Symantec Finds Server Containing 44 Million Stolen Gaming Credentials 146
A Symantec blog post reports that the company recently stumbled upon a server hosting the stolen credentials for 44 million game accounts. It goes on to explain how the owners of the server made use of a botnet to process that mountain of data:
"Now it's time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind: 1) Log on to gaming websites 44 million times! 2) Write a program to log in to the websites and check for you (this would take months). 3) Write a program that checks the login details and then distribute the program to multiple computers. Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck's creators have done."
I must be new here (Score:3, Interesting)
I an a little naive to the criminal enterprise that is stolen gaming credentials, but I have to wonder: why does it matter, if you are selling a stolen credential, if it's good or not? Is the buyer really going to come back and demand a refund when it doesn't work? And what real benefit are these, anyway? Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)? Oh for the love of humanity the things people will do in the name of wasting time.
They should post the usernames... (Score:5, Interesting)
They could, as a service to the online community, go ahead and post the usernames that are compromised.
Inflated Numbers Are Misleading (Score:2, Interesting)
Summary (and article) claims "44 million stolen gaming credentials", which sounds like a lot of us English-speaking and English-game-playing Slashdot readers.
However, in the article, they analyze "a particular sample", with about ~18.3 million accounts in it. Of those ~18.3 million, ~16 million of them were game accounts for "Wayi Entertainment", which is an Asian company. They have no English website, that I can tell, and I think it's a safe assumption there are no English counterpart to these games.
So we're mainly talking about accounts for crazy Asian freemium sprite-based "MMO's". There were only ~210,000 World of Warcraft accounts, most of which, I assume, are also for the Chinese version of the game.
So if you're reading this, I'm going to go out on a limb and say your account is probably safe.
Re:And if I did this... (Score:5, Interesting)
OK, so Symantec "recently stumbled upon a server hosting...".
What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?
So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?
Symantec and many other companies set up honeypot computers.
The honeypot gets infected, Symantec pulls apart the trojan and studies its web traffic.
This usually leads to the dumpsite where the trojan is uploading the data.
Many botnet/trojan masters don't bother to encrypt their data dumps or secure the server hosting it.
And even if they did, are they going to sue Symantec for unauthorized access?
Re:They should post the usernames... (Score:5, Interesting)
I used to have a lot of fun with that, when I was the sysadmin for a large site. It seemed every script kiddie wanted the password to it. It showed up regularly on passwordz sites. We had a whole bunch of triggers to detect and resecure accounts. One of the easy and obvious ones was to let them post it, and catch it afterwards (usually within seconds of being posted). The legitimate account holder got a notification that we changed their password to a secure one. Everyone else just sat there and wondered how we'd catch them so fast.
That trigger was pretty low on the list though. My favorite was to catch 'em scanning for passwords. If they tried say 1000 wrong passwords in a short period, but got one or two right, we'd let them keep scannning for a while, and then block their access to the server. (iptables drop rule). Then the program would figure out which passwords they actually got right, change those, and notify the account holder of their new password. :) It was always fun to see what the delay was between them finding a password, and when it started being used from passwordz sites. In those cases, we always had the account secured before they had time to post it. The typical time from being scanned to being posted was about 12 hours. The typical time for us to reissue the passwords was less than 5 minutes.
I can't imagine online game places wouldn't have something similar. Brute force attacks are just too easy, and people will always try them. How many different usernames can a person really try before you know that they're just brute force attacking.
Re:I must be new here (Score:1, Interesting)
It took me a stack of 20 Mageweave Cloth to make 1000 pg once...
It was in my first uses of auctioneer add-on in which by mistake I’ve had put 50 pg per unit instead of 50 pg per stack.-
Surprisingly someone bought it. Ahh!!, the good old business days and the beginners luck, beautiful combination.-
Re:And if I did this... (Score:4, Interesting)
You know "IMHO" can sometimes be interpretted as "honest" and not "humble" right?
Re:And if I did this... (Score:3, Interesting)
OK, so a compromised machine was pointing to the server.
That somehow gives them the right to go rummage through that server uninvited, reading and analyzing what they found and publishing it? Now, I know the vigilante in all of us wants to say "yes", but it's not clear to me that the law permits that kind of activity. And I stand by my statement that, if I did it, I'd end up a very unhappy puppy.
Let's imagine that I find some Symantec product on my machine that I didn't install, and I find a server address in the code. Does that give me the right to go pillage Symantec's machine and publish information about what I'd found?