Symantec Finds Server Containing 44 Million Stolen Gaming Credentials 146
A Symantec blog post reports that the company recently stumbled upon a server hosting the stolen credentials for 44 million game accounts. It goes on to explain how the owners of the server made use of a botnet to process that mountain of data:
"Now it's time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind: 1) Log on to gaming websites 44 million times! 2) Write a program to log in to the websites and check for you (this would take months). 3) Write a program that checks the login details and then distribute the program to multiple computers. Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck's creators have done."
or... (Score:1, Insightful)
4) Sell them in bulk, untested.
Re:I must be new here (Score:4, Insightful)
Probably not, but reputation must be worth something in criminal enterprises. Giving out a bunch of bogus products kills the word-of-mouth.
And what real benefit are these, anyway? Well, all the criminal has to do is sell off the account for less than the game costs up-front. They make pure profit and people willing to buy stolen games get a discount. Steam accounts could probably be quite lucrative, for instance.
And if I did this... (Score:3, Insightful)
OK, so Symantec "recently stumbled upon a server hosting...".
What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?
So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?
And the penalty if I did that is, what, 5 years in federal PMITA prison?
There is something wrong in this world.
Re:I must be new here (Score:5, Insightful)
Oh for the love of humanity the things people will do in the name of wasting time.
One man's wasted time is another man's Sistine Chapel, or pornography collection, or fictitious language for a fantasy book series.
From the moment you open your eyes in the morning until you close them at night you're passing time. Whether or not it is wasted depends entirely on whether or not you regret how you spent it.
Re:And if I did this... (Score:5, Insightful)
And the penalty if I did that is, what, 5 years in federal PMITA prison?
There is something wrong in this world.
You're quite wrong. This is an example of one of the few somethings that is right in this world. Selective enforcement is designed into the system, along with jury nullification, to help the laws achieve ends that keep the public they support happy. Any "completely fair" application of the law would make it unworkable in very short order.
Could you imagine a robot issuing you indecency citations every time you pass gas in public? Could you imagine a police officer doing the same if you passed gas into a megaphone-amplified-sound-system aimed at, say, an Inaugural speech? Context is key, and thankfully so.
Re:And if I did this... (Score:3, Insightful)
Re:I must be new here (Score:3, Insightful)
I can't imagine how they could sell those individually to gamers. For them it makes more sense to single out invalid accounts and to sell large blocks to less skilled criminals at a premium. Just like in the normal business world one would pay more than twice for a product which has a 0% failure rate instead of 50%. Of course one could just pretend that all accounts are valid, but word of mouth would be your least least problem in that scenario ;)
Re:And if I did this... (Score:1, Insightful)
> OK, so Symantec "recently stumbled upon a server hosting...".
> What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?
> So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?
Yeah, it's not like Symantec reverse engineered a trojan that was attracting their attention (Trojan.Loginck), analyzed its traffic, did their "mumbo-jumbo" on it and came across a server hosting *all* the accounts (which would mean a mistake by the trojan's creators I assume, hence the "stumbling upon," given that a distributed trojan is pretty much a clever thing), and was startling as it held 44 MILLIYUN accounts.
No.
They must've written a crawler.
We're not paranoid.
Re:And if I did this... (Score:2, Insightful)
Selective enforcement is what creates tyranny and allows those in authority undue power in determining who's looked after and who isn't.
Re:And if I did this... (Score:4, Insightful)
You say that any completely fair application of the law would make it unworkable. That is the biggest pile of bullshit I've seen on
Re:And if I did this... (Score:1, Insightful)
OK, so Symantec "recently stumbled upon a server hosting...".
No.
What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?
No.
So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?
No. Looks like they took a shufty through a promiscuous database server that didn't mind them running their fingers through it's long, flowing indexes.
And the penalty if I did that is, what, 5 years in federal PMITA prison?
Was the server asking for it? Or was it wearing a chastity belt?
There is something wrong in this world.
Yeah. It is full of ignorant assburger geeks who start spouting assumptions after skimming the summary instead of RTFA and also full of ignorant assburger moderator geeks who mod the aforementioned hasty assumption-spewing assburger geeks as insightful when they're being anything but.
Maybe the world would be different if there was a "-1, Didn't bother to read the article before commencing outraged rant on the injustice of it all" mod?
Re:They should post the usernames... (Score:3, Insightful)
Re:And if I did this... (Score:3, Insightful)
I lol'ed. :P
Re:They should post the usernames... (Score:2, Insightful)
What would be the point of publishing a 500 MB (@~11 chars/user) text file? And how would they do that? If anyone gives a shit about their account, they'll just change their password as soon as they hear about this.
Also, let's do some statistics, shall we? Let's say there are 20 million WoW accounts (pulled the number out of my ass, Wikipedia said 12 million in 2008). There are also 0.2 million stolen WoW accounts. The chance of your account being compromised is 100:1. Pretty high, if you ask me, so just scan your computer online with an antivirus [google.com] if you don't have one installed, change your password and stop asking for stupid stuff in the name of the community (what community?!?).
Re:And if I did this... (Score:3, Insightful)
Selective enforcement is designed into the system
[citation needed] Can you cite a single government document that says this? "Selective enforcement" does in fact exist, but it is almost always used unfairly. It's an excuse to target the poor or minorities and let the rich and powerful off the hook.
Sometimes they have "zero tolerance" policies in place in my city, and they're always in place in the ghetto. This coountry was NOT started with the concept of "selective enforcement" in mind, it was started with the concept that "all men are created equal" and that all people should be treated equally.
If I shoot and kill a rapist I should go to prison for murder. Period. No exceptions. They can't enforce all the laws? Well, maybe they should repeal a few of them.
Re:And if I did this... (Score:3, Insightful)
"Selective enforcement" does in fact exist, but it is almost always used unfairly.
Selective enforcement, by definition, is ALWAYS used unfairly. Sort of like how water is wet.
Re:Games and security... (Score:3, Insightful)
But it ended up that he eventually figured out that a server admin had poisoned a Web-downloadable .exe map pack file with a trojan that scraped some account info off files while running a keylogger to get anything that the scraper missed. These hackers are usually on top of their game
That's one step above coldcalling your friend and asking for his credentials. These aren't "hackers" "on top of their game"...your bud is just a complete moron.