I'm wondering if a DNS poisoning or malware using a system they control as a proxy for your FF connections is one possibility. they could then in theory cut off your proxy access and hijack the session as they were already a hop in the communication.
What sticks in my mind are those that DC, but people in game just see the red dot; followed by the run to dbox/jeuno without ever fully disconnecting.
Are we even sure that the people using Firefox + NoScript that were compromised have it configured properly to actually block Flash, FRAMEs, and IFRAMEs (and apply those settings even to trusted sites)? NoScript out of the box won't really cover your ass from the exploits in the past, im sure it wouldn't protect people from the current problems in its default state.
I don't think people are deliberately blowing smoke up our asses, but when a person in one of my social LSs claimed two days ago that they were 'hacked by windower even with a security token' and I ask them if they use IE and frequent FFXI sites and they tell me 'yes' I realize the source of my information isn't exactly the best...
I think we need more detailed information from those infected. What exactly were their Internet browsers, versions, and settings, and exactly which FFXI sites do they frequent. Noone seems to have been able to pin down exactly what this exploit is, or how it is getting loaded into machines (the recent Flash exploit comes to mind), and that bothers me a little.
One does have to look at all possibilities or common traits between the users who have been compromised and to simply dismiss one factor is imo careless. There are windower users on alla but being that talking about it is looked down upon, people do not openly discuss it as prevalently as on a forum where you will not be bashed or locked for it.
Also, if everyone posting on this forum uses it, then perhaps I am not posting because I don't use it.
It's possible people are getting compromised by bad windower versions, but based on the descriptions of what is happening it seems extremely unlikely that windower would be required for this hack to work. I have a feeling that, as usual, the culprit is probably paid ad banners on FFXI and related gaming sites. For all we know this exploit might be targeting more than just FFXI, and it you have any related programs (FFXI, WoW, etc.) your shit gets jacked.
Understood. I am not in any format, trying to say it is windower to blame. I know nothing about how the program works and do not have the technical knowledge to even guess about any program other than by process of elimination.
I am simply stating that I think it is wise to consider every factor in common between the people who have been compromised instead of dismissing something.
tl;dr I am trying to help assemble factors we all can go by to protect ourselves.
that actually makes a lot more sense than what i was postulating, basically the reverse of my thinking.
for those that didn't understand what hanyoko suggested, it essentially means that the RMT alter your computer to log in by bouncing your connection through an RMT's server. then at will, they can cut your connection through their server and take control of your login themselves. you never log off since their server stays on line and assumes control of your current log in, and they are then able to pilfer all your stuff.
this would be brain dead easy to detect though, by simply capturing where the login on an infected machine goes to. if it routes to china, a dynamic ip, or anything that's not owned by SE, we've got a lot of the puzzle pieces put together. if not, well we can take that off the table.
i realize that i'm probably committing heresy by asking, but have any non-windower users been hit? since portions of windower do auto update, a great way to slow us down and distribute the malware wide and far would be to infect say the spellcast update repository. the result of this would be not only installing the malware on a vast number of systems, but also targeting generally higher value accounts (those who know about windower and how to use it tend to be the more hardcore players and not the lvl 25 newbies) as well as stowing it in a resource we're trained to assume is genuine and safe. am i pointing the finger at windower developers? absolutely not. am i trying to incite a panic and get people to stop using windower? no. only mentioning it as a possibility as we attempt to research this phenomenon more. most likely this is not the case as if it were, we'd be hearing a LOT more accounts being jacked, but we can't sweep it off the table either.
I was just reading on Alla, that PS2 and Xbox accounts are getting hacked too.
Shit is scary.
Don't panic.
I asked Aikar earlier for help with this but he is probably very busy with his forum. I don't know if SE is being properly informed about this. Is everyone who is hacked giving a detailed analysis of the problem to GM's and customer service? likely not.
So I figured I should send a notification to SE about the problem but I want it to be concise so that it demonstrates what the actual format is on the majority of the attacks, not a bunch of garble or assumptions.
I have no clue what to tell them as far as technical data so I am trying to encourage people to help me with this or either emailing SE themselves or contributing to a common post where the description of the problem can be defined.
People who are reporting it to get their accounts restored or rolled back, please do what you can to explain to SE if you feel it is not a standard compromised account issue.
I just read an article about this too
Mr. Stewart recently decoded a particularly nasty Trojan that uses a real-time technique called Clampi, which is used to attack people who have access to corporate bank accounts with large balances.
When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.
Then Clampi starts sending a real-time stream of the user’s actions using a modified version of standard instant messaging software. The hackers log into the user’s bank account, quickly copying the one-time password if one is used. They start initiating wire transfers to accomplices (mules is the term of art) who send the funds on to the crooks. Sometimes they have even set up “mules” or fake employees who earn fat salaries by direct deposit.
One victim of Clampi was Slack Auto Parts in Gainesville, Ga., which lost $75,000 to the scam, according to a post in the Washington Post’s Security Fix blog.
Clampi appears to be operated by a single gang, Mr. Stewart said. He infers that the hackers speak Russian because that language is used in the computer code. Other similar Trojans, including ZeuS and Silentbanker, are being sold to many different groups of cybercrooks. (Here is an article from USA Today about the hacker behind ZeuS.)
Does this all mean that all those password gizmos are a waste of money? Not exactly. They still protect against less sophisticated forms of password phishing, not to mention people just looking over your shoulder as you log onto your computer. Moreover, if you can keep your computer clean of malware by avoiding suspicious e-mail attachments and Internet downloads, you are safer.
I have a rock solid solution to screw any RMT that DOES get a hold of your account...AUGMENT ALL YOUR ITEMS. Solved. You're welcome.
Really though we know SE won't do shit and they're content to just collect our 14.95+ a month to put out little bullshit updates about handyman moogles and MORE crystals. FF14??? Yeah right. If their policies for 11 are any hint I think i'll be staying clear of the next one and of SE in general. If FF13 stinks it will be their last game I buy. Everything they put out anymore is garbage.
I came here to share my being hacked experience to prevent other people from getting hacked. But i got flamed by SKYJIE RETICE douchebags.
I was not here to complain or cry. I though this thread was made to find where and how people got hacked and not bash on people that use internet explorer and get hacked.