New RMT attacks

[Tubbers]

Two of my LS members and good friends had their accounts stolen yesterday at around 5:45 PM EST. However these were not ordinary attacks, they were different.

In about 10 seconds from "Disconnected, this PlayOnline ID was logged in from another Terminal", both of their passwords had been changed. That is impossibly fast for a human to do, so the thieves are using a program to change passwords immediately.

Both of them managed to call GMs from other characters (or have friends do so), and get their accounts locked, but because it was Sunday and they couldn't phone in, the process took too long, somewhere around 45 minutes, so the damage was definitely already dealt.

Today both of them called SE and presented their info only to be told, "The name on the account doesn't match, sorry. There is no way to change the name on the account so it must not be you."

Neither of their accounts were bought, they are the original owners and have been playing for years, their names were definitely on the account prior to the thefts. This means there is a way to change the names on accounts, and now SE is unwilling to return the accounts to them.

Update: PoL Message is unrelated

I'll keep you updated with whatever I find out.

(3:06:23 PM) Caitlyn: ok so SE sucks
(3:06:35 PM) Caitlyn: they refuse to believe that it is possible that this can happen
(3:06:54 PM) Caitlyn: but i took my CC off the account and they told me i might get charged for the server transfer
(3:07:07 PM) Caitlyn: and there is nothing i can do because i can't verify the account
(3:07:12 PM) Caitlyn: wtf is up with that

Cliff Notes:
On Sunday 5:45pm EST 2 people (Servont and Caitlyn) who play on PC in my LS had their accounts stolen. None of their other accounts, or the accounts of anyone who had access to their accounts were compromised. Only these two. Servont and Caitlyn did not have each others info.

Caitlyn and Servont both exchanged ID/PW info via PM on our LS website. This was how the accounts were compromised.

The most important thing to note is that the name on the account was changed after the hacking, making Caitlyn and Servont unable to retrieve ownership.

The main point I am trying to get at here is that there seems to be a method to change the name of the owner of the account, making you unable to get back your account. The PoL message was speculation as it is unknown how the accounts were being compromised, we now know the accounts were compromised via forum PMs, so there is no exploit with PoL Messages to worry about.

[oldoldman]

NONONO WILL NEVER HAPPEN TO ME LALALALA

[The_OG_Nelta]

holy wow, i'm scared.

[fndragon]

But... the blinking... drives us mad...

Was it a POL message or a "new email" message? Does it hurt to open up a POL message in-game?

[Kyten]

Wow, that sucks.

[altwight]

Strange Tubbers, I got an empty POL message yesterday too. Just after X told me they were hacked. I guess if my account gets exploded then we can confirm that's the cause.

[Yvonne]

Strange Tubbers, I got an empty POL message yesterday too. Just after X told me they were hacked. I guess if my account gets exploded then we can confirm that's the cause.

I got one too, but I'm on the PS3. Not sure if that means I'm safe from anything, but I'll keep you guys posted.

[Tarage]

From a programing standpoint, this seems highly improbable.

Are you sure these people weren't doing something else stupid, like, say, using IE?

[Stubwub]

Well, if you get one of these blank messages change your password asap. Then everyone flood SE's phones and demand they look into this bullshit. >_>

[Tubbers]

It was a PoL message, Cait said she got two of them, then poof. I just spoke with the other one (Servont), he said he doesn't remember getting any PoL messages, so I'm really really hoping it was a strange coincidence. The fact that they can change names now is bad enough.

[Starr]

fuck, the Chinese are this smart? :D

[Tubbers]

From a programing standpoint, this seems highly improbable.

Are you sure these people weren't doing something else stupid, like, say, using IE?

Both of then use Firefox + NoScript. Servont has/had the block <IFRAME> checked, Caitlyn did not; however both of them only visited FFXIAH, otherWiki, and our LS (my) website. I've thoroughly checked my website for any invasion, and there's nothing there. Which means It's either FFXIAH, otherWiki (RMT Vandalism?), or a new form of attack.

Also from a programming standpoint it is not that improbable. If there are vulnerabilities in POL (which there most definitely are) they may be able to be exploited like this. It's very unlikely, but it's possible.

[Yvonne]

From a programing standpoint, this seems highly improbable.

Are you sure these people weren't doing something else stupid, like, say, using IE?

Yeah, I can see PC users might be affected by this, but not sure how a blank message would do it. I haven't changed any routines on my PS3 or shared my account info with anyone.

[pugnax179]

need to get the Security Token out already!

[Corrderio]

Do you know who sent the POL messages? Since something just seems off about them getting an invisible message then getting their account hacked. Unless the RMT found a way around the "Lets be friends!" invite message.

[VivixKujata]

Wait so if i'm reading this right, Servont got hacked with little/no evidence of what he did in any case?

Im scared, tell me this isn't true.

[Tubbers]

@ Corr : No, according to Caitlyn it was "completely blank" with nothing in it whatsoever.

[Corrderio]

@ Corr : No, according to Caitlyn it was "completely blank" with nothing in it whatsoever.

So there wasn't even a sender's name... okay now I am scared...

[anjiru]

I'm not sure about any of you, but I don't use my POL Mail for anything, at all. Pretty sure there are much safer/better e-mail services out there. The only crap I get in that box is RMT mail, so I fiddled with those mail filter settings. No more junk mail or blinking in the top right corner cause of their mail. Just take a few minutes to configure your mail filter to prevent getting mail from anyone you do not list (I believe it's called white listing).

Regardless, thanks for the heads up.

[Olo401]

Did they ask SE for the affidavit & provide the original reg codes when they called? From what I understand those are both the easiest way to get their accounts back from RMT shenanigans.