Slashdot Mirror


Symantec Finds Server Containing 44 Million Stolen Gaming Credentials

A Symantec blog post reports that the company recently stumbled upon a server hosting the stolen credentials for 44 million game accounts. It goes on to explain how the owners of the server made use of a botnet to process that mountain of data: "Now it's time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind: 1) Log on to gaming websites 44 million times! 2) Write a program to log in to the websites and check for you (this would take months). 3) Write a program that checks the login details and then distribute the program to multiple computers. Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck's creators have done."
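The summary's point about per-IP blocking being sidestepped by spreading attempts over many addresses is, from the defender's side, a detection problem: a rule keyed on one source address never fires when each address makes a single attempt. As an added example, not from Symantec's post or any game site's code, the Python below runs two rules over constructed log lines: the per-address lockout the post mentions and an aggregate rule that flags a burst of failures from many distinct addresses. The log format, thresholds and function names are assumptions for the example.

```python
import datetime as dt
from collections import Counter

# Constructed sample of authentication log lines (not from Symantec's post or any real
# game site): "timestamp source_ip account result". One attempt per source address,
# which is exactly the pattern a distributed checker produces.
SAMPLE_LOG = """\
2010-05-26T10:00:01 203.0.113.10 alice FAIL
2010-05-26T10:00:02 203.0.113.11 bob FAIL
2010-05-26T10:00:03 203.0.113.12 carol OK
2010-05-26T10:00:04 203.0.113.13 dave FAIL
2010-05-26T10:00:05 203.0.113.14 erin FAIL
2010-05-26T10:00:06 203.0.113.15 frank FAIL
2010-05-26T10:00:07 203.0.113.16 grace FAIL
2010-05-26T10:00:08 203.0.113.17 heidi OK
2010-05-26T10:00:09 203.0.113.18 ivan FAIL
2010-05-26T10:00:10 203.0.113.19 judy FAIL
2010-05-26T10:00:11 198.51.100.7 mallory OK
"""


def parse_log(text):
    """Turn the text log into (timestamp, ip, account, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((dt.datetime.fromisoformat(ts), ip, account, result == "OK"))
    return sorted(events)


def per_ip_lockouts(events, threshold=5):
    """Classic per-address rule: lock out any IP with `threshold` or more failures."""
    failures = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def distributed_stuffing_windows(events, window_seconds=60, min_failures=8, min_distinct_ips=8):
    """Aggregate rule: flag any window in which many failures arrive from many distinct
    addresses, even though no single address ever crosses the per-IP threshold.
    Returns (window_start, failure_count, distinct_ip_count) for each flagged window."""
    window = dt.timedelta(seconds=window_seconds)
    flagged = []
    for i, (start, _, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start < window]
        failures = [e for e in in_window if not e[3]]
        distinct_ips = {e[1] for e in failures}
        if len(failures) >= min_failures and len(distinct_ips) >= min_distinct_ips:
            flagged.append((start, len(failures), len(distinct_ips)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(evs))  # [] : the per-address rule never fires
    for start, fails, ips in distributed_stuffing_windows(evs):
        print(f"{start}: {fails} failures from {ips} distinct IPs in one window")
```

On the sample, the per-IP rule returns nothing because every address fails at most once, while the windowed rule reports eight failures from eight addresses inside a single minute. In practice the aggregate thresholds would be tuned against the site's normal failure rate rather than fixed as here.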

146 comments

  1. Symantec stumbled by Anonymous Coward · · Score: 0

    Symantec stumbled upon a server hosting the stolen credentials for 44 million game accounts. On their own LAN!

    1. Re:Symantec stumbled by KovaaK · · Score: 1

      Although a little outdated, mmogchart had the total number of active MMO subscriptions at less than 20 million in 2008. Makes you wonder 1) what % of those 44 million are inactive accounts, and 2) what do they do when they find an inactive account - scrap it, save it, or purchase an untraceable game-time card to reactivate?

      If their methods for stealing logins are that advanced, do you think they have some sort of organization of those inactive accounts by likelihood of them containing enough loot to be worth it?

    2. Re:Symantec stumbled by Anachragnome · · Score: 2, Informative

      My WoW account was inactive for a year and a half.

      It was also hacked, months after I canceled my subscription. No idea how.

      So, in short, they sit on the account info and wait until it is inactive. This way they are less likely to be noticed as they link the WoW account to a battle.net account that they control. They also PAY to have the stolen account reactivated and thus raise no flags with Blizzard. It looks like someone simply reactivated the account as far as Blizzard is concerned.

      Once they have the account, and they are pretty sure nobody will be using it anytime soon (except them), they turn your best toon into a miner/herbalist and set it up to bot its way to mountains of ore/herbs. All the resources were simply mailed to another of my toons and auctioned or passed onto yet another toon on another account.

      I chose to reactivate my account while the guy was full-steam-ahead. He had dropped my enchanting on my hunter (already had 375 herbs), paid for the WotLK expansion so he could get both herbalism and mining skills to 450. He didn't touch any of my other toons, except for a level 2 in Stormwind.

      After Blizzard was done restoring my account they left the hunter with 450 Herbalism, reset the enchanting and replaced his items. He also had about 3k in gold more than he did when I canceled.

      The joy was on the level 2. STACKS and STACKS of ore that the hacker mailed to another toon came back in the mail. This worked out great as I wanted to roll a new toon with engineering. All told, I logged back in about 6k richer, more than enough to get back into the swing of things.

      At least that is what happened to my account.

    3. Re:Symantec stumbled by sortius_nod · · Score: 1

      Yeh, I had a guy in my old guild get hacked. He came back to a lvl 85 with epic flying and 5k more gold than he had before.

      Then you have others that get hacked, have their accounts transferred to other servers and lose everything.

      It can go either way.

    4. Re:Symantec stumbled by QuantumBeep · · Score: 1

      Level 85?

    5. Re:Symantec stumbled by Anonymous Coward · · Score: 0

      I call BS, unless you are talking about a different game than WoW, since 80 is the max level. And even if they transferred the toon to another server, Blizzard can still restore your account to how it was before it was hacked, so you never "lose everything".

    6. Re:Symantec stumbled by JDeane · · Score: 1

      Well maybe he is from the future come to warn us of the coming WoW hacking apocalypse !!!

      I hear the expansion has a new level cap of 85 lol

    7. Re:Symantec stumbled by fishexe · · Score: 1

      They also PAY to have the stolen account reactivated and thus raise no flags with Blizzard...All told, I logged back in about 6k richer, more than enough to get back into the swing of things.

      At least that is what happened to my account.

      Whoa. It's brilliant! Pay for someone else's account to be reopened, and spend time making the unsuspecting victim richer. They're criminal masterminds!

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    8. Re:Symantec stumbled by Anonymous Coward · · Score: 0

      Agreed, Blizzard's actually gotten quite efficient at restoring hacked accounts completely, and I know several people who are very thankful for this fact.

      Though it is sad that they've had so much experience with the issue that they've gotten so efficient at it.

    9. Re:Symantec stumbled by hesaigo999ca · · Score: 1

      I wonder about this, this costs a lot of money for someone to activate your account for you....and use it to farm maybe $20 a month (= to 10,000 gold?) worth of gold, if they are good....and even then would not Blizzard realize something is up if the IP address is now playing from China instead of the US???
      I was also thinking if you had your account hacked when it was deactivated, trying to log onto it once in a while during the time it is deactivated should be good, as well as changing the password to your account once a week, keeps it rolling with activity.

      One question for you though, when you went to reactivate your account to log in, did it not show you how much time you had left (and pop up a flag in your head) as being activated and expiring on a date greater than the day you were trying to activate it???

    10. Re:Symantec stumbled by Anachragnome · · Score: 1

      "I wonder about this..."

      Keep in mind that that account was probably being used by several people, 24/7. 10k gold is nothing to these guys. They can whip it up pretty quick, especially since they are using Bots. At that point, it is just a computer generating money. As long as the numbers balance to the black, all is good and it was worthwhile.

      The IP is more than likely going through a controlled proxy, giving the appearance that the account is being accessed from the US.

      We are talking US dollars in a Chinese economy, so your preconceptions about what is worth a dollar are probably a bit skewed compared to a Chinese person's perception of a buck.

      I had no idea I was hacked until I spoke to Blizz reps. I tried to merge an old WoW account with a freshly created battle.net account(they didn't exist when I first played and were not required), and it simply wouldn't let me. Probably because it was already tied to another battle.net account.

      I had no intention of going back to WoW when I quit, so why would I keep checking on the account? I stopped "prepping accounts for reactivation" when I quit playing Ultima Online (the last time, that is...).

    11. Re:Symantec stumbled by hesaigo999ca · · Score: 1

      good to know, tyvm....
      will keep my eyes peeled as i am intending to come back to wow once cat. comes out...

  2. I must be new here by jeffmeden · · Score: 2, Interesting

    I am a little naive to the criminal enterprise that is stolen gaming credentials, but I have to wonder: why does it matter, if you are selling a stolen credential, if it's good or not? Is the buyer really going to come back and demand a refund when it doesn't work? And what real benefit are these, anyway? Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)? Oh for the love of humanity the things people will do in the name of wasting time.

    1. Re:I must be new here by Monkeedude1212 · · Score: 4, Informative

      Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)? Oh for the love of humanity the things people will do in the name of wasting time.

      No, this is often the people who STOLE the creds, log in, and sell the E-loot for REAL money. If you've never played WoW, Eve, or Runescape for more than a Month, I wouldn't expect you to understand. But this is a problem that does occur regularly.

    2. Re:I must be new here by rocket97 · · Score: 1

      I can't say for other games, but for World of Warcraft, they sell the in-game items for in-game currency, and then turn around and sell the in-game currency for actual real currency. There are several websites set up that sell "X gold for $y".

      --
      "The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
    3. Re:I must be new here by Monkeedude1212 · · Score: 1

      Not to mention the selling of characters, which does happen on occasion.

    4. Re:I must be new here by keithjr · · Score: 3, Insightful

      Is the buyer really going to come back and demand a refund when it doesn't work?

      Probably not, but reputation must be worth something in criminal enterprises. Giving out a bunch of bogus products kills the word-of-mouth.

      And what real benefit are these, anyway? Well, all the criminal has to do is sell off the account for less than the game costs up-front. They make pure profit and people willing to buy stolen games get a discount. Steam accounts could probably be quite lucrative, for instance.

    5. Re:I must be new here by interkin3tic · · Score: 2, Informative

      Is the buyer really going to come back and demand a refund when it doesn't work?

      While I'd guess it's not impossible to just fake the account details, and maybe people do that, it could just be that these particular people found it is just more profitable to be legitimate after stealing the account for a variety of reasons. These are legitimate auction sites according to TFA.

      Just guessing, but you see an account you'd like to get on the auction site, check to see if that character is actually good or has good equipment on WOW or whatever. If it isn't, no bid. If you buy it and the login doesn't work, I guess you first might cancel the transaction on your credit card or report it to PayPal, the auction house bans that user from selling again, they'd have to start over with a new auction account with a lower user feedback rating.

    6. Re:I must be new here by Anonymous Coward · · Score: 0

      I can't say for other games, but for World of Warcraft, they sell the in-game items for in-game currency, and then turn around and sell the in-game currency for actual real currency. There are several websites set up that sell "X gold for $y".

      Exactly.. and at rates that would be very difficult to make a profit from had they farmed the gold in game legitimately. It's around $5-6 per 1000g now, which unless you're very lucky, will take several hours to get. Compound this by the hundreds of servers on which they'd have to keep a decent supply of gold in stock, and it becomes nearly impossible to keep up a business without stealing from hordes of accounts.

      8D

    7. Re:I must be new here by BobMcD · · Score: 4, Insightful

      Oh for the love of humanity the things people will do in the name of wasting time.

      One man's wasted time is another man's Sistine Chapel, or pornography collection, or fictitious language for a fantasy book series.

      From the moment you open your eyes in the morning until you close them at night you're passing time. Whether or not it is wasted depends entirely on whether or not you regret how you spent it.

    8. Re:I must be new here by Ephemeriis · · Score: 1

      Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)?

      This is typically what happens.

      In WoW, for example, they'll sell off all your nifty loot for gold. Then they'll transfer the gold to some other character and leave you sitting naked and penniless in the auction house.

      They will then sell those huge piles of ill-gotten gold for real-world dollars.

      People will actually pay real cash for in-game cash.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    9. Re:I must be new here by jgagnon · · Score: 2, Funny

      It's a little easier than that... all they have to do is use hordes of 3rd world labor at low rates to farm and auction what they get, especially if they work on commission.

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    10. Re:I must be new here by royallthefourth · · Score: 1

      You'd find something else to do, just like anyone with a normal psyche. This stuff does hold the potential for addiction, which for most of these people is the only explanation for their obsessive behavior.

      Think about it: nobody really wants his life to be sitting in a chair wasting time and just waiting for death to come a little closer. Nonetheless, this is the behavior of folks with addictions.

      Actually, that description sounds like having a (white collar) job. I produce nothing of value, but here I am, helping my employer to shuffle piles of dollars into his pocket while I get enough to pay the rent. Nobody else gets a useful product or service out of it. I do it most days, but it feels like in a sane world I would be doing something that actually has tangible benefit or is personally enriching.

    11. Re:I must be new here by Anonymous Coward · · Score: 0

      Actually, that description sounds like having a (white collar) job. I produce nothing of value, but here I am, helping my employer to shuffle piles of dollars into his pocket while I get enough to pay the rent. Nobody else gets a useful product or service out of it. I do it most days, but it feels like in a sane world I would be doing something that actually has tangible benefit or is personally enriching.

      You work on wall street? Boy, I feel for ya!

      wink

    12. Re:I must be new here by nbert · · Score: 2, Insightful

      Probably not, but reputation must be worth something in criminal enterprises. Giving out a bunch of bogus products kills the word-of-mouth.

      I can't imagine how they could sell those individually to gamers. For them it makes more sense to single out invalid accounts and to sell large blocks to less skilled criminals at a premium. Just like in the normal business world one would pay more than twice for a product which has a 0% failure rate instead of 50%. Of course one could just pretend that all accounts are valid, but word of mouth would be your least problem in that scenario ;)

    13. Re:I must be new here by mlts · · Score: 1

      This is very common in WoW. It usually goes like this:

      1: Someone visits a website which is either legit but gets served up a fake ad via an ad-rotator, or the site is using exploits directly. Either way, a keylogger gets downloaded. It can be an add-on that just logs keys in the background and ends when the Web browser is closed and is not even installed on the system.

      2: The keylogger grabs the WoW password.

      3: The account is grabbed, password and other info is changed.

      4: The higher level characters have their gear sold for in game currency, and are used as mining bots, mailing the mined loot to another hacked account, and put on the auction house for people to buy. This continues until people notice the hacked accounts (characters running through walls, jumping below the ground level, or just warping) and the account gets banned.

      5: The game currency is then sold for real life currency, or the accounts are sold to suckers.

      Of course, Blizzard has a solid solution to protect against this: Plunk down $6.50 for a Blizzard Authenticator or download and use an app for the iPhone or Android. With two-factor authentication, a keylogger will not be able to seize a WoW account, although every other account on the system is at risk. Anyone who is serious about security should get secondary authentication.

      Ultimately, banks and other MMO companies need to get on this bandwagon and offer a secondary authentication mechanism.
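The reason the authenticator mlts describes defeats a keylogger is that the logger captures only the static password, while the second factor is a short-lived code derived from a shared secret and the current time step, so a captured code is useless once the step has passed. As an added example (not Blizzard's, Symantec's or any vendor's code), here is a Python server-side verifier implementing HOTP (RFC 4226) and TOTP (RFC 6238) next to a password check, with one step of clock tolerance, and going one step beyond the comment by also rejecting a code that has already been accepted. The salt, password-hash parameters and class name are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step)


class TwoFactorVerifier:
    """Server-side login check that requires both the password and the current code.
    The salt and PBKDF2 parameters below are constructed for this example."""

    def __init__(self, password: str, totp_secret: bytes):
        self._salt = b"constructed-salt"
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._secret = totp_secret
        self._last_step = -1  # highest time step already accepted; a reused code is refused

    def login(self, password: str, code: str, unix_time: float) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return False
        step = int(unix_time) // STEP_SECONDS
        for s in (step - 1, step, step + 1):  # tolerate one step of clock drift either way
            if s > self._last_step and hmac.compare_digest(hotp(self._secret, s), code):
                self._last_step = s
                return True
        return False


if __name__ == "__main__":
    # Shared secret from the RFC 4226/6238 test vectors; "hunter2" is a constructed password.
    secret = b"12345678901234567890"
    server = TwoFactorVerifier("hunter2", secret)
    t = 59  # inside time step 1, whose code is 287082 per the RFC vectors
    print("password only:", server.login("hunter2", "", t))           # False
    print("password + code:", server.login("hunter2", totp(secret, t), t))  # True
    print("same code again:", server.login("hunter2", totp(secret, t), t))  # False (replay)
```

The values used in the script are the published RFC test vectors, so the HOTP/TOTP part can be checked against the standard independently of this page. In a real deployment the secret is provisioned to the user's device once and the server stores it alongside the password hash; the point the example makes is that a logged password never gets past the second branch of `login`.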

    14. Re:I must be new here by Anonymous Coward · · Score: 0

      Trolling on slashdot might be slightly higher on the list, even.

      We can see that.

    15. Re:I must be new here by ch-chuck · · Score: 1

      I wonder if anyone has ever filed a police report for stolen e-goods?

      I can just see the officer's face taking a report about stolen gold as it slowly dawns on him it's from a video game.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    16. Re:I must be new here by Anonymous Coward · · Score: 0

      I must agree with you - I came to this realization a number of years ago after I was laid off. Thanks to the fantastic EI system in Canada, I was able to go back to school for 8 months and reconsider my life.

      What was I really creating that benefits the world (different than benefitting humanity/people)? I came to the conclusion: not much.

      I checked out geekcorps (http://www.geekcorps.org/) and got in touch with them. Unfortunately they didn't have anything for me until nearly a year later, but by then I had met a great woman (now my wife), and she wasn't ready to live in Cote d'Ivoire or Mongolia for 6-10 months, and I have had to push out my plans for going back to school to teach.

      I realized that teaching is one way I could bring a benefit to the world and humanity, but lack the education to do so, and from seeing friends and family struggle as teachers in a country (at least in my home province, BC) bent on destroying any glimmer of hope of having a decent education system.

      Anyway, this ended up being quite the rant, but I wholeheartedly agree. I feel that I'm well paid, but well paid for doing what? Making sure someone else is well paid, basically. :)

    17. Re:I must be new here by BobMcD · · Score: 0, Troll

      You'd find something else to do, just like anyone with a normal psyche. This stuff does hold the potential for addiction, which for most of these people is the only explanation for their obsessive behavior.

      You have no idea. MMO's are new, and new things tend to get noticed, but hobbies that waste zillions of hours and dollars are anything but new. Look at the cost and time involved in, say, rebuilding an old car. Finding all the parts, tearing down, cleaning, rebuilding, tuning, paint and polish. All for what, a car worth at most $10k? For what cost of labor and materials?

      Look also at the cost of raising a family. Much, much, much more expensive to have spawns running around than it would be just to rent a lot of porno.

      Think about it: nobody really wants his life to be sitting in a chair wasting time and just waiting for death to come a little closer. Nonetheless, this is the behavior of folks with addictions.

      Actually, that description sounds like having a (white collar) job. I produce nothing of value, but here I am, helping my employer to shuffle piles of dollars into his pocket while I get enough to pay the rent. Nobody else gets a useful product or service out of it. I do it most days, but it feels like in a sane world I would be doing something that actually has tangible benefit or is personally enriching.

      The key difference, for me anyway, in what you're describing and the virtual world is choice. I get to decide who I work with in that world - not so much in this one. I can say and do as I please. I can unplug whenever I want. I can even fire up a completely different game at a moment's notice, and come back to this one without any hard feelings. Even within the one game I can level a new character, explore a new facet of the game itself, or invent things to do out of thin air. I never need to buy special equipment, never need to replace anything, and can have an amazing variety of activities involving literally fifty different people (at a minimum), all from that same comfortable spot on the couch.

    18. Re:I must be new here by DarkIye · · Score: 1

      Is the buyer really going to come back and demand a refund when it doesn't work?

      If enough money changes hands (they'll be bought and sold in tens or hundreds of thousands), the buyer's retaliation would probably be to have the seller whacked.

    19. Re:I must be new here by Anonymous Coward · · Score: 0

      You have no idea. MMO's are new, and new things tend to get noticed, but hobbies that waste zillions of hours and dollars are anything but new. Look at the cost and time involved in, say, rebuilding an old car. Finding all the parts, tearing down, cleaning, rebuilding, tuning, paint and polish. All for what, a car worth at most $10k? For what cost of labor and materials?

      Look also at the cost of raising a family. Much, much, much more expensive to have spawns running around than it would be just to rent a lot of porno.

      Ah, er, if you are comparing the endgame in having a family to that of a porno, either you are watching some messed up pornos or you are doing it all wrong.

    20. Re:I must be new here by Capt.+Skinny · · Score: 1

      Not sure, but there have been lawsuits over stolen e-goods: http://blogs.pcworld.com/staffblog/archives/005816.html

    21. Re:I must be new here by Anonymous Coward · · Score: 0

      http://www.geek.com/articles/news/virtual-goods-theft-leads-to-3-years-in-jail-20090526/

      First hit when using a fairly large search engine whose name begins with a 'g' with the keywords "Stolen virtual goods".

    22. Re:I must be new here by Drakkenmensch · · Score: 1

      When the hired thugs come by your dark alley where you conduct your stolen credential business and complain about the quality of your premium stolen information, would you prefer they break your arms or your legs?

    23. Re:I must be new here by Anonymous Coward · · Score: 0

      So these aren't the people wasting time.... these are the people who are stealing from the people who are wasting time.

    24. Re:I must be new here by BobMcD · · Score: 1

      Ah, er, if you are comparing the endgame in having a family to that of a porno, either you are watching some messed up pornos or you are doing it all wrong.

      That'd be the point, wouldn't it?

      I'm illustrating a cost-benefit vs the specific short-term need.

    25. Re:I must be new here by idontgno · · Score: 1

      Oh for the love of humanity the things people will do in the name of wasting time.

      Quoth second poster on a slashdot gaming article...

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    26. Re:I must be new here by rednip · · Score: 1

      Is the buyer really going to come back and demand a refund when it doesn't work?

      No, but it would be impossible to sell him a bigger list if the test account comes up empty. No one who would give any real good price for a large 'batch' of accounts would start out by 'testing' a 'supplier'. It shouldn't be surprising that, even to criminals, guaranteed results have a monetary value. e.g. If you stole an apartment super's keyring, you could break into each home yourself. However, few pickpockets like yourself have the stones for burglary, so instead you sell them to someone who will. If you sold fake keys, you might get a buyer now and again, maybe it'd even be worth the trouble. Working keys could actually generate a bidding war.

      --
      The force that blew the Big Bang continues to accelerate.
    27. Re:I must be new here by Anonymous Coward · · Score: 1, Interesting

      It took me a stack of 20 Mageweave Cloth to make 1000 pg once...
      It was in my first uses of the Auctioneer add-on, in which by mistake I had put 50 pg per unit instead of 50 pg per stack.
      Surprisingly someone bought it. Ahh!!, the good old business days and beginner's luck, beautiful combination.

    28. Re:I must be new here by Zen+Hash · · Score: 1

      Many farming operations also use bots so that their workers can manage multiple characters simultaneously instead of only one at a time.

      --
      Here I sit, all broken hearted.
      Came to poop, but only farted.
    29. Re:I must be new here by Anonymous Coward · · Score: 0

      No they sell them in bulk to interested parties who then examine each of the accounts individually.
      It works just like people with bulk credit card info.
      They gather a bunch and sell them in bulk sections to other people who do the dirty work of frauding them.
      At least that's how it sounded like after reading some of the articles about that big credit card underground site that got busted awhile back.

    30. Re:I must be new here by Anonymous Coward · · Score: 0

      So I can pay 30 EUR for the game, 20 for each expansion pack and if I want to actually keep all the stuff I earned while I played I have to pay even more? What sort of horse shit is that? Why isn't the authenticator part of what I am paying for?

    31. Re:I must be new here by pellik · · Score: 1

      This is exactly why real money trade is so prevalent in MMORPGs. Typically the end-game material is the most enjoyable part of these games, where teamwork and friendship are really necessary to succeed and the multiplayer aspect really shines. However, getting to the endgame (really fun) part of these games takes more time than adults can generally commit. For the amount of money you earn in an hour or two at work you can buy the product of a day of labor in the game.

    32. Re:I must be new here by orient · · Score: 1

      Is the buyer really going to come back and demand a refund when it doesn't work?

      It depends on the customer: some might not care, some might want a refund, some might want to skin you alive for disrespecting them...

      --
      Laudele lor desigur m-ar mahni peste masura.
    33. Re:I must be new here by Anonymous Coward · · Score: 0

      Also, with most people being what they are, if you have their WoW account name and password, you also have the account name and password for their bank accounts, their credit cards, their brokerage account, etc.

    34. Re:I must be new here by cowscows · · Score: 1

      Seriously. Here's a system that, if put into widespread use, would not only make their game more appealing to players, but should also decrease their support costs by significantly reducing an issue that is a complete pain in the ass for all parties involved.

      How many people does Blizzard employ just to spend all day taking care of hacked account related issues? They should be doing everything they can to make that problem go away.

      --
      One time I threw a brick at a duck.

    35. Re:I must be new here by ImprovOmega · · Score: 1

      Or you have to be smart enough not to visit shady websites that result in keyloggers getting installed on your system.

    36. Re:I must be new here by Anonymous Coward · · Score: 0

      I am a little naive to criminal enterprise of ANY kind, so I have to wonder: why does it matter, if you are selling black market goods, if you actually deliver them or not? Is the buyer really going to come back and demand a refund when it doesn't work?

      I edited that to illustrate exactly how naive you really are, and to make the question more valid.

      The answers are:
      1. Yes, it matters.
      2. Because they will probably come back and KILL you.

      This is the black market. The people you deal with aren't going to ask to speak with your manager, or fill out a "feedback survey" and mail it back to company HQ.

      +3 Interesting? Jesus Fucking Christ.

    37. Re:I must be new here by _Sprocket_ · · Score: 1

      Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)?

      It's about cold, hard cash. The e-loot and e-dollars are worth hard currency; mainly because you can trade e-dollars for it. From a somewhat aged article on the BBC in 2007:

      Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.

      One card can be sold for up to $6 (£3) suggests Symantec, but a WoW account will be worth at least $10. An account that has several high level characters associated with it could be worth far more as the gold and rare items can be sold for real cash.

      Cory Doctorow has even turned the concept into a novel called For The Win (far more fictional than educational - but there are echoes of reality to be found).

    38. Re:I must be new here by fishexe · · Score: 1

      Oh for the love of humanity the things people will do in the name of wasting time.

      One man's wasted time is another man's Sistine Chapel, or pornography collection, or fictitious language for a fantasy book series.

      I don't think that last example really helps your case...

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    39. Re:I must be new here by Samah · · Score: 1

      From the moment you open your eyes in the morning until you close them at night you're passing time. Whether or not it is wasted depends entirely on whether or not you regret how you spent it.

      I think this is possibly the most profound and insightful quote I've read in the past year. Kudos to you, good sir/madam.

      --
      Homonyms are fun!
      You're driving your car, but they're riding their bikes there.
    40. Re:I must be new here by Anonymous Coward · · Score: 0

      1: Someone visits a website which is either legit but gets served up a fake ad via an ad-rotator, or the site is using exploits directly. Either way, a keylogger gets downloaded. It can be an add-on that just logs keys in the background and ends when the Web browser is closed and is not even installed on the system.

      That's quite rare. The usual infection method is through random warez downloads, e.g. someone downloads Crysis and their WoW account goes kaput...Or through a hack program, e.g. someone downloads a RuneScape bot and then loses their account.

      Infections through legitimate sites should involve law enforcement, though probably not through the end user.

    41. Re:I must be new here by Anonymous Coward · · Score: 0

      Your account can be worth real world money, as there are always idiots who buy the items/gold.

      In WOW what normally happens to a hacked account.
      - Password is changed.
      - All characters are logged in.
      - Anything that isn't locked to the character is sold for gold or put onto the AH for sale at a cheap price.
      - That gold is used to buy a number of items on the Auction House. Some of the items are put there by the hacker so they can launder the money.
      - Sell items and repeat. They don't get all the gold but most of it.
      - Delete the character.
      - Create random characters for the server
      - Move those characters to major towns and get spam gold adverts.
      - Get banned.

      Start on next account.

    42. Re:I must be new here by hitmark · · Score: 1

      people will pay just about anything for a "performance enhancement"...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    43. Re:I must be new here by drinkypoo · · Score: 1

      Or you have to be smart enough not to visit shady websites that result in keyloggers getting installed on your system.

      Or you have to be smart enough not to buy games from shady companies that designed a game with a built-in protection racket. It's not like they can't restore your character to an earlier point. And if they can't, their game blows.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    44. Re:I must be new here by Stan92057 · · Score: 1

      I agree, and too many people waste too much time deciding what is and isn't a waste of other people's time.

      --
      Jack of all trades, master of none
    45. Re:I must be new here by Nyder · · Score: 1

      I am a little naive to the criminal enterprise that is stolen gaming credentials, but I have to wonder: why does it matter, if you are selling a stolen credential, if it's good or not? Is the buyer really going to come back and demand a refund when it doesn't work? And what real benefit are these, anyway? Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)? Oh for the love of humanity, the things people will do in the name of wasting time.

      If it's Xbox Live Gold info, then they have access to your credit card if you have it on the account.

      --
      Be seeing you...
    46. Re:I must be new here by Gaffod · · Score: 0

      When you spend 8 hours to gain what you might as well have gained in 8 minutes, you have wasted your time. It's not even about regret. And in a more relevant form, when you pay money to work a second job, overtime, you are wasting time.

      Stop pretending hardcore MMO players are all perfectly well adjusted people with no issues in the name of rationalizing your little hobby. Why be so defensive anyway? So what if it's wasting time. Maybe you just enjoy wasting time.

      By the way, the Sistine Chapel is something. A fictional language is something. Even a pornography collection, if it has an interesting theme or accentuates a surprising trend, is something. You can point to it and say "this is the product of my efforts, regardless of the value of that product, I accomplished something". What does a WoW player accomplish? The sword they looted was already there, in the game. The game they play has been designed literally in every detail. The action the player performs in order to acquire the carrot is already obvious and clear from the beginning, and it is clear what the carrot is and does. And the carrot is not even a physical object. Gaining the carrot provides absolutely no benefit of any kind, and cannot, because there is nothing to be gained, except maybe the approval of other players who are also pursuing the same worthless goal, and admire your "achievement" out of misguided envy.

  3. As if.. by Anonymous Coward · · Score: 0

    As if a million gnome mages cried out in torment and were silenced at once.

  4. Hey you guys by Monkeedude1212 · · Score: 1

    You know Slashdot doesn't let you say your own password? Check it out:

    *********

    Also, Alt+F4 gets you instant Karma!

    ---

    Had to get that out of me. So I didn't RTFA, but what I gather is that they used some kind of keylogger and now the server has 44 million user credentials. At first I was like "Why didn't it just test the credentials when it received them, and then change the password?" But that runs the risk of users detecting the virus, having its spread shut down by Symantec, and the account being deemed worthless once the game devs shut it down and hand a new one to the original user.

    So then I thought, "Why don't they have a system to report how often a keylog sends specific credentials to their server, so they know how recently certain credentials were used, to know which are still active?" Perhaps they didn't include that info when sending back keylogs though - sloppy programming, but I imagine they let this thing run for a while to see if it would even work and take off before putting in a ton of functionality.

    So, I guess the issue I have is, how do you get a botnet to try out various logins without alerting the user? Could this have been how they were caught?

    1. Re:Hey you guys by jeffmeden · · Score: 1

      To test this I found a really old article (to avoid the chance of someone coming upon it) and posted a comment in it with my password. Turns out you were wrong!!! Damn you.

    2. Re:Hey you guys by Monkeedude1212 · · Score: 1

      It's the oldest trick in the book, and you'd be surprised how many people have lost their account info that way. ...

      *shifty eyes*

      I was twelve okay? I didn't know any better.

    3. Re:Hey you guys by 2obvious4u · · Score: 1

      lol, you actually tried it - I fell for the Alt + F4 once in a game of starcraft.

    4. Re:Hey you guys by biryokumaru · · Score: 0, Offtopic

      No, no, no. He means it'll come up stars for everyone else, see: hunter2.

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    5. Re:Hey you guys by kevinNCSU · · Score: 1

      The proper response is that you still see it as plain text but everyone else just sees the asterisks.

    6. Re:Hey you guys by Anonymous Coward · · Score: 0

      When I try it, I see hunter2

    7. Re:Hey you guys by The MAZZTer · · Score: 2, Funny

    8. Re:Hey you guys by rocket97 · · Score: 2, Funny

      One of my co-workers was giving a presentation once (he is a self-proclaimed computer expert in every facet), and he asked us "how do I make this PowerPoint presentation full screen?". We replied Alt-F4. He did it and said "hmm, that is weird", and restarted PowerPoint and pressed Alt-F4 again... after attempting it 5 times he gave up and said "Oh well, I guess we will just do the presentation like this".

      --
      "The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
    9. Re:Hey you guys by tangelogee · · Score: 1

      I miss the days of Ctrl-Alt-Del restarting the computer...used to be so much fun!

    10. Re:Hey you guys by JWSmythe · · Score: 1

      1234

          Nope, it lets me post my own password. :)

      --
      Serious? Seriousness is well above my pay grade.
    11. Re:Hey you guys by kalirion · · Score: 1

      Actually he was right. You can see your own password because it's your password.

      You can even see it after logging out, because slashdot remembers your ip.
      And detects it through web proxies.
      And uses biometrics on the keyboard to recognize you from another computer.

      Yeah, that's it.

    12. Re:Hey you guys by archangel9 · · Score: 1

      That's the stupidest password I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    13. Re:Hey you guys by mcgrew · · Score: 1

      You can't comment in really old articles.

    14. Re:Hey you guys by quercus.aeternam · · Score: 1

      Did you know that by clicking on your username, I can see what posts you have recently made?

    15. Re:Hey you guys by JWSmythe · · Score: 1

          Remind me to change the code on my luggage too. :)

      --
      Serious? Seriousness is well above my pay grade.
    16. Re:Hey you guys by shadowrat · · Score: 1

      yeah, it seems a little suspicious if the bot on your computer downloads and runs wow.

    17. Re:Hey you guys by Fnkmaster · · Score: 1

      Apparently, your password is asstastic. Now that's funny.

  5. or... by Anonymous Coward · · Score: 1, Insightful

    4) Sell them in bulk, untested.

  6. Damn it. by LupidStupy · · Score: 5, Funny

    Mom!!!! Symantec hacked my server again.

  7. They should post the usernames... by BobMcD · · Score: 4, Interesting

    They could, as a service to the online community, go ahead and post the usernames that are compromised.

    1. Re:They should post the usernames... by MikeBabcock · · Score: 1

      I get your point, except that you should change your gaming password now anyway. It might have been you, it might not have, and your creds. might've been stolen by someone else entirely.

      Change your passwords anyway.

      --
      - Michael T. Babcock (Yes, I blog)
    2. Re:They should post the usernames... by Culture20 · · Score: 1

      They could, as a service to the online community, go ahead and post the usernames that are compromised.

      Along with the passwords. Because, um, then we'd know if the thieves have old creds? Yeah, that's the reason.

    3. Re:They should post the usernames... by BobMcD · · Score: 1

      I get your point, except that you should change your gaming password now anyway. It might have been you, it might not have, and your creds. might've been stolen by someone else entirely.

      Change your passwords anyway.

      This is true every moment of every day. Maybe my password was stolen a second ago, or maybe in the next second. We have to make some assumptions or else the protection becomes unusable.

      Symantec, however, has the list and so makes far fewer assumptions as to whom should take action.

      Also, having the list would let people know that they are in need of better security, along with letting them know their password needs changed. Omitting the former means your new password would be immediately compromised as well.

      Now, as for ME, I have an authenticator, so I'm golden. But there would seem to be at least 210,000 other WoW players who do not.

    4. Re:They should post the usernames... by BobMcD · · Score: 1

      In truth, if my password were divulged back to me I'd know WHEN the compromise happened as well.

      But, as you so eloquently pointed out, there would be other uses for this information...

    5. Re:They should post the usernames... by JWSmythe · · Score: 4, Interesting

          I used to have a lot of fun with that, when I was the sysadmin for a large site. It seemed every script kiddie wanted the password to it. It showed up regularly on passwordz sites. We had a whole bunch of triggers to detect and resecure accounts. One of the easy and obvious ones was to let them post it, and catch it afterwards (usually within seconds of being posted). The legitimate account holder got a notification that we changed their password to a secure one. Everyone else just sat there and wondered how we'd catch them so fast.

          That trigger was pretty low on the list though. My favorite was to catch 'em scanning for passwords. If they tried say 1000 wrong passwords in a short period, but got one or two right, we'd let them keep scanning for a while, and then block their access to the server (iptables drop rule). Then the program would figure out which passwords they actually got right, change those, and notify the account holder of their new password. :) It was always fun to see what the delay was between them finding a password, and when it started being used from passwordz sites. In those cases, we always had the account secured before they had time to post it. The typical time from being scanned to being posted was about 12 hours. The typical time for us to reissue the passwords was less than 5 minutes.

          I can't imagine online game places wouldn't have something similar. Brute-force attacks are just too easy, and people will always try them. How many different usernames can a person really try before you know that they're just brute-force attacking?

      --
      Serious? Seriousness is well above my pay grade.
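The trigger described in the comment above, written out as an added example; this is not the poster's code or any real site's, and the log format, thresholds and sample addresses are assumptions. It replays constructed login-log lines, flags source addresses that rack up many failures plus at least one success inside a short window, and lists the accounts whose passwords were guessed so they can be reissued before the credentials are resold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): "TIMESTAMP OK|FAIL user=NAME ip=ADDR"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def _make_sample_log():
    """Build constructed log lines: one scanner with two hits, one scanner
    with no hits, and one legitimate user who mistypes twice."""
    t0 = datetime(2010, 5, 27, 10, 0, 0)
    lines = []
    # Scanner at 203.0.113.5: 25 wrong guesses against different accounts...
    for i in range(25):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} FAIL user=user{i:02d} ip=203.0.113.5")
    # ...and two guesses that worked, inside the same few minutes.
    lines.append(f"{(t0 + timedelta(seconds=100)).isoformat()} OK user=bob ip=203.0.113.5")
    lines.append(f"{(t0 + timedelta(seconds=200)).isoformat()} OK user=carol ip=203.0.113.5")
    # Scanner at 192.0.2.9: 30 failures, nothing guessed right.
    for i in range(30):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} FAIL user=acct{i:02d} ip=192.0.2.9")
    # Legitimate user at 198.51.100.7: two typos, then a real login.
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} FAIL user=dave ip=198.51.100.7")
    lines.append(f"{(t0 + timedelta(seconds=45)).isoformat()} FAIL user=dave ip=198.51.100.7")
    lines.append(f"{(t0 + timedelta(seconds=60)).isoformat()} OK user=dave ip=198.51.100.7")
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()


def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def find_password_scans(events, window=timedelta(minutes=10),
                        min_failures=20, min_successes=1):
    """Return {ip: {"failures": n, "guessed": set(users)}} for every source
    address that, within one sliding window, produced at least min_failures
    failed logins and at least min_successes successful ones. Thresholds are
    placeholders; the comment above used ~1000 failures over a short period."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]  # recomputed per step; fine for small logs
            failures = sum(1 for _, r, _ in chunk if r == "FAIL")
            guessed = {u for _, r, u in chunk if r == "OK"}
            if failures >= min_failures and len(guessed) >= min_successes:
                entry = hits.setdefault(ip, {"failures": 0, "guessed": set()})
                entry["failures"] = max(entry["failures"], failures)
                entry["guessed"] |= guessed
    return hits


def plan_response(hits):
    """Turn detections into the two actions the comment describes: drop the
    scanner's address and reissue the guessed accounts' passwords."""
    actions = []
    for ip in sorted(hits):
        actions.append(("block", ip))  # e.g. an iptables DROP rule for this source
        for user in sorted(hits[ip]["guessed"]):
            actions.append(("reissue_password", user))
    return actions


if __name__ == "__main__":
    detected = find_password_scans(parse_log(SAMPLE_LOG))
    for action in plan_response(detected):
        print(*action)
```

With `min_successes=0` the all-miss scanner at 192.0.2.9 is reported too, which is the right setting when you want to block scanners before they get lucky rather than after.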
    6. Re:They should post the usernames... by noidentity · · Score: 2, Insightful

      Hopefully they'll try to return all these stolen credentials back to the owners. Returning stolen property can get pretty costly though, with so many different owners. They can't just go destroying them, then the owners would lose them.

    7. Re:They should post the usernames... by Smallpond · · Score: 1

      needs changed

      What's the weather like in Pittsburgh today?

    8. Re:They should post the usernames... by Dumnezeu · · Score: 2, Insightful

      What would be the point of publishing a 500 MB (@~11 chars/user) text file? And how would they do that? If anyone gives a shit about their account, they'll just change their password as soon as they hear about this.

      Also, let's do some statistics, shall we? Let's say there are 20 million WoW accounts (pulled the number out of my ass, Wikipedia said 12 million in 2008). There are also 0.2 million stolen WoW accounts. The chance of your account being compromised is 100:1. Pretty high, if you ask me, so just scan your computer online with an antivirus if you don't have one installed, change your password and stop asking for stupid stuff in the name of the community (what community?!?).

      --
      Yes, it's sarcasm. Deal with it!
    9. Re:They should post the usernames... by BobMcD · · Score: 1

      You might want to check out some of the other posts in the thread...

    10. Re:They should post the usernames... by psyque · · Score: 1

      How many people do you think would use their username as their password? I bet quite a few.

  8. Infringed! by TaoPhoenix · · Score: 1

    Hey, the original users got to keep their credentials - all that happened was the hacker got a spare set! (Until the password was changed...)

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  9. And if I did this... by FrankSchwab · · Score: 3, Insightful

    OK, so Symantec "recently stumbled upon a server hosting...".

    What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?

    So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?

    And the penalty if I did that is, what, 5 years in federal PMITA prison?

    There is something wrong in this world.

    --
    And the worms ate into his brain.
    1. Re:And if I did this... by BobMcD · · Score: 4, Insightful

      And the penalty if I did that is, what, 5 years in federal PMITA prison?

      There is something wrong in this world.

      You're quite wrong. This is an example of one of the few somethings that is right in this world. Selective enforcement is designed into the system, along with jury nullification, to help the laws achieve ends that keep the public they support happy. Any "completely fair" application of the law would make it unworkable in very short order.

      Could you imagine a robot issuing you indecency citations every time you pass gas in public? Could you imagine a police officer doing the same if you passed gas into a megaphone-amplified-sound-system aimed at, say, an Inaugural speech? Context is key, and thankfully so.

    2. Re:And if I did this... by Anonymous Coward · · Score: 0

      It was probably one of their own Norton 360 servers they found. Who knows what kind of information that sends back and forth all the time.

    3. Re:And if I did this... by InsertWittyNameHere · · Score: 3, Funny

      It was probably one (some) of their clients' servers that got hacked and used in the collection of the credentials. The client found out that they got hacked and demanded that Symantec explain what happened. Symantec investigated and found out.

      They're not going to say "a server we were protecting with our products got hacked and was used in an operation to steal 44 million credentials..."

    4. Re:And if I did this... by TubeSteak · · Score: 4, Interesting

      OK, so Symantec "recently stumbled upon a server hosting...".

      What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?

      So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?

      Symantec and many other companies set up honeypot computers.
      The honeypot gets infected, Symantec pulls apart the trojan and studies its web traffic.
      This usually leads to the dumpsite where the trojan is uploading the data.

      Many botnet/trojan masters don't bother to encrypt their data dumps or secure the server hosting it.
      And even if they did, are they going to sue Symantec for unauthorized access?

      --
      [Fuck Beta]
      o0t!
    5. Re:And if I did this... by Demonantis · · Score: 2, Insightful

      Sounds more like FUD to get people to buy into Symantec so something like this never happens to your computer. Legitimately though, they could have looked at the viruses they were finding and traced them back to the server that was commanding the botnet. I would say the numbers are estimates and no actual cracking occurred, as there were no specifics on how they found the data, which would be much more interesting. Everyone has heard tons about DDoS already and this is just another boilerplate application of the concept. I wouldn't be surprised if this was just a hypothetical situation dreamed up by Symantec.

    6. Re:And if I did this... by Anonymous Coward · · Score: 1, Insightful

      > OK, so Symantec "recently stumbled upon a server hosting...".
      > What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?
      > So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?

      Yeah, it's not like Symantec reverse engineered a trojan that was attracting their attention (Trojan.Loginck), analyzed its traffic, did their "mumbo-jumbo" on it and came across a server hosting *all* the accounts (which would mean a mistake by the trojan's creators I assume, hence the "stumbling upon," given that a distributed trojan is pretty much a clever thing), and was startling as it held 44 MILLIYUN accounts.

      No.

      They must've written a crawler.

      We're not paranoid.

    7. Re:And if I did this... by girlintraining · · Score: 2, Insightful

      Selective enforcement is what creates tyranny and allows those in authority undue power in determining who's looked after and who isn't.

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:And if I did this... by BobMcD · · Score: 1

      Selective enforcement is what creates tyranny and allows those in authority undue power in determining who's looked after and who isn't.

      Clearly, but then we like a little tyranny, don't we?

    9. Re:And if I did this... by BForrester · · Score: 4, Informative

      RTFA. This is not a case of Symantec hammering through random servers looking for bogeymen.

      The very first sentence of the article states that the server was flagged from a new set of sample data submitted to Symantec. This is likely user data aggregated from Norton's threat detection network.

    10. Re:And if I did this... by daten · · Score: 0

      Why is the parent being modded down? The GP is an ignorant troll and this is an informed response.

    11. Re:And if I did this... by KahabutDieDrake · · Score: 3, Insightful

      Neither of the cases you cite is actually illegal. This is a key feature of the law: if something isn't codified as illegal, it's NOT ILLEGAL. The context is effectively null, since the example isn't valid.

      You say that any completely fair application of the law would make it unworkable. That is the biggest pile of bullshit I've seen on /. in a long, long time. Believe me, that's saying something. ONLY a completely fair application of the law works. Our founding fathers knew this. Our ancestors knew this. The fact that you don't know this is frightening beyond reason. You didn't say, but you implied that Symantec should have rights and privileges that an ordinary citizen does not. That is the largest perversion of the law that is possible. Companies do not have any trust, they can't be given confidence, because they exist for ONLY one purpose: to make money. You can trust a person, you can't trust a company, and even attempting to do so is foolish (at least) and IMNSHO stupid beyond belief. Our entire foundation of laws is based on the INDIVIDUAL being the top, and everything else coming second. If you now believe that corporations should be on top (they are, but they should not be), well, we've already lost, haven't we?

    12. Re:And if I did this... by Anonymous Coward · · Score: 1, Insightful

      OK, so Symantec "recently stumbled upon a server hosting...".

      No.

      What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?

      No.

      So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?

      No. Looks like they took a shufty through a promiscuous database server that didn't mind them running their fingers through its long, flowing indexes.

      And the penalty if I did that is, what, 5 years in federal PMITA prison?

      Was the server asking for it? Or was it wearing a chastity belt?

      There is something wrong in this world.

      Yeah. It is full of ignorant assburger geeks who start spouting assumptions after skimming the summary instead of RTFA and also full of ignorant assburger moderator geeks who mod the aforementioned hasty assumption-spewing assburger geeks as insightful when they're being anything but.

      Maybe the world would be different if there was a "-1, Didn't bother to read the article before commencing outraged rant on the injustice of it all" mod?

    13. Re:And if I did this... by Jeng · · Score: 1

      I thought having a Just Plain Wrong moderation option would be useful, but it would just be abused by trolls. So instead one must actually respond to wrong such as you and others have. It helps foster the community in that we can't just say something is wrong, but we have to say how it is wrong.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    14. Re:And if I did this... by idontgno · · Score: 4, Funny

      We don't care about your sick perverted little secret fetishes.

      Oh, "tyranny." Never mind.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    15. Re:And if I did this... by Monkeedude1212 · · Score: 3, Interesting

      You know "IMHO" can sometimes be interpreted as "honest" and not "humble", right?

    16. Re:And if I did this... by BobMcD · · Score: 2, Insightful

      I lol'ed. :P

    17. Re:And if I did this... by BobMcD · · Score: 2, Funny

      Don't let me squash your corporate angst that you're grooving on, but you're entirely off my point, and have gone on to bend it towards one of your own.

      Symantec being 'the machine' is completely irrelevant. We still use them as a tool to keep our computers protected (the effectiveness is debatable, but not the use), and so would definitely allow them more leeway than we would an individual that neither harms nor benefits us.

      Our founding fathers knew this.

      Our founding fathers were, by the strictest application of the law, brazen criminals. Do you think they paid for all that tea before tossing it into the harbor? Do you think they properly rescinded all those treaties broken with the native population? Are you under the assumption that open rebellion was somehow legal? Because if the answer to any of these is 'no' then you ought to be calling for their (historical) prosecution for these crimes.

      Don't dilute the point with your anti-establishment crap. Nobody, and I mean nobody, wants every law enforced for every infraction. That just isn't how the system was set up.

    18. Re:And if I did this... by FrankSchwab · · Score: 2, Interesting

      OK, so a compromised machine was pointing to the server.

      That somehow gives them the right to go rummage through that server uninvited, reading and analyzing what they found and publishing it? Now, I know the vigilante in all of us wants to say "yes", but it's not clear to me that the law permits that kind of activity. And I stand by my statement that, if I did it, I'd end up a very unhappy puppy.

      Let's imagine that I find some Symantec product on my machine that I didn't install, and I find a server address in the code. Does that give me the right to go pillage Symantec's machine and publish information about what I'd found?

      --
      And the worms ate into his brain.
    19. Re:And if I did this... by mcgrew · · Score: 2, Insightful

      Selective enforcement is designed into the system

      [citation needed] Can you cite a single government document that says this? "Selective enforcement" does in fact exist, but it is almost always used unfairly. It's an excuse to target the poor or minorities and let the rich and powerful off the hook.

      Sometimes they have "zero tolerance" policies in place in my city, and they're always in place in the ghetto. This country was NOT started with the concept of "selective enforcement" in mind; it was started with the concept that "all men are created equal" and that all people should be treated equally.

      If I shoot and kill a rapist I should go to prison for murder. Period. No exceptions. They can't enforce all the laws? Well, maybe they should repeal a few of them.

    20. Re:And if I did this... by BobMcD · · Score: 2, Insightful

      "Selective enforcement" does in fact exist, but it is almost always used unfairly.

      Selective enforcement, by definition, is ALWAYS used unfairly. Sort of like how water is wet.

    21. Re:And if I did this... by Anonymous Coward · · Score: 0

      I believe Symantec have reverse engineered a Trojan, which has allowed them to connect back to the server in question.

    22. Re:And if I did this... by KahabutDieDrake · · Score: 1

      Don't toss your anti-establishment bullshit on me. I didn't invoke it, and I'm not going to debate it.

      Our founders knew that equality under the law mattered. They sure as hell didn't get it right in their lives, but they went further than anyone else had.

      YES, I expect every law to be enforced for every infraction, or I expect the law to be changed. If selective enforcement is the rule, then prejudice, classism, and eventually a caste system will prevail. You can live in that world, or we can all work together and make this one righteous. Any hand waving about impossibilities is the side effect of a small closed mind.

      Granting privilege to a computer company whose sole value is providing you protection from the bad guys is right up there with allowing torture on terror suspects "because they are out to get us". Fuck you, coward. Stand, with pride, honor and integrity. Or walk away. But I'm not going to sit around while you and those like you slowly bleed all the power of the citizen into the state. The state has a purpose, and it isn't to provide a skewed legal system that blatantly ignores violations of the law because they might, maybe be helpful. Prove to me that Symantec is working for the greater good, and I'll support an exception to the law to be CODIFIED legally. Until then you prosecute them like you would anyone else; that's pretty much the entire basis for our legal system. You know, justice is blind, equality under the law, and all. /flame on, I suppose.

    23. Re:And if I did this... by fishexe · · Score: 1

      You know "IMHO" can sometimes be interpreted as "honest" and not "humble", right?

      IMHO, no it can't.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    24. Re:And if I did this... by fishexe · · Score: 1

      "Selective enforcement" does in fact exist, but it is almost always used unfairly.

      Selective enforcement, by definition, is ALWAYS used unfairly. Sort of like how water is wet.

      Not necessarily. I say this having had a law selectively enforced against me. In my state, it is illegal to gamble, except in the state lottery or at Indian casinos. This is selectively enforced, and everybody knows it. It's even in the case law. The purpose of the law is not to stop gambling from occurring, but to stop it from becoming a racket or other public nuisance. It would be nearly possible to write all the distinctions into law for the types of gambling our state considers okay and the types we consider problematic. Leaving enforcement up to the discretion of the police allows them to employ the law as intended, not to stop a friendly poker game, but to stop a poker house that's being used to launder mob money. Or that's disturbing the neighbors with frequent, raucous noise late at night, as was the case with me and my roommates, who ran a poker house that was shut down by the police.

      My point is, it was perfectly fair to selectively target us with this law. Yes, it was selective, and yes, it kinda sucked to be on the end of it, but to call it unfair would be a stretch. On the other hand, if my city didn't have the finest and most professional police force I know of, I could see the potential for abuse. So GP's "almost always" is a substantially more accurate generalization than your "always by definition." Whether it's fair or not depends on whether the criteria for selection are fair, not whether or not there is any selection at all.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    25. Re:And if I did this... by TubeSteak · · Score: 1

      Let's imagine that I find some Symantec product on my machine that I didn't install, and I find a server address in the code. Does that give me the right to go pillage Symantec's machine and publish information about what I'd found?

      There are several underlying issues which are highly relevant to your argument:
      1. Was the unwanted code contacting that particular server from your computer?
      2. Can a bad actor grant access rights to his program but not to you, the user whose machine it is residing on?
      3. If the bad actor does not secure the information on an internet-facing server, have you exceeded access by "pillaging" it?
      4. Can a bad actor even make a claim of unauthorized access?

      Personally, I'd make the argument that the answer for #2, 3 and 4 is "no".

      --
      [Fuck Beta]
      o0t!
    26. Re:And if I did this... by fishexe · · Score: 1

      That somehow gives them the right to go rummage through that server uninvited, reading and analyzing what they found and publishing it? Now, I know the vigilante in all of us wants to say "yes", but it's not clear to me that the law permits that kind of activity.

      Yes.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    27. Re:And if I did this... by BobMcD · · Score: 1

      Jeez, but you're frothy. How do you possibly know me well enough to label me in such ways? (Hint: Slashdot has a posting history feature...) And why didn't you respond to the non-prosecution of our founding fathers' crimes?

      I'm not telling you that I necessarily support every possible imaginary application of selective enforcement, but only that it is implicit and necessary in the system for us to have a thing we like to call 'justice'. If you don't get it, fine. If you disagree, try and do so on more than a 'because it makes me all pissy' platform. Use arguments. Don't try to appeal to some grandiose sense of morality. Justice can be a beautiful thing, and is very much what the people want.

      Changing the laws is important, but Congress makes a lot of sausage. In the meanwhile, we need decent people and juries of our peers making sure the law serves us, not the other way around.

      And since when does not throwing the book at everyone everywhere mean we HAVE to torture terrorists? Your logic unit may be damaged. Get a diagnostic ASAP.

    28. Re:And if I did this... by BobMcD · · Score: 1

      Perhaps I got my arguments crossed, but I've been tangoing with many on here that want to see every infraction dealt with on exactly the same terms, and are labeling this as 'fair'. You're saying it can be (something close to) fair to society while not necessarily being entirely fair to the individual, or something, which is fine.

      But as long as it is selective, there will be errors and 'fair', being equitable, in the sense it was being used earlier cannot exist.

    29. Re:And if I did this... by KahabutDieDrake · · Score: 1

      I don't recall labeling you, just rejecting the labels you put on me. Also, I would have prosecuted the founders of this country, if they had violated the laws of this country (which they almost certainly did)

      Let me try again with a little less froth. I believe in justice, and I don't believe that can be achieved by selective enforcement. Only by just laws. I do realize that under our current system I pretty much have to accept a little bit of both. At least for now. However, that doesn't mean I'm ok with it.

      I believe that letting anyone, and doubly so a company, have a non-codified exception to the law is how we end up with one law for plebeians, and one for the kings...er people with money. Historically this is easy to see, and our legal system was set up in ways that were supposed to stop that from happening. However, I think it's easy to see we are slipping away from those ideals, and I for one am going to fight that tooth and nail. Because the alternative is a bloody revolution, and frankly, that doesn't appeal to me in these so called civilized times.

      That grandiose sense of morality, that's what is missing these days. Far too many people believe it's out of reach. That is simply wrong, and defeatist. That being said, you are certainly entitled to your opinion, as I am to mine.

      I didn't say that allowing exception in the law was the same as FORCING torture, I said it was on par, and it is. Someone once said "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety" It's still true, and there are far too many doing it.

  10. Read all about it! Read all about it! by spleen_blender · · Score: 1

    Botnet does things botnets do! Data stolen, data processing distributed, Mayor surprised and outraged! Read all about it, only a nickel!

  11. Games and security... by TrisexualPuppy · · Score: 1, Informative

    There are lots of holes in games since the last thing that programmers or gamers really want to think about is account security. (Cheating security frequently is the first thing that comes to mind.)

    One of my buds ran a long thread here a while back. Several of his accounts were taken...don't remember how they got his WoW account. But it ended up that he eventually figured out that a server admin had poisoned a Web-downloadable .exe map pack file with a trojan that scraped some account info off files while running a keylogger to get anything that the scraper missed. These hackers are usually on top of their game (no pun intended).

    1. Re:Games and security... by paeanblack · · Score: 2, Insightful

      But it ended up that he eventually figured out that a server admin had poisoned a Web-downloadable .exe map pack file with a trojan that scraped some account info off files while running a keylogger to get anything that the scraper missed. These hackers are usually on top of their game

      That's one step above coldcalling your friend and asking for his credentials. These aren't "hackers" "on top of their game"...your bud is just a complete moron.

  12. Assumptions by Anonymous Coward · · Score: 0

    I like how a post full of nothing but pure assumptions somehow gets modded insightful. Maybe check the facts? How do you know they weren't tipped off to the server? Some other rival hacker might have found it and wanted to spite their competition. My assumption is just as valid as yours.

  13. In other, unrelated news... by Bobfrankly1 · · Score: 1

    A Symantec blog post reports that the company recently stumbled upon a server hosting the stolen credentials for 44 million game accounts.

    Symantec has reportedly bought up all the beer in the area and is planning raids into the deep mines.

  14. Inflated Numbers Are Misleading by Maarx · · Score: 2, Interesting

    Summary (and article) claims "44 million stolen gaming credentials", which sounds like a lot to us English-speaking and English-game-playing Slashdot readers.

    However, in the article, they analyze "a particular sample", with about ~18.3 million accounts in it. Of those ~18.3 million, ~16 million of them were game accounts for "Wayi Entertainment", which is an Asian company. They have no English website, that I can tell, and I think it's a safe assumption there is no English counterpart to these games.

    So we're mainly talking about accounts for crazy Asian freemium sprite-based "MMO's". There were only ~210,000 World of Warcraft accounts, most of which, I assume, are also for the Chinese version of the game.

    So if you're reading this, I'm going to go out on a limb and say your account is probably safe.

  15. how to make money from stolen gaming credentials by CosaNostra+Pizza+Inc · · Score: 1

    For MMORPGs it's fairly easy, so I've read. Sell off their items/gold to other players for RL cash.

  16. Re:I must be new here (not really!) by Anonymous Coward · · Score: 0

    You can no longer sell in-game items on RuneScape for real life money. An update to the game in December 2007 prevented this practice.

  17. Hold it Right There.... by mpapet · · Score: 1

    The article glosses over the fact that *millions* of accounts are discovered.

    That suggests the data is captured in massive quantities at one time. Specifically, 210,000 WoW accounts are hard to come by one-by-one. The computing effort might not be great, but the time to trawl compromised PCs would seem to be. Am I completely off-base with this assumption?

    My point being, the bigger problem seems to be the blocks of data that must come from inside these organizations, which the article pretends doesn't exist. Instead we have 'fun with large data sets' infotainment.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  18. Mod parent up! by Anonymous Coward · · Score: 0

    Uppity, I say!

    1. Re:Mod parent up! by Anonymous Coward · · Score: 0

      Mod AC Down, down boy down

  19. It's not about logging on. It's about selling by fluor2 · · Score: 1

    They would split up the list and sell it as small lists. E.g. you could split it up into lists of 1000 accounts or less, whereas the newest accounts are the most likely to work, thus having the highest price or similar.

    1. Re:It's not about logging on. It's about selling by smallfries · · Score: 1

      Your post is the closest in the discussion to how to make money out of the list. The only problem is that you didn't think big enough. So the problem is that you can only sell each list once, and the stinky ones are hard to shift.

      Rather than sell the lists you want to securitise them. Bundle the lists up into tranches and sell rights to the loot in each tranche. By using clever financial magic we can make the bad stink from the oldest accounts go away and sell each account many times over.

      Absolutely nothing can possibly go wrong. We just need to get Goldman-Sachs in on this and we are made...

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  20. And did Symantec report this to the authorities? by BcNexus · · Score: 1

    So, did Symantec do what they could to A) report the server and botnet; B) take it down; and C) prosecute the alleged criminals?

  21. Re:And did Symantec report this to the authorities by Anonymous Coward · · Score: 0

    So, did Symantec do what they could to A) report the server and botnet; B) take it down; and C) prosecute the alleged criminals?

    What gives Symantec the right to prosecute?

  22. Release it by w00tsauce · · Score: 0

    Just make it into a torrent and post it on the internet. It will all get sorted out eventually.

  23. I smell a RAT by Anonymous Coward · · Score: 0

    From TFA:

    "So, picture this: you are a bad guy and have created or purchased a botnet"

    My first thought when I read this...is that Symantec purchased THIS botnet for advertising, PR purposes. That's right. Is it really out of the ordinary for a criminal enterprise to 'anonymously' approach a security vendor and offer to sell their data (especially if the data maybe isn't worth much anymore)? This would seem pretty valuable to me from a vendor perspective.

    "Hey there, what if I told you that you could be the first to 'stumble' upon 44 million stolen credentials and you can release blogs, releases, statements, quotes and all kinds of great things hailing yourself as a security pioneer who won one for the customer...would you be interested in that?"

  24. ??? Profit!!! by Angst+Badger · · Score: 1

    For the benefit of the non-gamers amongst us, perhaps someone could explain exactly how one goes about converting game accounts into "hard cash".

    --
    Proud member of the Weirdo-American community.
  25. Inside advice by pellik · · Score: 1

    First let me preface this by saying that I am a pretty dedicated ISK seller in EVE Online. My name here on slashdot is not linked to my EVE operation in any way, so I'm not shy about owning up to my actions.

    I make about $300 a week selling ISK. Sometimes more, sometimes less. Now that I've got everything worked out my time investment for that $300/wk extra income is less than an hour per week. Nobody in their right mind would seriously sell currency in any MMO that they earned "honestly", since you'd be making pennies per hour. The workhorses of the RMT (real money trade) industry are botters like me. I run 10 accounts all hours of the day that do nothing but earn money. This is the "honest" way to run a RMT business.

    The other side of RMT are the people that run keyloggers and are looking to steal accounts. These people are almost exclusively part of the Chinese RMT machine, which dominates the industry in any game. They will take your money and send you stolen goods, and couldn't care less when you get banned for your account being linked with the hackers that stole the money in the first place. Also there are numerous stories of these RMT shops offering up keyloggers to their own customers to steal back what they just sold further down the line.

    If you're interested in buying currency, but don't want to support the hacker/stolen side of RMT, take a few minutes and search out one of the American RMT shops. They generally don't spam/advertise in the games, so you have to go looking for them. This won't eliminate any possibility that what you're buying isn't stolen, but it certainly does reduce it. As an added bonus you're supporting about the only remaining industry that specifically employs young game addict geeks.

    1. Re:Inside advice by blair1q · · Score: 1

      There are those who wonder how value can be created in a fantasy world.

      I wonder if they then turn around and wonder how it's created in the real world.

  26. occam's razor OP had it all wrong. by Anonymous Coward · · Score: 0

    The OP has it all wrong and actually missed the most direct least effort least detectable attack.
    The credential is used to login, some game account personal information is collected, character names, last logon, time played.
    A fully polished legit forged email is then sent to the last email on record. The email indicates the account is eligible for a limited special offer of 30 days free gaming.
    These emails may or may not be discarded by active players, irrelevant.
    Active and inactive players WHO CLICK and logon have forwarded the needed info for an enhanced spear phishing attack.
    [optional] In game players give gold credits and provide effective twink support to guarantee the 30 day game card investment translates into a subscribed hacked account.
    [note] This would only be done if the account toons have assets or stats and are of sufficient sellable uber quality.
    PROFIT. or Profit ++

  27. Stupid Summary by virtualonliner · · Score: 1

    The summary is just stupid. I mean when you use a botnet to collect all those credentials, won't you naturally use the same botnet to check them? All that blabber about options was just pointless on so many levels.

  28. Stolen? by xenobyte · · Score: 1

    Who says they're stolen?

    Could be the owner suffered from schizophrenia with multiple personalities and had 44 million separate personalities, all avid gamers... ;)

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --