Feb 24, 2009, 01:14 AM // 01:14
|
#121
|
Desert Nomad
Join Date: Feb 2007
Profession: Mo/W
|
Quote:
Originally Posted by Regina Buenaobra
We’re currently investigating this specific series of incidents. The more data we are able to put together, the more information we’ll have to get to the bottom of this, so we would like to get in touch with the players who were affected. This request applies ONLY to players who were affected by this recent incident. Unless you match these criteria below, please go through the support ticketing system:
- Your account was affected on February 22 or February 23.
- You were able to login (your password was not changed).
- You had gold and/or items removed, or items added to your account
It would really help the support team know the following details when you write:
- The outpost your character was in when you logged in.
- Whether any characters were deleted.
- Exactly what was removed and/or what item(s) may have been deposited on the account by someone other than yourself in the last two days.
Any other details of note, no matter how small.
If you believe you were affected by the incident yesterday, please contact [email protected], and provide your real name, account name, and a telephone number (along with the time you could accept a call about this matter and your time zone). Please note that the earliest you can expect a phone call is tomorrow.
Thanks.
|
awesome, glad anet is looking into it
|
|
|
Feb 24, 2009, 01:16 AM // 01:16
|
#122
|
God of Spammers
Join Date: Oct 2005
Location: in the middle of a burning cornfield...
Guild: Scars Meadows [SMS] (Officer)
|
ANet is going to CALL people? Wow that is pretty cool... usually you have to call them.
|
|
|
Feb 24, 2009, 01:34 AM // 01:34
|
#123
|
Forge Runner
Join Date: Jan 2006
Guild: [HiDe]
Profession: W/
|
Well I hope you get to the bottom of it Regina, I don't like the idea of people being able to access accounts when those people supposedly didn't make a mistake.
|
|
|
Feb 24, 2009, 01:42 AM // 01:42
|
#124
|
Forge Runner
Join Date: Oct 2005
Profession: W/
|
Sent in the email Regina, thanks for the concern
|
|
|
Feb 24, 2009, 01:47 AM // 01:47
|
#125
|
Site Contributor
Join Date: Apr 2007
Location: Phoenix, Arizona
Guild: Blinkie Ponie Armie [bpa]
Profession: N/Mo
|
That's.... more than a bit worrying. But at least they're working on it? O___O
|
|
|
Feb 24, 2009, 02:02 AM // 02:02
|
#126
|
Ascalonian Squire
Join Date: Apr 2005
Location: Amerika
Guild: [TofT]
|
Quote:
Originally Posted by Regina Buenaobra
Unless you match these criteria below, please go through the support ticketing system:
If you believe you were affected by the incident yesterday, please contact [email protected], and provide your real name, account name, and a telephone number (along with the time you could accept a call about this matter and your time zone). Please note that the earliest you can expect a phone call is tomorrow.
|
What if we already filed a ticket? Should we provide another email? Or should we continue to add on to the plaync ticket information?
Is there any other advice you can give us in the meantime?
Stay logged on? Don't login? Don't do online bill pay etc?
|
|
|
Feb 24, 2009, 02:06 AM // 02:06
|
#127
|
ArenaNet
Join Date: Apr 2008
Profession: Me/
|
Quote:
Originally Posted by Balkoth
What if we already filed a ticket? Should we provide another email? Or should we continue to add on to the plaync ticket information?
Is there any other advice you can give us in the meantime?
Stay logged on? Don't login? Don't do online bill pay etc?
|
If your incident fits the criteria, go ahead and email the address above, providing all the information listed. Also include your support incident number as well, so they will be able to cross-reference the information.
Continue to work with PlayNC, and let them know that you have emailed the Support Liaison about this.
__________________
Regina Buenaobra
Community Manager
ArenaNet, Inc.
|
|
|
Feb 24, 2009, 02:09 AM // 02:09
|
#128
|
Furnace Stoker
|
Let's get all the facts together, with the help of all affected users.
Strangely, the only reports of those incidents I've seen are here in this thread, and none on other forums or wikis.
By the procedure of how the hackings were done it's clear that it has to be an RMT company, it's a massive scale project they're doing in a great hurry.
They're not malicious so don't delete any characters, they only rob, as fast as possible.
They only take top value quickly sellable items or pure currency (gold/zk/e) and always trade some junk back as a means of preventing automated detection.
They're in a great hurry so often miss obviously valuable items.
They don't change passwords - they most likely can't - it may mean this method doesn't allow that, or they would do it for sure, as accounts are more valuable to them than some money.
