The sky is falling: player with token hacked? (lolIE)

**Frogger** · 2009-08-24 10:35

Originally Posted by Narse

Did you attempt to log back in from the same PC and were unable to immediately after crashing when you were getting hacked? I imagine, with a token, if your POL just crashes, the best thing to do is to just log on from another computer and change PW, or at least reboot the system you're on first.

Also, has anyone done any rootkit scans yet that has been hacked?

I did 1 attempt to relog on the first hack on the same PC. At the same time I was doing it I was booting up my second PC and logged in there and kicked them. The second time that I was hacked I went straight to my second PC and logged in there but I was not fast enough and was stripped. After the First hack I changed all my PW's mulitiple times on my 2nd PC before attempting to log back in on my main PC. After the second hack I changed PW's 2 times on my 2nd PC and will be calling SE to unlock/rollback my account when they open in 30mins. I have ran 2 different rootkit scans since my first post in this thread and nothing turned up in either scan. I am begining to wonder if this "hack" can be found by any scans of any kind. Before I play again on my main PC I plan on wiping the hard drive and re-installing everything. This may be the only thing so far that can take care of whatever has infected my PC.

**Izzy** · 2009-08-24 10:36

Originally Posted by Therin

You'd think that if someone had the means to use those types of keyloggers, they'd target something with a little more value than an MMORPG. Like a bank account. I wouldn't think we'd have to worry about that, for a while. But I dunno.

Stealing an MMO account is not punishable by law in most (all?) places. If I were a thief, I'd steal something I couldn't possibly get in trouble for if I got caught too!

**Siniroth** · 2009-08-24 10:52

Originally Posted by Izzy

Hahah, of course you're going to get DC'd if your IP changes.

Well that's logical

I meant to point out that you do stay connected for a little before you get kicked off, and the connection lets you actually do stuff before you get kicked off, so in that time it might be too late

**Mafai** · 2009-08-24 10:53

Originally Posted by Frogger

I did 1 attempt to relog on the first hack on the same PC. At the same time I was doing it I was booting up my second PC and logged in there and kicked them. The second time that I was hacked I went straight to my second PC and logged in there but I was not fast enough and was stripped. After the First hack I changed all my PW's mulitiple times on my 2nd PC before attempting to log back in on my main PC. After the second hack I changed PW's 2 times on my 2nd PC and will be calling SE to unlock/rollback my account when they open in 30mins. I have ran 2 different rootkit scans since my first post in this thread and nothing turned up in either scan. I am begining to wonder if this "hack" can be found by any scans of any kind. Before I play again on my main PC I plan on wiping the hard drive and re-installing everything. This may be the only thing so far that can take care of whatever has infected my PC.

post a hijackthis log of that pc.

also you could look at the modules being hooking pol just by going to the login screen and running this (this is how i found smart.dll during the early account stealing days). you do not need to login.

http://lmxvii.net/mafai/showmodules.exe

When at the login screen, open this program, then pick pol.exe in the top box. Down below will load all the modules. Right click and hit select all, then hit save selected this will generate a text file. Post the contents of the file back here.

Back when the hackings first occured, smart.dll looked like this. The bold is what threw a flag to me:

Code:

==================================================
Module Name : smart.dll
Base Address : 0x013C0000
Module Size : 0x0000C000
Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-215
Description : Framebuffer Display Driver
Company : Microsoft Corporation
Product Name : Microsoft? Windows? Operating System
Modified Date : 5/26/2008 11:07:07 AM
File Size : 35,840
Filename : C:\WINDOWS\system32\smart.dll
File Attributes : A
==================================================

**Narse** · 2009-08-24 11:27

Originally Posted by Mafai

post a hijackthis log of that pc.

also you could look at the modules being hooking pol just by going to the login screen and running this (this is how i found smart.dll during the early account stealing days). you do not need to login.

http://lmxvii.net/mafai/showmodules.exe

When at the login screen, open this program, then pick pol.exe in the top box. Down below will load all the modules. Right click and hit select all, then hit save selected this will generate a text file. Post the contents of the file back here.

