PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com - IT Security and Privacy

Botnet Server found with 44 Million Game Credentials

ceo@secureplay.com (SecurePlay) — Fri, 28 May 2010 05:25:00 -0700

Just change your passwords.

Symantec found a server which appears to be a key part of a botnet which has harvested 44 million user names and passwords for online games:

World of Warcraft - 210.000
Aion - 60,000
PlayNC - 2 million (NCSoft's site-wide account)
Wayi Entertainment - 16 million

Symantec focused on an interesting feature of the botnet - it was used as an illicit cloud computing service to validate the quality of the stolen account information using a trojan program called Trojan.Loginck.

Ah, the Internet and its glorious features.

It was unclear how all of these identities were collected, probably via phishing or purchase.

Needless to say, this did represent a substantial dollar value in stolen accounts... millions and millions of dollars.

"44 Million Stolen Game Accounts Uncovered?", http://www.markeedragon.com/content.php/720-44-Million-Stolen-Game-Accounts-

E. Ward (2010), "44 Million Stolen Gaming Credentials Uncovered", http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered

Malware installed on Bank of America ATM Machines

ceo@secureplay.com (SecurePlay) — Tue, 13 Apr 2010 05:38:00 -0700

An employee of Bank of America in North Carolina was charged with installing malware on ATM machines. The software, apparently modified from some malware in Eastern Europe, allowed him to make undetected withdrawals from the affected machines over a seven month period (the withdrawals did not leave a transaction record).

The software, was first found in Russia and the Ukraine, captured PIN and card information from the magnetic strip as well as allowing undetected withdrawals. 16 versions have been found so far and affect ATMs from NCR and Diebold.

Bank of America found the data internally. Potentially, because the records did not balance (a more sophisticated attacker would make sure that the money came out of legitimate customers accounts ... $100 for you, $20 for me, so that the ATM would balance).

Maybe in ATM Hack 2.0

K. Zetter (2010), "Bank of America Employee Charged With Planting Malware on ATMs", http://www.wired.com/threatlevel/2010/04/bank-of-america-hack

via

" Bank Employee Plants Malware on ATMs", http://yro.slashdot.org/story/10/04/09/1240213/Bank-Employee-Plants-Malware-on-ATMs

Forging Public Key Certificates - Why trust a Certificate Authority

ceo@secureplay.com (SecurePlay) — Tue, 30 Mar 2010 05:58:00 -0700

Public key cryptography. Magic. You'd think it was some sort of magic bullet the way a lot of people talk about it.

The real problem with public key cryptography is that anyone can do it.

If you know the math, you can communicate. "Securely", yes, but with no idea who you are talking to.

In order to make public key cryptography useful, you need a system to associate keys with trustworthy (or, at least known) individual.

Welcome to Public Key Infrastructures, and, at their apex, Certificate Authorities.

Certificate authorities simply sign keys for others and associate a person (or organization) with a key.

So far, so good until someone undermines the certificate authority... since a certificate authority can associate any identity with any key, they can take all the "security" out of cryptography.

Apparently governments do this.

Not really surprising.

But, considering how many certificate authorities are out there and how many people work for them, how difficult do you really think it is for a criminal or company, or hacker, or government or anyone to get a public key that says they are who they want to be.

"Government Could Forge SSL Certificates", http://yro.slashdot.org/story/10/03/26/1334254/Government-Could-Forge-SSL-Certificates

Got a High Score? Get Hacked on Xbox Live

ceo@secureplay.com (SecurePlay) — Wed, 24 Mar 2010 05:56:00 -0700

The higher your score, the more you are a target for getting hacked on Microsoft's Xbox Live. High Gamerscore's are both valuable and there is no way to hide them.

Many Xbox Live users have either have money on their account or a credit card tied to their account which can then be used to purchase more games and other entertainment.

... and, of course, some people just want the high score in a game, no matter what AND are willing to pay for it.

Microsoft customer support is often the way these accounts are compromised via classic social engineering techniques.

Phishing for user account information via email is also popular (no surprise).

Interestingly, malicious players can spam a player with friend requests which effectively creates a Denial of Service attack.

S. Kerner (2010), "Hackers Target Xbox Live", http://www.internetnews.com/security/article.php/3842751/Hackers+Target+Xbox+Live.htm

Crooks use HW activation for Zeus Crimeware Kit to fight ... Crooks

ceo@secureplay.com (SecurePlay) — Tue, 23 Mar 2010 05:40:00 -0700

The developers of the Zeus crimeware kit sell their product's base version for $4000. With all the options, it can be $10,000 or more (the Ultimate Edition... just like strong>Windows):

Real-time notification via Jabber - $500
Firefox form entries - $2000
Remote Control / Connection software - $10,000

Oh, and just like Windows, the bot developers use hardware activation so that it is tied only to one computer.

Current version: 1.3.3.7

Version 1.4 coming soon with some awesome features including:

It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.

D. Goodin (2010), "Trojan armed with hardware-based anti-piracy control", http://www.theregister.co.uk/2010/03/12/new_zeus_features/

via

"Malware Authors Learn Market Segmentation From the Best", http://it.slashdot.org/story/10/03/13/0247253/Malware-Authors-Learn-Market-Segmentation-From-the-Best