So some Questions that hacked people should answer, so we get more facts:
Admin Edit: You are asking questions that could compromise someone's account security.
|
|
|
Feb 24, 2009, 02:39 AM // 02:39
|
#129
|
Academy Page
Join Date: Jan 2008
Location: The Netherlands
Guild: Eevee Breeders United [cute]
Profession: Me/
|
I'd just like to add that the same happened to me. (Had to be between Monday 01:00 and 14:00 GMT+1) Someone traded my 75e for a Mini Windrider, nothing else is missing.
|
|
|
Feb 24, 2009, 02:41 AM // 02:41
|
#130
|
Departed from Tyria
Join Date: May 2007
Guild: Clan Dethryche [dth]
Profession: R/
|
I've sent an e-mail to the Support Liaison per Regina's request. This will hopefully be sorted out soon.
Last edited by Shayne Hawke; Feb 24, 2009 at 03:31 AM // 03:31..
|
|
|
Feb 24, 2009, 02:43 AM // 02:43
|
#131
|
Ascalonian Squire
Join Date: Jan 2009
Profession: W/A
|
Haven't been hacked, just scanned my Gw.exe here. Mine's completely clean it looks like?
Code:
File: Gw.exe
Status: OK
MD5: e3446754fbd659170df74dd63ff1506d
Packers detected: -
Scanner results
Scan taken on 24 Feb 2009 02:35:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
|
|
|
Feb 24, 2009, 03:04 AM // 03:04
|
#132
|
Lion's Arch Merchant
Join Date: Nov 2008
Location: Where no man has ever gone before.
Guild: Syndicate Nightmare [SyN]
|
Stop feeding yourself to the phishers.
|
|
|
Feb 24, 2009, 04:20 AM // 04:20
|
#133
|
Krytan Explorer
Join Date: Mar 2008
Location: South Texas
Guild: Paper St Fight Club [Soap]
Profession: Mo/
|
Ok. After reading about how everyone, including myself, who have been hacked over the last few days I have come to a conclusion. There is something we all have in common that a hacker could exploit. While we all have all these badass security thingies and unbeatable passwords, none of it matters if I am right.
If we look at this situation holistically...it tells us that the hacker has a very easy way of getting in to all of our accounts... the hacker hacked Anet.
It makes perfect sense to me. All our account info is there, emails and passwords. They can see when we log off, and there is probably a way to validate what is in the inventories of whatever accounts they look at. Why not go after the super rich? I am guessing they haven't come across those accounts yet...
Anyone see my logic here or am I paranoid?
|
|
|
Feb 24, 2009, 04:25 AM // 04:25
|
#134
|
Departed from Tyria
Join Date: May 2007
Guild: Clan Dethryche [dth]
Profession: R/
|
Quote:
Originally Posted by Adult
Anyone see my logic here or am I paranoid?
|
I believe that ANet would have realized and halted any attempt that was targeting them directly to harm/steal other players' accounts. Someone hacking ANet or Guild Wars would be the easiest explanation for it being the most easily visible common factor. However, that seems like the least likely as well, and they probably would have told us already if there was a security breach made/fixed at their end.
|
|
|
Feb 24, 2009, 04:27 AM // 04:27
|
#135
|
Ascalonian Squire
Join Date: Apr 2005
Location: Amerika
Guild: [TofT]
|
breakdown
Quote:
Originally Posted by Shayne Hawke
I believe that ANet would have realized and halted any attempt that was targeting them directly to harm/steal other players' accounts. Someone hacking ANet or Guild Wars would be the easiest explanation for it being the most easily visible common factor. However, that seems like the least likely as well, and they probably would have told us already if there was a security breach made/fixed at their end.
|
I agree. I would also narrow it down to our web history, I use Opera 9.63 and I've visited a number of gaming websites (gaming websites would most likely have gaming trojans) in the days leading up to the attack.