Back when the hackings first occured, smart.dll looked like this. The bold is what threw a flag to me:

Code:

==================================================
Module Name : smart.dll
Base Address : 0x013C0000
Module Size : 0x0000C000
Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-215
Description : Framebuffer Display Driver
Company : Microsoft Corporation
Product Name : Microsoft? Windows? Operating System
Modified Date : 5/26/2008 11:07:07 AM
File Size : 35,840
Filename : C:\WINDOWS\system32\smart.dll
File Attributes : A
==================================================

My 'hacking' seems to have been a little different than what is generally happening to people right now (my system was knocked offline with a "logged in from another terminal" message, and [perhaps because I didn't notice it for 30minutes + having a token] my account appeared to never have actually been accessed), but I have, as of yet, been unable to determine how anyone could have access to my information (I use FireFox + NoScript, etc). I'll post info on the PC I was at when I was logged on from another terminal, and in a bit the other PCs that I use to play FFXI with as well.

Main PC, running Vista 32 bit OS

CurrProcess info:

Spoiler: show

Post character limit, will have to make a 2nd post to post the rest.

**Narse** · 2009-08-24 11:28

Continued from previous post:

Spoiler: show

HijackThis:

Spoiler: show

**Dimmauk** · 2009-08-24 11:31

Originally Posted by tarumalphius

Just found this linked on slashdot...don't know if it has been mentioned yet but I didn't see it so here ya go:

How Hackers Snatch Real-Time Security ID Numbers - Bits Blog - NYTimes.com

Basically says there are now realtime keyloggers...your token is useless.

So are we at a greater risk using the tokens? Will Hackers be looking for token usage and prey on those people?

**Gulkeeva** · 2009-08-24 11:31

Originally Posted by Jotaru

they'd still get relative motion

I had my password emailed to me in a mumbo jumbo mix of about 500 characters, and would copy+paste just the 6 that were my password into the box. Win.

http://www.neko-sentai.com/images6sr1/1.jpg
http://www.neko-sentai.com/images6sr1/3.jpg
http://www.neko-sentai.com/images6sr1/4.jpg

Programs out there can easily see what you do, they can be set to take "screenshots" of what you do, even video record

**ronin sparthos** · 2009-08-24 11:34

Originally Posted by Spekkio

SE needs to stop thinking of account restoration like they do item restoration: a favor. they're not doing us a favor. they're not being nice. they're doing their JOB to keep us paying them. if i'd lost every sellable item on my account and every gil in my inventory and i couldn't get it restored, i'm done. i have a relic horn, i could continue playing with nothing more than that, but i think i'd feel so sickly violated by both the RMT and SE's inaction that i'd just cut my losses and give up.

players who have been attacked once and had their accounts rolled back should not be forced to live in fear that the next compromise of their account becomes terminal. players who have just been attacked the first time should not have to be concerned if their account will be returned to them or if SE will simply declare without recourse that they didn't feel there was enough evidence and dismiss the player. when SE realizes that they can't blame the victim (no matter how many of the victims carelessly use IE) we'll be in a much better place.

It may be time that SE considers amending the one time restore policy to multiple times depending on situation.

Im sure the counter-argument would be that SE would then have people crying wolf multiple times in an attempt to profit but is that worth leaving your entire playerbase out in the cold?

It isn't like SE treats you well during the entire restore process (calls arent toll-free, you have to sit on hold possibly for hours, restore process could take months etc) but the option to restore (for people that have been restored once before) after something new pops up and ganks some people before preventative measures arise would be a step in the right direction.

The playerbase is now on the forefront of a 4-pronged attack:

-RMT tells offering to sell gil
-RMT ads offering to buy gil
-SE phantom bans
-Phishing /tells

Let's add:
-Smash and grab RMT tactics

I really don't want to see what this holiday season holds in store for the players....what's next?

**jammalamma** · 2009-08-24 12:01

So has there been enough information given by the people claiming to have been hacked so far to find a common link between them all? Can't really blame IE if people are being hit with firefox + noscript. Maybe people are forgetting they visited websites they might have added permissions to. =(

I hate this paranoid feeling of sitting here at school with nothing to do with my modem plugged in at home and a good portion of my LS bank just sitting there waiting to be taken away by god knows what.

I'm still somewhat a skeptic and think this could just be a joke that's gone out of hand, because I simply can not believe SE would not even post that they are investigating the issue. As much as people might like to complain about poor customer service, I can not imagine anybody letting a major security flaw like this go on unanswered.

**Gere** · 2009-08-24 12:05

Originally Posted by Dimmauk

So are we at a greater risk using the tokens? Will Hackers be looking for token usage and prey on those people?

No because the same keylogger will work whether or not you have a token. Plus the token restricts them to only stealing your sellable items and gil rather than your entire account.

Plus if it's real time keylogging, you can prevent a hack by not logging back in after they boot you from ffxi.

