull off than they are worth. Those types of hacks can also result in prison time.

Authenticators, on the whole, are the most secure method of account security on the planet, period.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

The reason that players aren't deeming this "newsworthy" is that we already knew that NCSoft had security issues. As of right now, the existence of this database is less of a concern than you might think.

Symantec is claiming that:
- somebody is running a botnet
- said botnet tests prospective credentials in online games
- the botnet's dictionary is from another source, probably bulletin boards

This is basically the scenario I proposed in December, except that I posited the use of brute force using the password reset function (a botnet could have snagged many accounts per day this way).

The obvious explanation for the observation that NCSoft accounts were disproportionately compromised is that the botnet was applying brute force to the NCSoft website. The entry mechanism could have been the login bug that some players claimed to have discovered on January 1 (but ANet vehemently denied), or it could have been the reset mechanism. Since those problems were almost certainly unique to NCSoft, it would explain why Blizzard's accounts were less likely to be compromised.

Either way, those issues have been fixed. I've verified that the password reset loopholes have been closed using some less valuable accounts, and the cessation of the rash of hacks conclusively suggests that any means of directly accessing another user's NCSoft account has been removed. Further, the attack mechanism strongly implies this. The thieves are targeting NCSoft accounts in the same way that they would target Blizzard or anyone else. The moral of the story is: don't use your GW access credentials for anything else, and for the time being you should be fine.

Authenticators would be great, and I sincerely hope that they implement them for GW2. I approve of anything that increases the costs of hacking accounts by six orders of magnitude.

I Rogue Syndicate I

Ascalonian Squire

Join Date: Apr 2010

W/D

Not trying to start any flaming here.. just a simple question as I have no idea what this is all about or what it is doing... but is it at all possible that any of this issue could have caused some false positives for any of the 3,700 account bans?

Pritst Of Death

Academy Page

Join Date: Nov 2009

Texas

CGU

P/

That's kind of a scary thought, that lots of the people banned could argue that it was stolen by someone else o.o

Nerel

Jungle Guide

Join Date: Jun 2008

Australia, what you want my home address?

[CAT]

Mo/

Quote:
Originally Posted by I Rogue Syndicate I
Not trying to start any flaming here.. just a simple question as I have no idea what this is all about or what it is doing... but is it at all possible that any of this issue could have caused some false positives for any of the 3,700 account bans?
No, not really, if your account was compromised and used to bot by a third party (say an RMT network steals your account and puts it to work botting gold) then Anet/NCsoft support would have a very hard time not noticing the IP difference from where you normally log in and play to where the compromised account is botting from.

Brett Kuntz

Core Guru

Join Date: Feb 2005

This is the original article:

http://www.symantec.com/connect/blog...ials-uncovered

NCSoft's website wasn't compromised; these 2 million accounts are from other means, such as hacking fansite forum databases, phishing, and keylogging. NCSoft likely has more total subs than Blizzard, which may be why there are more accounts. Also, a PlayNC account can have more than one game linked to it. Lineage 1, Lineage 2, Aion, Guild Wars, and City of Heroes are all very popular MMOs right now, and have been for a while.

NCSoft's account security is more than fine, really all people need is a username and password, and their account security will be as good as it gets. Even a random password of length 5 can't be guessed in anyone's lifetime.

There are companies out there that do nothing but steal accounts all day long, month after month. When Oct 2009 - Dec 2009 came around and there was an increase in NCSoft (Aion and Guild Wars mostly) accounts being hacked, I did some research. Here is what I came up with over Christmas Break 2009, in a single weekend, in my spare time:

I acquired a total of 200,000+++ database accounts from various Aion and Guild Wars fansites. After writing some text parsers and other various tools to sort and consolidate them into one giant ass file, I had 185,000 e-mails with matching MD5 hashes and Salts in a format hashcat liked.

I then set out and downloaded some simple dictionaries, the two best ones were milw0rm's and Argon's List ver2. I made another text script to consolidate and remove duplicate words from the dictionaries, and once again, form a giant ass dictionary. I can't remember how many words there were, but it was something like 40 million.

So here we go, I have a Quad Core at 4.4GHz, 1680MHz memory at CAS 6, and a 4GHz QPI bus, and it took almost exactly 5 hours to dictionary attack all 185,000 accounts.

Now before I give you the stats, I want to explain to you my theory that I wrote down before I set out to do all this. My theory was that 1% of fansite users are dumb enough to use the same email and password as their game accounts.

Boy was I wrong.

-185,000 forum/gamesite accounts (email and hash+salt)
-54,366 used easily guessed passwords (md5 cracked) (29.4%)
-Of those 54k, 10,873 were the same email/passwords as used on NCSoft accounts (20%)

In several hours over the course of a weekend, in my spare time, I gained access into 10,900 NCSoft accounts purely based on the stupidity of people using the same email/passwords on various fansites as their NCSoft account.

Most of these same fansite databases were hacked in Oct 2009 by the companies I explained above (the ones who steal accounts 24/7 as a full time business), resulting in an increase of NCSoft accounts being hacked in Nov 2009.

Essentially, the rumors that NCSoft was compromised were a direct result of that French (?) fansite and its 200,000 users being compromised.



Some of you might question how I had the time to log into all those accounts! Well I didn't! I emailed those 54,366 to an NCSoft database guy who ran a script to match my potential accounts against actual accounts, to see how many matched. That's where the 10,900 number comes from. So I didn't actually log into anyone's account. But if I were a mean person, and I wasn't just doing all this out of sheer curiosity, then I would have sold that list of 54,366 to that company I mentioned above for... probably $1 per account.

So let this be a lesson to you all: don't be one of the 20% of morons out there that use the same password on public fansites and your game account. You will get hacked eventually, and all the A/V firewall spybuster software in the world won't protect you from being a dummy.

In my original post I made a summary of the data. I actually did two different tests using just milw0rm's dictionary of 84k words (Test #1) and then a second test using a larger dictionary (40m words). The 10,900 was never confirmed, but it can be assumed it would be fairly accurate. The 6,400 from 32k accounts was confirmed.

1st Test:
32,000 recovers
6,400 (20%) were confirmed NCSoft accounts

2nd Test using 40 million word dic:
54,366 recovers
20% of that would be 10,873 (unconfirmed) NCSoft

Note: Some of you might wonder why NCSoft would cooperate with me (Brett) on the accounts. I have proven to be a pretty trustworthy guy in the community, and I am also under legal obligation, so the data was always safe. This experiment was all done in the name of science! Now we have a pretty solid statistic on how many dummies out there use the same weak passwords on public sites as well as their important private accounts.
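The matching step Brett describes (an NCSoft database person checking the recovered fansite credentials against real accounts) is, on the operator's side, a credential-reuse check followed by a forced reset. The block below is an added example, not code from this thread or from NCSoft or ArenaNet; it assumes the operator stores PBKDF2-HMAC-SHA256 salted hashes, and the leaked list and user table are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumption (not stated in the thread): the operator stores passwords as
# PBKDF2-HMAC-SHA256 with a random per-account salt. Iteration count kept
# modest so the constructed sample below runs quickly.
PBKDF2_ITERATIONS = 50_000


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> StoredCredential:
    """Simulate account creation: fresh random salt, salted hash only."""
    salt = os.urandom(16)
    return StoredCredential(salt=salt, digest=hash_password(password, salt))


def password_matches(stored: StoredCredential, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    return hmac.compare_digest(stored.digest, hash_password(candidate, stored.salt))


def normalize_email(email: str) -> str:
    return email.strip().lower()


def find_reused_credentials(
    leaked: Iterable[Tuple[str, str]],
    accounts: Dict[str, StoredCredential],
) -> List[str]:
    """E-mails of operator accounts whose current password equals the leaked one.

    The leaked plaintext is only ever run through the operator's own salted
    hash; nothing is logged in, and nothing is stored in plain text.
    """
    seen = set()
    reused = []
    for email, leaked_password in leaked:
        key = normalize_email(email)
        if key in seen:  # the same record often appears in several dumps
            continue
        seen.add(key)
        stored = accounts.get(key)
        if stored is not None and password_matches(stored, leaked_password):
            reused.append(key)
    return reused


def reuse_rate(
    leaked: Iterable[Tuple[str, str]],
    accounts: Dict[str, StoredCredential],
) -> float:
    """Fraction of distinct leaked e-mails that reuse their password here."""
    records = {normalize_email(e): p for e, p in leaked}
    if not records:
        return 0.0
    return len(find_reused_credentials(records.items(), accounts)) / len(records)


# Constructed sample: what a breached fansite's credentials might look like
# after the dictionary step Brett describes. Not real data.
SAMPLE_LEAK = [
    ("alice@example.com", "dragon123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "qwerty"),
    ("dave@example.com", "monkey"),
    ("Alice@Example.com ", "dragon123"),  # duplicate record, different casing
]

# Constructed operator user table. alice and carol reused their fansite
# password; bob chose a different one; dave has no account here.
SAMPLE_ACCOUNTS = {
    "alice@example.com": make_account("dragon123"),
    "bob@example.com": make_account("B0b-unique-passphrase"),
    "carol@example.com": make_account("qwerty"),
    "erin@example.com": make_account("correct horse battery staple"),
}


if __name__ == "__main__":
    flagged = find_reused_credentials(SAMPLE_LEAK, SAMPLE_ACCOUNTS)
    print("force password reset for:", flagged)
    print(f"reuse rate among leaked records: {reuse_rate(SAMPLE_LEAK, SAMPLE_ACCOUNTS):.0%}")
```

The flagged list is what would drive the in-game "change your password now" notice that several posters above asked for, without the operator ever needing the leaked passwords in the clear beyond the one hash comparison.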

tasha

Auctions Mod

Join Date: Jan 2006

UK

Mystic Spiral [MYST]

Quote:
Originally Posted by Martin Alvito
...
Either way, those issues have been fixed. I've verified that the password reset loopholes have been closed using some less valuable accounts, and the cessation of the rash of hacks conclusively suggests that any means of directly accessing another user's NCSoft account has been removed. Further, the attack mechanism strongly implies this. The thieves are targeting NCSoft accounts in the same way that they would target Blizzard or anyone else. The moral of the story is: don't use your GW access credentials for anything else, and for the time being you should be fine....
Related to this paragraph somewhat - could this be why we've been seeing more "payment fraud" bans on NCSoft accounts with the Guild Wars accounts being untouched?

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Brett Kuntz
This is the original article:

http://www.symantec.com/connect/blog...ials-uncovered

NCSoft's website wasn't compromised, these 2 million accounts are from other means, such as hacking fansite forum databases, phishing, and keylogging. NCSoft likely has more total subs than Blizzard, which may be why there is more accounts. Also, a PlayNC account can have more than one game linked to it. Lineage 1, Lineage 2, Aion, Guild Wars, and City of Heroes are all very popular MMO's right now, and have been for a while.

NCSoft's account security is more than fine, really all people need is a username and password, and their account security will be as good as it gets. Even a random password of length 5 can't be guessed in anyone's lifetime.

There are companies out there that do nothing but steal accounts all day long, month after month. When Oct 2009 - Dec 2009 came around and there was an increase in NCSoft (Aion and Guild Wars mostly) accounts being hacked, I did some research. Here is what I came up with over Christmas Break 2009, in a single weekend, in my spare time:

I acquired a total of 200,000+++ database accounts from various Aion and Guild Wars fansites. After writing some text parsers and other various tools to sort and consolidate them into one giant ass file, I had 185,000 e-mails with matching MD5 hashes and Salts in a format hashcat liked.

I then set out and downloaded some simple dictionaries, the two best ones were milw0rm's and Argon's List ver2. I made another text script to consolidate and remove duplicate words from the dictionaries, and once again, form a giant ass dictionary. I can't remember how many words there were, but it was something like 40 million.

So here we go, I have a Quad Core at 4.4GHz, 1680MHz memory at CAS 6, and a 4GHz QPI bus, and it took almost exactly 5 hours to dictionary attack all 185,000 accounts.

Now before I give you the stats, I want to explain to you my theory that I wrote down before I set out to do all this. My theory was that 1% of fansite users are dumb enough to use the same email and password as their game accounts.

Boy was I wrong.

-185,000 forum/gamesite accounts (email and hash+salt)
-54,366 used easily guessed passwords (md5 cracked) (29.4%)
-Of those 54k, 10,873 were the same email/passwords as used on NCSoft accounts (20%)

In several hours over the course of a weekend, in my spare time, I gained access into 10,900 NCSoft accounts purely based on the stupidity of people using the same email/passwords on various fansites as their NCSoft account.

Most of these same fansite databases were hacked in Oct 2009 by the companies I explained above (the ones who steal accounts 24/7 as a full time business), resulting in an increase of NCSoft accounts being hacked in Nov 2009.

Essentially, the rumors that NCSoft was compromised were a direct result of that French (?) fansite and its 200,000 users being compromised.



Some of you might question how I had the time to log into all those accounts! Well I didn't! I emailed those 54,366 to an NCSoft database guy who ran a script to match my potential accounts against actual accounts, to see how many matched. That's where the 10,900 number comes from. So I didn't actually log into anyone's account. But if I were a mean person, and I wasn't just doing all this out of sheer curiosity, then I would have sold that list of 54,366 to that company I mentioned above for... probably $1 per account.

So let this be a lesson to you all, don't be one of the 20% of morons out there that use the same password on public fansites and your game account. You will get hacked eventually, and all the A/V firewall spybuster software in the world won't protect you from being a dummy.

In my original post I made a summary of the data. I actually did two different tests using just milw0rm's dictionary of 84k words (Test #1) and then a second test using a larger dictionary (40m words). The 10,900 was never confirmed, but it can be assumed it would be fairly accurate. The 6,400 from 32k accounts was confirmed.

Note: Some of you might wonder why NCSoft would cooperate with me (Brett) on the accounts. I have proven to be a pretty trustworthy guy in the community, and I am also under legal obligation, so the data was always safe. This experiment was all done in the name of science! Now we have a pretty solid statistic on how many dummies out there use the same weak passwords on public sites as well as their important private accounts.
Wow. That's an epic illustration of how important it is to use unique logins and (strong) passwords for everything that matters to you... and also the shocking percentage of idiots who aren't doing that.
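As an added example (not code from Brett's post, nor any tool NCSoft or the fansites used), here is the pipeline the quoted post describes, in miniature in Python: a dictionary attack against per-user salted MD5 forum hashes, followed by a check of which cracked email/password pairs also verify against a separate game-account store. All data below is constructed. The forum hash layout md5(salt + password) (hashcat mode 20) and the sha256-based scheme on the game side are assumptions made for the illustration, not what the fansites or NCSoft actually used.

```python
"""Dictionary attack on salted MD5 forum hashes, then a credential-reuse check.

Added example, not from the original post. All sample data is constructed.
Assumed forum hash layout: md5(salt + password), hex encoded (hashcat -m 20).
"""
import hashlib


def _md5_salted(salt, password):
    """Assumed forum scheme: md5(salt + password), hex digest."""
    return hashlib.md5((salt + password).encode()).hexdigest()


# Constructed forum dump: (email, per-user salt, md5(salt + password)).
FORUM_DUMP = [
    ("alice@example.com", "x9", _md5_salted("x9", "password1")),
    ("bob@example.com",   "q3", _md5_salted("q3", "dragon")),
    ("carol@example.com", "m7", _md5_salted("m7", "Tq8#v!L2pwz")),  # not in wordlist
    ("dave@example.com",  "k1", _md5_salted("k1", "letmein")),
    ("erin@example.com",  "z4", _md5_salted("z4", "guildwars")),
]

# Constructed stand-in for a dictionary such as the ones named in the post.
WORDLIST = ["123456", "password", "password1", "dragon",
            "letmein", "qwerty", "guildwars", "aion"]


def crack_salted_md5(dump, wordlist):
    """Return {email: password} for every entry whose hash matches a word.

    Because each account carries its own salt, every word has to be re-hashed
    per account, so the cost is len(dump) * len(wordlist) MD5 calls. A per-user
    salt only multiplies the attacker's work linearly; it does not rescue a
    fast hash like MD5 from a large dictionary run.
    """
    cracked = {}
    for email, salt, digest in dump:
        for word in wordlist:
            if _md5_salted(salt, word) == digest:
                cracked[email] = word
                break
    return cracked


def _game_hash(salt, password):
    """Assumed game-side scheme (different from the forum): sha256(salt + pw)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed game-account store: email -> (salt, hash). Plaintext never
# leaves the operator; only candidate (email, password) pairs come in.
GAME_DB = {
    "alice@example.com": ("s1", _game_hash("s1", "password1")),      # reused
    "bob@example.com":   ("s2", _game_hash("s2", "Another-Pw-42")),  # different
    "dave@example.com":  ("s3", _game_hash("s3", "letmein")),        # reused
    "erin@example.com":  ("s4", _game_hash("s4", "guildwars")),      # reused
    # carol has no game account at all
}


def match_reuse(candidates, game_db):
    """Return the emails whose cracked forum password also verifies on the
    game side. This is the matching step the post says an NCSoft employee's
    script performed: the operator re-derives its own hash for each candidate
    and reports only hit/miss, without ever exposing its stored hashes."""
    reused = set()
    for email, password in candidates.items():
        entry = game_db.get(email)
        if entry is None:
            continue
        salt, digest = entry
        if _game_hash(salt, password) == digest:
            reused.add(email)
    return reused


def reuse_report(dump, wordlist, game_db):
    """Summary in the same shape as the post's numbers: cracked and reused."""
    cracked = crack_salted_md5(dump, wordlist)
    reused = match_reuse(cracked, game_db)
    return {
        "accounts": len(dump),
        "cracked": len(cracked),
        "cracked_pct": round(100.0 * len(cracked) / len(dump), 1),
        "reused": len(reused),
        "reused_pct_of_cracked": (round(100.0 * len(reused) / len(cracked), 1)
                                  if cracked else 0.0),
    }


if __name__ == "__main__":
    print(reuse_report(FORUM_DUMP, WORDLIST, GAME_DB))
```

Two things the toy run makes concrete. First, the salts in the forum dump only force the attacker to hash each word once per account, which is why a weekend of CPU time was enough for 185,000 hashes and a 40-million-word list. Second, the reuse check itself needs nothing from the game operator except a yes/no per candidate, so a defender can run the same matching against their own store (or, better, reject reused passwords at set time) without the candidate list ever having to be sold or logged into.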

oxylus

Ascalonian Squire

Join Date: Feb 2006

R/E

Quote:
Originally Posted by Brett Kuntz View Post
I acquired a total of 200,000+++ database accounts from various Aion and Guild Wars fansites.
Wait - how exactly did you acquire NCSoft accounts? Are you an owner/employee of these sites whose normal work involves access to these accounts? I find it hard to believe that a company would just pass off its userbase details to someone - even salted MD5 hashes are weak given a long enough attack, as you demonstrated.

Stuart444

Krytan Explorer

Join Date: Aug 2007

Alexandria, Scotland

The Charter Vanguard [CV]

W/

Quote:
Originally Posted by Brett Kuntz View Post
important stuff
Wow, nice research there (seriously, no sarcasm intended)

Brett Kuntz

Core Guru

Join Date: Feb 2005

Quote:
Originally Posted by oxylus View Post
Wait - how exactly did you acquire NCSoft accounts? Are you an owner/employee of these sites whose normal work involves access to these accounts? I find it hard to believe that a company would just pass off its userbase details to someone - even salted MD5 hashes are weak given a long enough attack, as you demonstrated.
The same way children without money acquire candy from a store.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Brett,

The dispute has always been over volume. I believe what you're saying. However, I believe that your hypothesized vector of attack has always been assumed to be present among the more sophisticated.

Claiming that your method is causal basically requires believing that the attackers were dumb before (July? October?) but suddenly got smart. By contrast, believing in NCSoft vulnerabilities requires believing that the hackers were smart to begin with but got smarter after reviewing the condition of the site, and altered the vector of attack as a result.

The math associated with brute forcing birthday password resets using botnets is just too attractive to a professional hacker. Especially given that we now know that botnets are being used.

In short, I accept the contention that what you describe is part of the explanation, but reject ANet's contention that it constitutes the full explanation. Too many educated people aware of good security practices got hacked for me to believe that this was a simple case of BBS hacking and social engineering. The explanation just doesn't fit the data.

Ka Tet

Krytan Explorer

Join Date: Nov 2006

Pita Bread And Scud Missiles Ai[iiii]

Quote:
Originally Posted by Brett Kuntz View Post
I emailed those 54,366 to an NCSoft database guy who ran a script to match my potential accounts against actual accounts, to see how many matched. That's where the 10,900 number comes from. So I didn't actually log into anyone's account. But if I were a mean person, and I wasn't just doing all this out of shear curiosity, then I would have sold that list of 54,366 to that company I mentioned above for... probably $1 per account.
Just to be sure, does this mean you emailed a list of 50k sets of login info that you thought might work to a NCSoft employee. And then, he e-mailed you back and told you 10k were valid?