Which ones do we have in common? GameTrailers? Aion? NcSoft maybe?
|
|
|
Feb 24, 2009, 04:33 AM // 04:33
|
#136
|
Forge Runner
Join Date: Feb 2008
Guild: The Warrior Priests [WP]
Profession: Me/Rt
|
Thought I would hop in and mention that my hacked friend got a call from Gaile Gray herself less than an hour after emailing with what Regina requested, so this is being taken very seriously.
|
|
|
Feb 24, 2009, 04:39 AM // 04:39
|
#137
|
Wilds Pathfinder
|
Quote:
Originally Posted by Fril Estelin
The way most AV work makes it so that you need a significant rewrite to escape heuristics. And I'm not even mentioning SW profiles and behaviour.
|
I'm highly skeptical of this, having coded high-level language assemblers, as well as multi-threaded OS's. Perhaps the AV scanners finally use dis-assemblers and look for certain signatures, but it's more than simple to add memory/register swaps and use different registers to fool them, as well as simply changing more efficient instruction combinatorics for less efficient ones (or vice versa)... I'm betting adding buttloads of assy (conditional) jumpcodes fool most scanners, but I've not done a lot with detection. An 8k vs 20k vs 60k vs 640k keylogger gives a lot of room for *fudge*... I'm also suspicious of your use of the term "heuristics", having developed them for AI routines, but whatever (I suppose people still consider spam filters to be AI)...
Quote:
Originally Posted by Fril Estelin
Where did you learn hacking 101? All modern compilers prevent most buffer overflows, and even if you had one on the GW servers, you wouldn't use it to swap sessions...
|
Did I not say *SOMETHING LIKE*? (checking...) "AKIN." As in, similar. How do you think most exploits of servers are found? Usually by sending strings of (more-or-less) random gibberish, and hoping that one of them causes the server to JMP (or fall through) to unexecutable (or out of range, or different range) code.
Who said *YOU* are the one swapping sessions? This may be the result of unintended faulty server-side code. As in, some session variable that should be CONST somehow gets overwritten by unintention, thus setting it to point elsewhere (merits of C++? LOL)...
101? Nice, Thx for the flames. You make the bad assumption that the in-house ad hoc compiler used by GW coders is *MODERN* (or complete, consistent, "peer-reviewed", etc). Are you going to jump my ass in this thread (like the other one) based on some technicality? Did I NOT say 2 was unlikely? (checking...) "QUITE A STRETCH." Pls, take the flames to private chat in the future.
|
|
|
Feb 24, 2009, 04:44 AM // 04:44
|
#138
|
Departed from Tyria
Join Date: May 2007
Guild: Clan Dethryche [dth]
Profession: R/
|
Quote:
Originally Posted by Balkoth
I agree. I would also narrow it down to our web history, I use Opera 9.63 and I've visited a number of gaming websites (gaming websites would most likely have gaming trojans) in the days leading up to the attack.
Which ones do we have in common? GameTrailers? Aion? NcSoft maybe?
|
There are two things that a person would need to quickly, easily, and successfully hack a GW account: a password and an e-mail/account name. You would have to compile a search based on where and when one of those two things was used at some other location than the GW client.
I'm sure that Regina would prefer that we send any such details to where she has directed so that they can be the ones holding the info and not have it posted here publicly on a forum.
One thing I'd like to bring up is that we don't really have any certainty as to when the information to our accounts was compromised. We just know that it was used against us in a short period just recently. This could have been a collection that was in the works for some time now and just suddenly activated.
|
|
|
Feb 24, 2009, 04:48 AM // 04:48
|
#139
|
Wilds Pathfinder
|
Quote:
Originally Posted by Jhadur
Do any of the other people getting hacked have their accounts linked to NCSoft?
|
From what I've read so far, this is a blaring coincidence (until shot down!).
|
|
|
Feb 24, 2009, 04:53 AM // 04:53
|
#140
|
Ascalonian Squire
Join Date: Apr 2005
Location: Amerika
Guild: [TofT]
|
Quote:
Originally Posted by Shayne Hawke
There are two things that a person would need to quickly, easily, and successfully hack a GW account: a password and an e-mail/account name. You would have to compile a search based on where and when one of those two things was used at some other location than the GW client.
I'm sure that Regina would prefer that we send any such details to where she has directed so that they can be the ones holding the info and not have it posted here publicly on a forum.
One thing I'd like to bring up is that we don't really have any certainty as to when the information to our accounts was compromised. We just know that it was used against us in a short period just recently. This could have been a collection that was in the works for some time now and just suddenly activated.
|
I am working under the assumption that my login info was never divulged publicly as an account; not taken from another website. I was thinking along the lines of an infected webpage that spread enough trojans to infect enough computers that some contained mmo accounts that could be stolen. Once you login, it grabs your login packet and sends it to their server. So they could get any account they have prepared their trojan for (gw, wow, eve, steam, whatever they wanted really).
So then, what site was it? And if I am wrong, and it came from a single or multiple other sites that we all have accounts on we should be able to single out what we have in common.
|
|
|
All times are GMT. The time now is 02:20 AM // 02:20.
|