**Missnasty** · 2009-08-24 12:07

I would imagine that the paranoid could always just attempt to log in to their accounts twice as a counter measure to this. Once with an incorrect one time password and then with a correct one time password after assuring that their POL doesn't crash.

The technology SE *bought* for their game has been considered good enough for the banking industry for quite some time so badmouthing SE is rather lame. Clearly this type of attack is brand new and aimed specifically at circumventing security token technology.

**Mafai** · 2009-08-24 12:10

Originally Posted by Narse

Continued from previous post:

Spoiler: show

HijackThis:

Spoiler: show

nothing sticks out to me...

**blackmail** · 2009-08-24 12:11

If we say his name three times will he appear?

hmm....

It seems a third possibility for the end of ffxi has arisen.

I certainly hope individuals that are being hacked and have used their "one time rollback/restore" are not considering buying gil in order to repurchase their items. I suppose that would complete the cycle.

**Narse** · 2009-08-24 12:14

Second system, Windows XP 32 bit

CurrProcess:

Spoiler: show

Post character limit, Hijackthis on another post.

**Narse** · 2009-08-24 12:15

Hijackthis:

Spoiler: show

**sixstitches** · 2009-08-24 12:20

Originally Posted by Spekkio

...
i'd feel so sickly violated by both the RMT and SE's inaction that i'd just cut my losses and give up.

players who have been attacked once and had their accounts rolled back should not be forced to live in fear that the next compromise of their account becomes terminal. players who have just been attacked the first time should not have to be concerned if their account will be returned to them or if SE will simply declare without recourse that they didn't feel there was enough evidence and dismiss the player. when SE realizes that they can't blame the victim (no matter how many of the victims carelessly use IE) we'll be in a much better place.

this is where I am now, I live in fear, to the point where am thinking about setting up a computer just to play game only, no browsing or any other activities. Also super paranoid about anytime i feel like the virus is back, if my calc opens a little slower my mind is racing.

But i also think if we are force to live in fear, then really am i really having fun anymore? I pay 30$/month to SE to provide me with entertainment, I hardly slept lastnight anxious about contacting SE monday morning. Currently i am on the path of "i'd feel so sickly violated by both the RMT and SE's inaction that i'd just cut my losses and give up." I am not having fun anymore, y play. I use FF to get away from the RL, now I am right smack back in RL with the same types of worries.

I wonder how they deal with inflation when they restore, they pump more gils into the economy. I blame gil buyers!

Aselin · 2009-08-24 12:20

To the one who posted their HiJack This log, remove this line:
O1 - Hosts: ::1 localhost
O13 - Gopher Prefix:

I haven't found anything else in your post that raises red flags other than that.

Though, I'm still going through it a second time to check.

**Narse** · 2009-08-24 12:26

Originally Posted by Aselin

To the one who posted their HiJack This log, remove this line:
O1 - Hosts: ::1 localhost
O13 - Gopher Prefix:

I haven't found anything else in your post that raises red flags other than that.

Though, I'm still going through it a second time to check.

Removed it. Thanks. I Appreciate the look through.

**Spekkio** · 2009-08-24 12:28

if this is sophisticated enough to hijack a session live (again, i'm guessing not, but that's the only viable method i can think of to explain the partial DC and recover effect that was described above) would it be that much of a surprise to find out that they're using RK style obfuscation techniques to avoid detection? hooking the OS kernel to hide RK processes and files has been around for a decade, but most of the prior attacks appeared to be sloppy hack jobs by an attacker with limited expertise. if instead the RMT hired "professionals" to engineer this attack, it would not surprise me if they added the usual packing/RK tricks to minimize the threat of detection.

as for if session relocation is possible, if the above poster was able to action on their session from a different IP, that tends to indicate that it is possible to pull it off, if you can keep the server from firing a disconnect. if it's just checking for a keepalive from the original IP, either the attacker's software on the victim PC could deliver that or they might even be able to forge the keepalive to keep the session running till they can pilfer the contents of the account. without seeing any kind of connection logs, traffic capture, or anything beyond vague symptoms at this point though, this is all wild speculation.

Thread: The sky is falling: player with token hacked? (lolIE)

Thread Tools

Similar Threads

What in the fuck is going on with Ancient Currency prices?

Ok what the hell is up with Roc?

Oldschool players with JP Accounts & The new Expansion

Latest Threads

Up & Coming Threads

Hottest Threads