Slashdot Mirror


Symantec Finds Server Containing 44 Million Stolen Gaming Credentials

A Symantec blog post reports that the company recently stumbled upon a server hosting the stolen credentials for 44 million game accounts. It goes on to explain how the owners of the server made use of a botnet to process that mountain of data: "Now it's time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind: 1) Log on to gaming websites 44 million times! 2) Write a program to log in to the websites and check for you (this would take months). 3) Write a program that checks the login details and then distribute the program to multiple computers. Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck's creators have done."

32 of 146 comments

  1. I must be new here by jeffmeden · · Score: 2, Interesting

    I am a little naive to the criminal enterprise that is stolen gaming credentials, but I have to wonder: why does it matter, if you are selling a stolen credential, if it's good or not? Is the buyer really going to come back and demand a refund when it doesn't work? And what real benefit are these, anyway? Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)? Oh for the love of humanity the things people will do in the name of wasting time.

    1. Re:I must be new here by Monkeedude1212 · · Score: 4, Informative

      Don't tell me that people buy stolen creds and log into them just to take all their e-loot (worth thousands of e-dollars)? Oh for the love of humanity the things people will do in the name of wasting time.

      No, this is often the people who STOLE the creds, log in, and sell the E-loot for REAL money. If you've never played WoW, Eve, or Runescape for more than a month, I wouldn't expect you to understand. But this is a problem that does occur regularly.

    2. Re:I must be new here by keithjr · · Score: 3, Insightful

      Is the buyer really going to come back and demand a refund when it doesn't work?

      Probably not, but reputation must be worth something in criminal enterprises. Giving out a bunch of bogus products kills the word-of-mouth.

      And what real benefit are these, anyway?

      Well, all the criminal has to do is sell off the account for less than the game costs up-front. They make pure profit and people willing to buy stolen games get a discount. Steam accounts could probably be quite lucrative, for instance.

    3. Re:I must be new here by interkin3tic · · Score: 2, Informative

      Is the buyer really going to come back and demand a refund when it doesn't work?

      While I'd guess it's not impossible to just fake the account details, and maybe people do that, it could just be that these particular people found it is just more profitable to be legitimate after stealing the account for a variety of reasons. These are legitimate auction sites according to TFA.

      Just guessing, but you see an account you'd like to get on the auction site, check to see if that character is actually good or has good equipment on WOW or whatever. If it isn't, no bid. If you buy it and the login doesn't work, I guess you first might cancel the transaction on your credit card or report it to PayPal, the auction house bans that user from selling again, they'd have to start over with a new auction account with a lower user feedback rating.

    4. Re:I must be new here by BobMcD · · Score: 4, Insightful

      Oh for the love of humanity the things people will do in the name of wasting time.

      One man's wasted time is another man's Sistine Chapel, or pornography collection, or fictitious language for a fantasy book series.

      From the moment you open your eyes in the morning until you close them at night you're passing time. Whether or not it is wasted depends entirely on whether or not you regret how you spent it.

    5. Re:I must be new here by jgagnon · · Score: 2, Funny

      It's a little easier than that... all they have to do is use hordes of 3rd world labor at low rates to farm and auction what they get, especially if they work on commission.

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    6. Re:I must be new here by nbert · · Score: 2, Insightful

      Probably not, but reputation must be worth something in criminal enterprises. Giving out a bunch of bogus products kills the word-of-mouth.

      I can't imagine how they could sell those individually to gamers. For them it makes more sense to single out invalid accounts and to sell large blocks to less skilled criminals at a premium. Just like in the normal business world one would pay more than twice for a product which has a 0% failure rate instead of 50%. Of course one could just pretend that all accounts are valid, but word of mouth would be your least problem in that scenario ;)

  2. Damn it. by LupidStupy · · Score: 5, Funny

    Mom!!!! Symantec hacked my server again.

  3. They should post the usernames... by BobMcD · · Score: 4, Interesting

    They could, as a service to the online community, go ahead and post the usernames that are compromised.

    1. Re:They should post the usernames... by JWSmythe · · Score: 4, Interesting

      I used to have a lot of fun with that, when I was the sysadmin for a large site. It seemed every script kiddie wanted the password to it. It showed up regularly on passwordz sites. We had a whole bunch of triggers to detect and resecure accounts. One of the easy and obvious ones was to let them post it, and catch it afterwards (usually within seconds of being posted). The legitimate account holder got a notification that we changed their password to a secure one. Everyone else just sat there and wondered how we'd catch them so fast.

      That trigger was pretty low on the list though. My favorite was to catch 'em scanning for passwords. If they tried say 1000 wrong passwords in a short period, but got one or two right, we'd let them keep scanning for a while, and then block their access to the server. (iptables drop rule). Then the program would figure out which passwords they actually got right, change those, and notify the account holder of their new password. :) It was always fun to see what the delay was between them finding a password, and when it started being used from passwordz sites. In those cases, we always had the account secured before they had time to post it. The typical time from being scanned to being posted was about 12 hours. The typical time for us to reissue the passwords was less than 5 minutes.

      I can't imagine online game places wouldn't have something similar. Brute force attacks are just too easy, and people will always try them. How many different usernames can a person really try before you know that they're just brute force attacking?

      --
      Serious? Seriousness is well above my pay grade.
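
The scan trigger described in the comment above (many wrong passwords from one source in a short period, then reset whatever that source guessed correctly), sketched as an added example; it is not code from the commenter or from any site named in this thread. The event tuple layout, the thresholds, the action labels and all sample addresses and usernames are assumptions constructed for illustration.

```python
from bisect import bisect_left
from collections import defaultdict, deque

def detect_scanners(events, threshold=1000, window=300):
    """events: iterable of (epoch_seconds, source_ip, username, succeeded).
    Returns {source_ip: [accounts to reset]} for every source whose failed
    logins reach `threshold` inside any `window`-second span."""
    recent = defaultdict(deque)     # source -> failure times still in window
    failures = defaultdict(list)    # source -> all failure times (ascending)
    successes = defaultdict(list)   # source -> [(time, username)]
    flagged = set()
    for ts, src, user, ok in sorted(events):
        if ok:
            successes[src].append((ts, user))
            continue
        failures[src].append(ts)
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    result = {}
    for src in flagged:
        fails = failures[src]
        guessed = set()
        for ts, user in successes[src]:
            # Count a success as a guessed password only if the same source
            # also failed a login within `window` seconds of it; an old,
            # unrelated login from that address is left alone.
            i = bisect_left(fails, ts - window)
            if i < len(fails) and fails[i] <= ts + window:
                guessed.add(user)
        result[src] = sorted(guessed)
    return result

def plan_response(result):
    """Turn detections into ordered actions: block the source (the comment
    used an iptables drop rule), then reset and notify each account."""
    actions = []
    for src in sorted(result):
        actions.append(("block_source", src))
        actions.extend(("reset_and_notify", user) for user in result[src])
    return actions

def sample_events():
    """Constructed sample data, not real logs."""
    events = [
        (1000, "198.51.100.20", "alice", False),  # owner mistypes twice...
        (1010, "198.51.100.20", "alice", False),
        (1025, "198.51.100.20", "alice", True),   # ...then logs in
        (100, "203.0.113.7", "dave", True),       # old login, long before scan
    ]
    for i in range(12):                           # burst of wrong guesses
        events.append((90000 + 5 * i, "203.0.113.7", f"user{i:02d}", False))
    events.append((90031, "203.0.113.7", "carol", True))  # hits during scan
    events.append((90047, "203.0.113.7", "erin", True))
    return events

if __name__ == "__main__":
    hits = detect_scanners(sample_events(), threshold=10, window=300)
    for action in plan_response(hits):
        print(action)
```

Because it counts per source address, this trigger is the kind of control that the distributed checking described in the summary is meant to dilute: each bot's share of the failures can stay under the threshold.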
    2. Re:They should post the usernames... by noidentity · · Score: 2, Insightful

      Hopefully they'll try to return all these stolen credentials back to the owners. Returning stolen property can get pretty costly though, with so many different owners. They can't just go destroying them, then the owners would lose them.

    3. Re:They should post the usernames... by Dumnezeu · · Score: 2, Insightful

      What would be the point of publishing a 500 MB (@~11 chars/user) text file? And how would they do that? If anyone gives a shit about their account, they'll just change their password as soon as they hear about this.

      Also, let's do some statistics, shall we? Let's say there are 20 million WoW accounts (pulled the number out of my ass, Wikipedia said 12 million in 2008). There are also 0.2 million stolen WoW accounts. The chance of your account being compromised is 100:1. Pretty high, if you ask me, so just scan your computer online with an antivirus if you don't have one installed, change your password and stop asking for stupid stuff in the name of the community (what community?!?).

      --
      Yes, it's sarcasm. Deal with it!
  4. And if I did this... by FrankSchwab · · Score: 3, Insightful

    OK, so Symantec "recently stumbled upon a server hosting...".

    What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?

    So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?

    And the penalty if I did that is, what, 5 years in federal PMITA prison?

    There is something wrong in this world.

    --
    And the worms ate into his brain.
    1. Re:And if I did this... by BobMcD · · Score: 4, Insightful

      And the penalty if I did that is, what, 5 years in federal PMITA prison?

      There is something wrong in this world.

      You're quite wrong. This is an example of one of the few somethings that is right in this world. Selective enforcement is designed into the system, along with jury nullification, to help the laws achieve ends that keep the public they support happy. Any "completely fair" application of the law would make it unworkable in very short order.

      Could you imagine a robot issuing you indecency citations every time you pass gas in public? Could you imagine a police officer doing the same if you passed gas into a megaphone-amplified-sound-system aimed at, say, an Inaugural speech? Context is key, and thankfully so.

    2. Re:And if I did this... by InsertWittyNameHere · · Score: 3, Funny

      It was probably one (some) of their client's servers that got hacked and used in the collection of the credentials. The client found out that they got hacked and demanded that Symantec explain what happened. Symantec investigated and found out.

      They're not going to say "a server we were protecting with our products got hacked and was used in an operation to steal 44 million credentials..."

    3. Re:And if I did this... by TubeSteak · · Score: 4, Interesting

      OK, so Symantec "recently stumbled upon a server hosting...".

      What, was it placed on their doorstep one night, and they didn't notice it when they went outside to get the morning paper?

      So, they wrote a crawler that intrusively scanned servers that they didn't have permission to access, opening and analyzing files that they didn't have permission to read, then published what they found?

      Symantec and many other companies set up honeypot computers.
      The honeypot gets infected, Symantec pulls apart the trojan and studies its web traffic.
      This usually leads to the dumpsite where the trojan is uploading the data.

      Many botnet/trojan masters don't bother to encrypt their data dumps or secure the server hosting it.
      And even if they did, are they going to sue Symantec for unauthorized access?

      --
      [Fuck Beta]
      o0t!
    4. Re:And if I did this... by Demonantis · · Score: 2, Insightful

      Sounds more like FUD to get people to buy into Symantec so something like this never happens to your computer. Legitimately though they could have looked at the viruses they were finding and traced them back to the server that was commanding the botnet. I would say the numbers are estimates and no actual cracking occurred as there were no specifics on how they found the data, which would be much more interesting. Everyone has heard tonnes about DDOS already and this is just another boilerplate application of the concept. I wouldn't be surprised if this was just a hypothetical situation dreamed up by Symantec.

    5. Re:And if I did this... by girlintraining · · Score: 2, Insightful

      Selective enforcement is what creates tyranny and allows those in authority undue power in determining who's looked after and who isn't.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:And if I did this... by BForrester · · Score: 4, Informative

      RTFA. This is not a case of Symantec hammering through random servers looking for bogeymen.

      The very first sentence of the article states that the server was flagged from a new set of sample data submitted to Symantec. This is likely user data aggregated from Norton's threat detection network.

    7. Re:And if I did this... by KahabutDieDrake · · Score: 3, Insightful

      Neither of the cases you cite are actually illegal. This is a key feature of the law, if something isn't codified as illegal, it's NOT ILLEGAL. The context is effectively null, since the example isn't valid.

      You say that any completely fair application of the law would make it unworkable. That is the biggest pile of bullshit I've seen on /. in a long long time. Believe me, that's saying something. ONLY a completely fair application of the law works. Our founding fathers knew this. Our ancestors knew this. The fact that you don't know this is frightening beyond reason. You didn't say, but you implied that Symantec should have rights and privileges that an ordinary citizen does not. That is the largest perversion of the law that is possible. Companies do not have any trust, they can't be given confidence, because they exist for ONLY one purpose, to make money. You can trust a person, you can't trust a company, and even attempting to do so is foolish (at least) and IMNSHO stupid beyond belief. Our entire foundation of laws is based on the INDIVIDUAL being the top, and everything else coming second. If you now believe that corporations should be on top (they are, but they should not be), well, we've already lost, haven't we?

    8. Re:And if I did this... by idontgno · · Score: 4, Funny

      We don't care about your sick perverted little secret fetishes.

      Oh, "tyranny." Never mind.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    9. Re:And if I did this... by Monkeedude1212 · · Score: 3, Interesting

      You know "IMHO" can sometimes be interpreted as "honest" and not "humble" right?

    10. Re:And if I did this... by BobMcD · · Score: 2, Insightful

      I lol'ed. :P

    11. Re:And if I did this... by BobMcD · · Score: 2, Funny

      Don't let me squash your corporate angst that you're grooving on, but you're entirely off my point, and have gone on to bend it towards one of your own.

      Symantec being 'the machine' is completely irrelevant. We still use them as a tool to keep our computers protected (the effectiveness is debatable, but not the use), and so would definitely allow them more leeway than we would an individual that neither harms nor benefits us.

      Our founding fathers knew this.

      Our founding fathers were, by the strictest application of the law, brazen criminals. Do you think they paid for all that tea before tossing it into the harbor? Do you think they properly rescinded all those treaties broken with the native population? Are you under the assumption that open rebellion was somehow legal? Because if the answer to any of these is 'no' then you ought to be calling for their (historical) prosecution for these crimes.

      Don't dilute the point with your anti-establishment crap. Nobody, and I mean nobody, wants every law enforced for every infraction. That just isn't how the system was set up.

    12. Re:And if I did this... by FrankSchwab · · Score: 2, Interesting

      OK, so a compromised machine was pointing to the server.

      That somehow gives them the right to go rummage through that server uninvited, reading and analyzing what they found and publishing it? Now, I know the vigilante in all of us wants to say "yes", but it's not clear to me that the law permits that kind of activity. And I stand by my statement that, if I did it, I'd end up a very unhappy puppy.

      Let's imagine that I find some Symantec product on my machine that I didn't install, and I find a server address in the code. Does that give me the right to go pillage Symantec's machine and publish information about what I'd found?

      --
      And the worms ate into his brain.
    13. Re:And if I did this... by mcgrew · · Score: 2, Insightful

      Selective enforcement is designed into the system

      [citation needed] Can you cite a single government document that says this? "Selective enforcement" does in fact exist, but it is almost always used unfairly. It's an excuse to target the poor or minorities and let the rich and powerful off the hook.

      Sometimes they have "zero tolerance" policies in place in my city, and they're always in place in the ghetto. This country was NOT started with the concept of "selective enforcement" in mind, it was started with the concept that "all men are created equal" and that all people should be treated equally.

      If I shoot and kill a rapist I should go to prison for murder. Period. No exceptions. They can't enforce all the laws? Well, maybe they should repeal a few of them.

    14. Re:And if I did this... by BobMcD · · Score: 2, Insightful

      "Selective enforcement" does in fact exist, but it is almost always used unfairly.

      Selective enforcement, by definition, is ALWAYS used unfairly. Sort of like how water is wet.

  5. Re:Hey you guys by The MAZZTer · · Score: 2, Funny
  6. Re:Hey you guys by rocket97 · · Score: 2, Funny

    One of my co-workers was giving a presentation once (he is a self proclaimed computer expert in every facet), and he asked us "how do I make this power point presentation full screen?". We replied Alt-F4. He did it and said "hmm that is weird", and restarted power point and pressed Alt-F4 again... after attempting it 5 times he gave up and said "Oh well I guess we will just do the presentation like this".

    --
    "The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
  7. Inflated Numbers Are Misleading by Maarx · · Score: 2, Interesting

    Summary (and article) claims "44 million stolen gaming credentials", which sounds like a lot of us English-speaking and English-game-playing Slashdot readers.

    However, in the article, they analyze "a particular sample", with about ~18.3 million accounts in it. Of those ~18.3 million, ~16 million of them were game accounts for "Wayi Entertainment", which is an Asian company. They have no English website, that I can tell, and I think it's a safe assumption there is no English counterpart to these games.

    So we're mainly talking about accounts for crazy Asian freemium sprite-based "MMO's". There were only ~210,000 World of Warcraft accounts, most of which, I assume, are also for the Chinese version of the game.

    So if you're reading this, I'm going to go out on a limb and say your account is probably safe.

  8. Re:Symantec stumbled by Anachragnome · · Score: 2, Informative

    My WoW account was inactive for a year and a half.

    It was also hacked, months after I canceled my subscription. No idea how.

    So, in short, they sit on the account info and wait until it is inactive. This way they are less likely to be noticed as they link the WoW account to a battle.net account that they control. They also PAY to have the stolen account reactivated and thus raise no flags with Blizzard. It looks like someone simply reactivated the account as far as Blizzard is concerned.

    Once they have the account, and they are pretty sure nobody will be using it anytime soon (except them), they turn your best toon into a miner/herbalist and set it up to bot its way to mountains of ore/herbs. All the resources were simply mailed to another of my toons and auctioned or passed onto yet another toon on another account.

    I chose to reactivate my account while the guy was full-steam-ahead. He had dropped my enchanting on my hunter (already had 375 herbs), paid for the WotLK expansion so he could get both herbalism and mining skills to 450. He didn't touch any of my other toons, except for a level 2 in Stormwind.

    After Blizzard was done restoring my account they left the hunter with 450 Herbalism, reset the enchanting and replaced his items. He also had about 3k in gold more than he did when I canceled.

    The joy was on the level 2. STACKS and STACKS of ore that the hacker mailed to another toon came back in the mail. This worked out great as I wanted to roll a new toon with engineering. All told, I logged back in about 6k richer, more than enough to get back into the swing of things.

    At least that is what happened to my account.

  9. Re:Games and security... by paeanblack · · Score: 2, Insightful

    But it ended up that he eventually figured out that a server admin had poisoned a Web-downloadable .exe map pack file with a trojan that scraped some account info off files while running a keylogger to get anything that the scraper missed. These hackers are usually on top of their game

    That's one step above coldcalling your friend and asking for his credentials. These aren't "hackers" "on top of their game"...your bud is just a complete moron.