View Full Version : Keep Your Characters Safe!


Gnobrin
03-17-2008, 08:02 PM
<p>Account theft isn't isolated only to those who choose to trade or share their station accounts (which is ignoring the EULA!). As the internet and online gaming population grows, so does the cesspool of scammers. There are a variety of ways in which people will attempt to gain access to your account, and the list grows every day. Fear not, there are simple tips to ensure that your account is protected. Keep in mind these worn-out (but useful!) words of wisdom:</p><b>Sharing your account information is never a good idea.</b><p>Gamers have heard the advice before, yet a lot of people still opt to share their account information with close friends. Having a guildmate complete a quest for you while you're sleeping may seem mostly harmless, but bad things can happen. While it doesn't always end in catastrophe, you could log back in with a new last name like "Lovetrollslongtime" or something slightly worse which might result in a banning. It's not always obvious, malicious attacks that cause good accounts to go bad!</p><p>I'm sure we've all heard the fateful stories of guildbanks emptied and outfit members booted. Sadly, this is often a direct result of sharing account information. Not only do you run the risk of virtual strangers wreaking havoc on all you've worked hard for, but you make it difficult for SOE's customer service staff to investigate and resolve issues.</p><div style="text-align: center;"><img src="http://stationplayers.station.sony.com/images/en/security/foogly.JPG" border="0" alt="" width="317" height="332" /></div><b>Be aware of phishing sites!</b><p>What is a phishing site? Simply, it's usually a website created to mimic a well-known or frequently used site in an attempt to fraudulently gain sensitive account information. Gaming communities have been targeted in the past via email, spamming a link that takes the reader to a site that, upon first glance, appears to be legit. 
The imposter site may offer in-game items for completing surveys, or pose as a game representative, warning that your account is in limbo.</p><p>Here at SOE we do not offer enticing ways to earn in-game money through email. We prefer the old-fashioned way of logging in, killing mobs, completing quests, etc. Be extremely cautious when exposed to external sites through email, claiming to be affiliated with Sony Online. You will only be prompted to enter your password when logging into an SOE game, or when visiting an official Station site.</p><div style="text-align: center;"><img src="http://stationplayers.station.sony.com/images/en/security/foogly2.JPG" border="0" alt="" width="350" height="322" /></div><b>SOE employees will NEVER ask for your password.</b><p><img src="http://eq2players.station.sony.com/content/en/news/icons/sneakpeak.gif" border="0" alt="" width="58" height="49" /> Not in email. Not in-game. Not on the phone. Never! We have ample ways to access your account; the only thing we require from you is patience and a Station name. If you suspect that someone is impersonating a CSR in-game, use the /report feature and again, do not divulge your account password.</p><b>Things you should know:</b><p><img src="http://eq2players.station.sony.com/content/en/news/icons/devchest.gif" border="0" alt="" width="58" height="49" /> Account security is the responsibility of the account owner. This includes password protection, running virus checks, disabling file sharing, or any other means of checking that the owner's account has not been stolen or compromised.</p><p>If you find yourself a victim, not all is lost! CSRs may be able to offer a one-time only "character restoration." But first you must recover your account (details on doing this can be found here). SOE strives to maintain an exciting and safe gaming environment. 
To make things more enjoyable for everyone, we offer basic advice on how to keep your account secure.</p><b>Time Honored Tips:</b><ul><li>Use a unique Station name. </li><li>Use an alpha-numeric password consisting of at least 8 characters; a mix of letters, numbers and special characters is best. Never write down your password! </li><li>Never use the same word for your Station name and password; change it periodically. </li><li>Never trust a troll in a dress. </li><li>Always create a secret question when prompted (this allows for quicker password recovery and confirmation when needed.) </li><li>Keep your registration information, including current email address, up to date so that we can contact you regarding your account and for retrieving lost passwords. (SOE will not use your email for marketing purposes, unless you specifically opt in for newsletters and announcements.) </li></ul><p>Keep your credit card information safe too. Here is a handy place to get some <a rel="nofollow" href="http://www.ckfraud.org/credit_card.html" target="_blank">good tips</a>.</p>

Leeoo
03-18-2008, 12:57 AM
My girlfriend has just had her account robbed - All gear deleted and coin gone. She has never shared account information with anyone. Also password in the Abc_123 format. It seems that we need to remove all personal information from our accounts to be safe, including Names, home address, credit card information. I see this as a huge security issue in the SOE account security department.

Spyderbite
03-18-2008, 01:08 AM
<cite>Evilan@Venekor wrote:</cite><blockquote>My girlfriend has just had her account robbed - All gear deleted and coin gone. She has never shared account information with anyone. </blockquote>There are two sides to every story. 90% of the "My account was hacked" stories always end in "Oops.." Sorry, not to say that your girlfriend isn't that small 10%.. but odds are at some point she compromised her account. Whenever somebody says they were hacked there is usually something more that they aren't sharing. Remember, don't use the same login info on 3rd party sites that you use for your login for your account. That is where most non-authorized access occurs. Hope your girlfriend gets it sorted out, but there are no "super hackers" out there that can just guess logins and passwords without hijacking an email account first. And, if that's the case, then the login and/or password on the email account was compromised, not the station account.

Junaru
03-18-2008, 04:23 PM
<cite>Spyderbite@Venekor wrote:</cite><blockquote><cite>Evilan@Venekor wrote:</cite><blockquote>My girlfriend has just had her account robbed - All gear deleted and coin gone. She has never shared account information with anyone. </blockquote>There are two sides to every story. 90% of the "My account was hacked" stories always end in "Oops.." Sorry, not to say that your girlfriend isn't that small 10%.. but odds are at some point she compromised her account. Whenever somebody says they were hacked there is usually something more that they aren't sharing. Remember, don't use the same login info on 3rd party sites that you use for your login for your account. That is where most non-authorized access occurs. Hope your girlfriend gets it sorted out, but there are no "super hackers" out there that can just guess logins and passwords without hijacking an email account first. And, if that's the case, then the login and/or password on the email account was compromised, not the station account.</blockquote><p>90% huh?</p><p><a href="http://news.yahoo.com/s/infoworld/20080313/tc_infoworld/95949;_ylt=Am_mapSP5LbfyXmlFNbb8T663MMF" target="_blank" rel="nofollow">http://news.yahoo.com/s/infoworld/2...XmlFNbb8T663MMF</a></p>

Jesdyr
03-18-2008, 05:18 PM
<cite>Spyderbite@Venekor wrote:</cite><blockquote><cite>Evilan@Venekor wrote:</cite><blockquote>My girlfriend has just had her account robbed - All gear deleted and coin gone. She has never shared account information with anyone. </blockquote>There are two sides to every story. 90% of the "My account was hacked" stories always end in "Oops.." Sorry, not to say that your girlfriend isn't that small 10%.. but odds are at some point she compromised her account. Whenever somebody says they were hacked there is usually something more that they aren't sharing. Remember, don't use the same login info on 3rd party sites that you use for your login for your account. That is where most non-authorized access occurs.</blockquote>There has been an extremely large increase in compromised accounts. This post tells me it is as bad as it seemed to be. At this point my best guess is actually a problem at SoE that they will never admit to. Most likely having to do with LoN  ... ok that is just because I hate LoN <img src="/smilies/8a80c6485cd926be453217d59a84a888.gif" border="0" alt="SMILEY" />  .. The 3rd party thing is extremely good advice that I hope everyone already knows but I am sure most don't. However some people that have had their accounts compromised were using strong unique passwords so I doubt this was the case.

Harvash
03-19-2008, 02:08 AM
<p>So, proly posting in wrong thread or what not, but my question is this:</p><p> Today, a wife's guildmate went LD...only to log back in a few minutes later (they were in VP).  Only, here's the catch...the PLAYER gets on vent and says, "It isn't me"....That's right, HACKED.  The imposter took one look around at the assembled raid and high tailed it - straight to QH and began selling everything off.</p><p>So, the /petition went out...and the GM responds that there's nothing they can do.  Now, the whole guild is following this guy around watching him slowly get to the point of being naked.  Then, a guildie goes to the house, sure enuff here comes mister jerkface...cleans it out.  Finally, after several trips from bank to vendor...he logs... *whew*</p><p>And logs in his alt, and the process starts over.</p><p>I mean, what the heck....I am sure a GM coulda /boot or /make dead permanently.  But to watch this happen with a whole guild following the guy around...very sad</p><p>I assume after much hand wringing, and apologies that "they will look into the problem" he will get his stuff back...eventually.</p><p>What kind of customer service is this exactly?</p><p>signed, Confused</p>

3C HAVOK
03-19-2008, 02:55 AM
<p>Had this happen to our guild leader tonight, We got lucky in it was a rarely used account that had the password changed first and he got the email for it, He gave his cash on the toon he was playing and the other guild leaders kicked him to prevent the guild bank from being sold off and taken. We watched as each toon got logged in stripped of everything he had and sold. The WW channels all kind of blew up at the same time with this happening and it happened about 5 mins after CS closed for the night so you can't call them and the GMs can't do anything. We all got to stand around and watch this guy clean out the toons and nothing that could be done about it. </p><p>    What bothers me is with the reports of this happening quite often right now, that there was nothing told to the GMs to boot/Kick/Suspend accounts. No network security people around to trace IPs. I'm going to be as blunt as I can here. </p><p>   SOE,</p><p>  Your customers are being targeted, their accounts are being hacked. Where are you? Why do you not have GMs in game on stand by waiting to help. Why is it even after following around these toons and making it obvious that we know that they are hacked accounts they have no fear and continue to do it. They know what time CS closes, They know that people can't get their accounts back. Why are you not protecting your customers!</p>

-Arctura-
03-19-2008, 03:33 AM
(( This is scary. I changed my password the other day too because I was getting worried. I just installed a brand new insanely-powerful firewall, internet security thingy and antivirus, and every single program is on lockdown, every incoming and outgoing connection is monitored and checked. (( just remember, if you are logging into the Station website, it's using your EQ2 information as well, so if your Browser is hijacked, You're screwed. Often the problem originates from your browser.  If you have an old or outdated browser, or use IE, you're a big target. Even the latest updates to IE will still leave you vulnerable. It's scary, I know.

Dreadzwench
03-19-2008, 10:50 AM
<p>Is there any other word from SOE other than Gnobrin's original post?  Are they working on trying to help their customers with this recent spike?  I'm not asking for details of what they are doing, but it would be nice to know that they are at least trying to help people and working on the situation.</p>

Brinelan
03-19-2008, 11:52 AM
<p>I just got to thinking, I wonder if running your browsers in a virtual machine would help...  Microsoft has an MS virtual machine app (forget the name, but it can't be more than a simple search on MS's site away) as a free download that basically creates a machine in a machine.  If that gets compromised, in theory you would just have to delete the virtual machine file and copy in a fresh one.  It also keeps everything separate from your main machine.  </p><p> I will have to check that out.  I have seen several programs like this for Windows, although it is much more common in Linux / Unix setups since it's something that is done for high security setups and has been for quite a while.  </p>

Gnobrin
03-19-2008, 02:12 PM
<p>FYI, this is a big issue, folks...  Here's a couple recent news blurbs about this very thing.</p><p><a href="http://www.abcnews.go.com/Technology/PCWorld/story?id=4441255" rel="nofollow" target="_blank"><b>ABCnews</b></a></p><p><a href="http://news.yahoo.com/s/infoworld/20080313/tc_infoworld/95949;_ylt=Am_mapSP5LbfyXmlFNbb8T663MMF" rel="nofollow" target="_blank"><b>YAHOO</b></a></p><p>This isn't <b>just</b> a simple "keep your info safe", it's a matter of keeping your system safe too.  PLEASE be sure to update everything you run on a regular basis, since this is what some of the more malicious folks use to get the information they need.  It takes only minutes to ensure your system's safe, please take those few moments so that you are.</p><p>~Gnobrin!</p>

DocFlareon
03-19-2008, 02:23 PM
My solution to this problem comes in four steps.<ol><li>Dual boot between Linux and XP</li><li>Use Firefox exclusively in conjunction with a handy extension called NoScript.</li><li>Use XP for gaming only.  All general-purpose web browsing is done in Linux.</li><li>Use unique username/password combinations for each on-line game.</li></ol>A little healthy paranoia has kept my Station account secure every day for the last year. <img src="/eq2/images/smilies/e8a506dc4ad763aca51bec4ca7dc8560.gif" border="0" alt="SMILEY" width="15" height="15" />

Daeva_1
03-19-2008, 03:49 PM
<p>What if SOE hired someone with strong ties to a plat selling service like IGE or something and he secretly obtained everyone's account info so he could have someone log them on, steal all their plats, and then resell the plats on IGE?</p><p>Wow, that would work faster and cheaper than hiring Korean plat farmers at .50 cents an hour.</p><p>But who am I kidding, SOE would NEVER hire anyone from IGE. </p><p>Would they? .......................OH WAIT! THEY DID!</p><p> Of course this is just a conspiracy theory of mine.</p>

Mixem
03-19-2008, 04:00 PM
<cite>Daeva_1 wrote:</cite><blockquote><p>What if SOE hired someone with strong ties to a plat selling service like IGE or something and he secretly obtained everyone's account info so he could have someone log them on, steal all their plats, and then resell the plats on IGE?</p><p>Wow, that would work faster and cheaper than hiring Korean plat farmers at .50 cents an hour.</p><p>But who am I kidding, SOE would NEVER hire anyone from IGE. </p><p>Would they? .......................OH WAIT! THEY DID!</p><p> Of course this is just a conspiracy theory of mine.</p></blockquote>Too funny.  But I do like the conspiracy theory.  None of your platz are safe!!!! /em puts money in a coffee can in Neriak.

Trilarian-2
03-19-2008, 07:28 PM
<cite>Ekaunek@Lucan DLere wrote:</cite><blockquote>My solution to this problem comes in four steps.<ol><li>Dual boot between Linux and XP</li><li>Use Firefox exclusively in conjunction with a handy extension called NoScript.</li><li>Use XP for gaming only.  All general-purpose web browsing is done in Linux.</li><li>Use unique username/password combinations for each on-line game.</li></ol>A little healthy paranoia has kept my Station account secure every day for the last year. <img src="/eq2/images/smilies/e8a506dc4ad763aca51bec4ca7dc8560.gif" border="0" alt="SMILEY" width="15" height="15" /></blockquote>Or just run EQ2 in Linux with Wine... :p <a href="http://appdb.winehq.org/appview.php?iVersionId=358" target="_blank" rel="nofollow">http://appdb.winehq.org/appview.php?iVersionId=358</a> Another suggestion, make a habit of clearing your private data from whichever browser you use.  Firewalls are nice in that you can monitor traffic in and out and block IPs that are suspect, but not ideal for everyone's budget.  Bare min. turn on auto-update on your browser and Windows install, and make sure to never use your login/password from EQ2 for any other application, be it 3rd party or just your Windows login.

Gnobrin
03-19-2008, 08:11 PM
<cite>Daeva_1 wrote:</cite><blockquote><p>What if SOE hired someone with strong ties to a plat selling service like IGE or something and he secretly obtained everyone's account info so he could have someone log them on, steal all their plats, and then resell the plats on IGE?</p><p>Wow, that would work faster and cheaper than hiring Korean plat farmers at .50 cents an hour.</p><p>But who am I kidding, SOE would NEVER hire anyone from IGE. </p><p>Would they? .......................OH WAIT! THEY DID!</p><p> Of course this is just a conspiracy theory of mine.</p></blockquote><p><i>Pth</i>, if this was the issue then all our fellow MMOs across the board wouldn't be having the same issue, it'd just affect us.  This isn't <i><b>JUST</b></i> an SOE issue, it's MANY MMOs.</p><p>As stated on the ABC article: <i>"If the code is successful, it then installs a password-stealing program on the victim's computer that looks for passwords for a number of online games, including the Lord of the Rings Online."</i></p><p>Please all, just make sure you're up to date on your system so you can be ensured that you're safe.</p><p>~Gnobrin!</p>

g0thiC_iCe_cReaM
03-19-2008, 09:00 PM
<p>Here's some information on who is responsible for stealing the passwords:</p><p><a href="http://isc.sans.org/diary.html?storyid=4139" rel="nofollow" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p>

DocFlareon
03-19-2008, 09:23 PM
And here we learn that not only is Internet Explorer garbage, so is IIS.

SG_01
03-19-2008, 09:42 PM
<cite>Ekaunek@Lucan DLere wrote:</cite><blockquote>And here we learn that not only is Internet Explorer garbage, so is IIS.</blockquote>It's actually the application running on IIS which is bad, not IIS itself. Though it appears that a number of web-applications have this problem, not just those running on IIS.

g0thiC_iCe_cReaM
03-19-2008, 09:46 PM
<p>Nah, it's the fault of the administrators that are not proactive about security. Apache has its share of problems as well.</p><p>IIS works fine and is secure enough as long as you are responsible with your servers and proactive about security. Simple tools like <a href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx" rel="nofollow" target="_blank">MBSA</a> and <a href="http://www.microsoft.com/technet/security/tools/locktool.mspx" rel="nofollow" target="_blank">IIS Lockdown tool </a>in addition to <a href="http://www.microsoft.com/technet/security/tools/urlscan.mspx" rel="nofollow" target="_blank">URLScan</a> and a good firewall with updated IDS signatures will keep you pretty good. I've been hosting sites on IIS for 8 years now and not once been compromised. The same can be said about Apache, if you set it up and maintain it correctly you shouldn't have a problem.</p>

-Arctura-
03-19-2008, 11:17 PM
(( Awesomes. My new firewall just detected and removed something called Save Key 6.0 lol. It said it was a High risk item hehe, I'll say! Time to change all my passwords and lock things down even better now! l<img src="/smilies/8a80c6485cd926be453217d59a84a888.gif" border="0" alt="SMILEY" /> (it must have got in last night while I was installing a new firewall service I might have been unprotected ><

Jrral
03-19-2008, 11:45 PM
<cite>Jesdyr@Unrest wrote:</cite><blockquote><cite></cite>The 3rd party thing is extremely good advice that I hope everyone already knows but I am sure most don't. However some people that have had their accounts compromised were using strong unique passwords so I doubt this was the case. </blockquote>Actually it's fairly easy. Set your account up with a strong password. Go to somewhere with free WiFi that doesn't take care of security on their equipment or network. Sit down and log into the forums to check posts. Oops, your password's just been scooped up by the transparent-proxy software one of the bad guys installed on the Windows-based machine the place uses to handle its Internet connection. Or you borrowed a friend's malware-infested computer to check the forums or EQ2Players or something. A few rules:<ul><li>Internet Explorer is pure unadulterated evil and should be avoided like the plague it is. If you have to use it to browse, disable ActiveX, Active Scripting and a bunch of other features and run it in minimum-permissions maximum-paranoia mode.</li><li>Any network you don't control is compromised. Any unencrypted traffic should be assumed to be being monitored by the bad guys. Encrypted traffic is probably being monitored as well. Remember that if the bad guys control the router, they can redirect your Web session to a machine that'll terminate the SSL connection itself and proxy your Web session to your actual destination so you won't realize this is happening unless you check the SSL certificate details.</li><li>Any machine you don't control is infected with every piece of malware known to man. Any passwords you enter on it should be assumed to be being saved and sent to the bad guys.</li><li>All e-mail is carrying malware. Do not view it in any program that'll attempt to interpret the contents as anything other than text to be displayed verbatim. This includes mail from people you know. See prior point about machines you don't control. 
What makes you think that e-mail from their machine, bearing their username, containing an attachment in reply to an e-mail you sent them, came from them and not a piece of malware running on their machine monitoring their inbox and using their e-mail account information?</li></ul>If this sounds paranoid, bear this in mind: "You're not paranoid if they really are out to get you.". Or my usual comment about my system-administration philosophy: "The question isn't whether you're paranoid. It's whether you're paranoid enough.".  I've avoided infection by malware for 25 years. Meanwhile, I see workplaces with anti-virus software on the desktops, in the e-mail system and in the Web proxy/filtering system <i>still</i> seeing Helpdesk come around at least once a week to clean up a machine that's gotten itself infected by something the antivirus didn't catch.

Bakual
03-20-2008, 04:32 AM
<p>Shut down your paranoia about IE and Windows. As said in every article so far: "A properly-patched system should not be at-risk from this attack." Just be sure that you have the Windows update active in automatic mode and you're fine and have a look for updates regularly for the applications you use.</p><p>And of course the regular tips are still valid, don't install software you don't know. Don't surf on porno sites, don't open emails from people you don't know.</p><p>And of course use a firewall/antivirus that is up to date.</p>

Tokam
03-20-2008, 09:16 AM
<cite>Bakual wrote:</cite> <blockquote><p>And of course the regular tips are still valid, Don't surf on porno sites</p></blockquote>[Removed for Content] that.

Wiqayl
03-20-2008, 12:36 PM
<cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE?

Killerbee3000
03-20-2008, 12:53 PM
<cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote>The launcher does use IE and so does the Account management site if you launch it through the launchpad. I'm not saying Gnobrin's tips were bad, but in my opinion they don't go far enough, so here's my list: 10 Step Guide to be safe:<ol><li>Never let anyone irl touch your computer, i.e. don't allow your better half nor your brother, kids or Housemate access to your computer.</li><li>Use different Usernames and Passwords everywhere.</li><li>Type in Links manually or use bookmarks and never click on a link before right clicking and checking what url it leads to.</li><li>Windows, Antivirus and Firewall need to be up to date.</li><li>Never use Outlook or similar stuff, you don't want those spam emails anywhere near your computer, use web based email services only where potentially damaging code stays on the server of someone else.</li><li>Never ever even open an email from someone you don't know, also never click on links in emails.</li><li>Never write down Passwords.</li><li>Never give them to anyone.</li><li>Pick security Questions for Password recovery not even family members or close friends can answer.</li><li>Don't use Internet Explorer, it's the most common browser still, so most malicious code is compatible with it, also, make sure you run tight security settings, disable easy exploitable stuff like ActiveX.</li></ol>
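The link check that Gnobrin's phishing warning and step 3 of Killerbee3000's list both describe, written out as an added example that is not part of any post in this thread. It assumes `station.sony.com` (taken from the image URLs on this page) stands in for the list of official hosts; the function names, the `.example` hosts and the address 203.0.113.5 are constructed for illustration.

```javascript
// Added example (not from the thread): vet a link before typing a password into it.
// ASSUMPTION: "station.sony.com" (seen in image URLs on this page) stands in
// for the real list of official hosts.
const OFFICIAL_SUFFIXES = ["station.sony.com"];

// Lowercase a hostname and drop a trailing dot and a leading "www.".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "").replace(/^www\./, "");
}

// True when host is an official suffix itself or a subdomain of one.
function isOfficialHost(host) {
  return OFFICIAL_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// If the visible link text looks like a URL or bare hostname, return that host.
function hostShownInText(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#]|$)/i.exec(text.trim());
  return m ? normalizeHost(m[1]) : null;
}

// Compare what a link shows with where it really goes.
// Returns { verdict: "official" | "external" | "suspicious", host, reasons }.
function checkLink(visibleText, href) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { verdict: "suspicious", host: null, reasons: ["unparseable-url"] };
  }
  const host = normalizeHost(url.hostname);

  if (url.protocol !== "http:" && url.protocol !== "https:") reasons.push("bad-scheme");
  // In "http://official-name@other-host/" everything before "@" is a username.
  if (url.username || url.password) reasons.push("userinfo-in-url");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) reasons.push("ip-literal-host");
  // Internationalized lookalike names are converted to "xn--" labels by the URL parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) reasons.push("punycode-host");

  // The official name appearing anywhere except the end of the host is a lookalike.
  const official = isOfficialHost(host);
  if (!official && OFFICIAL_SUFFIXES.some((s) => host.includes(s))) reasons.push("official-name-embedded");

  // Link text that displays one host while the href points at another.
  const shown = hostShownInText(visibleText);
  if (shown && shown !== host) reasons.push("text-host-mismatch");

  const verdict = reasons.length ? "suspicious" : official ? "official" : "external";
  return { verdict, host, reasons };
}

// Constructed sample links; the last pair is the shortened link text and full
// href that appear earlier in this thread.
const SAMPLES = [
  ["Station account", "https://stationplayers.station.sony.com/account"],
  ["http://station.sony.com/login", "http://station.sony.com.account-verify.example/login"],
  ["Sony Online Support", "http://station.sony.com@203.0.113.5/"],
  ["http://news.yahoo.com/s/infoworld/2...XmlFNbb8T663MMF",
   "http://news.yahoo.com/s/infoworld/20080313/tc_infoworld/95949;_ylt=Am_mapSP5LbfyXmlFNbb8T663MMF"],
];
for (const [text, href] of SAMPLES) {
  const r = checkLink(text, href);
  console.log(r.verdict.padEnd(10), r.host, r.reasons.join(","));
}
```

A verdict of "external" only means the link is honest about where it goes; a password for the game still belongs only on a host that comes back "official".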

Wiqayl
03-20-2008, 01:05 PM
<cite>Killerbee3000 wrote:</cite><blockquote><cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote>The launcher does use IE and so does the Account management site if you launch it through the launchpad. I'm not saying Gnobrin's tips were bad, but in my opinion they don't go far enough, so here's my list:</blockquote>Well if the launcher uses IE, then there really isn't anything that can be done.  That's too bad.  There will always be a lag between exploit and patch.  As evidenced by the fact that some of this is based off vulnerabilities going back at least two years.  Only a matter of time before it happens again.  Glad I have a mac ;P I don't think Gnobrin's tips address the actual issue, like yours.  Thanks

g0thiC_iCe_cReaM
03-20-2008, 01:07 PM
<cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote><p>Only a portion of the launcher is IE, and that's the part that displays info *AFTER* you log in. The launcher isn't going to compromise you, UNLESS you have a keylogger on your system, then it's not the launcher it's your system. A keylogger runs in the background and records every keypress and mouse click you do and what application it was done in. Then it transmits the data to the site that it was programmed to send your data to.</p><p>Basically for the moment if you block the IP listed in the SANS article your system will not transmit the data if it is infected with the virus. You will still need to confirm that your system is clean if you have doubts.</p><p><a href="http://www.safer-networking.org/en/index.html" rel="nofollow" target="_blank">Spybot Search and Destroy</a>, Norton Antivirus or similar virus software will help you determine if you have an issue. Just be careful when using Spybot to ensure you don't mess up your machine. Always use caution when using programs like Spybot because there is the potential of doing damage if you don't know what you are doing. If you have any questions about Spybot you can post on their forums. The latest versions of Norton also have a spyware/web surfing protection plug in (at least the corporate edition). 
Either way, as long as you have your Windows Update configured to update every day as well as your antivirus software you can avoid things like this.</p><p>IE is fine to use. Firefox has its own security holes as well, no browser is 100% safe. Opera, Safari, Firefox, they all have holes and they all get patches pushed out for them. As long as you are responsible in your surfing you will be ok. IE 7 will warn you when sites try to run active content (ActiveX etc) for the most part. Using high security settings is always recommended for any browser. Using <a href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx" rel="nofollow" target="_blank">MBSA</a> to scan your system for vulnerabilities every once in a while is a good thing as well.</p>

g0thiC_iCe_cReaM
03-20-2008, 01:10 PM
<cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Killerbee3000 wrote:</cite><blockquote><cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote>The launcher does use IE and so does the Account management site if you launch it through the launchpad. I'm not saying Gnobrin's tips were bad, but in my opinion they don't go far enough, so here's my list:</blockquote>Well if the launcher uses IE, then there really isn't anything that can be done.  That's too bad.  There will always be a lag between exploit and patch.  As evidenced by the fact that some of this is based off vulnerabilities going back at least two years.  Only a matter of time before it happens again.  Glad I have a mac ;P I don't think Gnobrin's tips address the actual issue, like yours.  Thanks</blockquote>Believe it or not Macs get viruses too <img src="/smilies/69934afc394145350659cd7add244ca9.gif" border="0" alt="SMILEY" />

Wiqayl
03-20-2008, 01:55 PM
<cite>Garthan@Kithicor wrote:</cite><blockquote><cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Killerbee3000 wrote:</cite><blockquote><cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote>The launcher does use IE and so does the Account management site if you launch it through the launchpad. I'm not saying Gnobrin's tips were bad, but in my opinion they don't go far enough, so here's my list:</blockquote>Well if the launcher uses IE, then there really isn't anything that can be done.  That's too bad.  There will always be a lag between exploit and patch.  As evidenced by the fact that some of this is based off vulnerabilities going back at least two years.  Only a matter of time before it happens again.  Glad I have a Mac ;P I don't think Gnobrin's tips address the actual issue, like yours.  Thanks</blockquote>Believe it or not Macs get viruses too <img src="/eq2/images/smilies/69934afc394145350659cd7add244ca9.gif" border="0" alt="SMILEY" /></blockquote>There is a link in the diary: <a href="http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313" target="_blank" rel="nofollow">http://www.shadowserver.org/wiki/pm...lendar.20080313</a> That explains how the keylogger actually works.  This 'keylogger' does not record all of your keystrokes.  Only things from IE.  Which was what prompted my question.  If the password field in the launcher is sent through IE.... 
well it's not really my problem, I was just curious.  In fairness computers don't get viruses, users do <img src="/smilies/8a80c6485cd926be453217d59a84a888.gif" border="0" alt="SMILEY" />

g0thiC_iCe_cReaM
03-20-2008, 04:26 PM
<p>McAfee has a write up on it as well:</p><p><b><hr />Another Mass Attack Underway</b></p> <p>Wednesday March 12, 2008 at 4:35 pm CST Posted by <b>Craig Schmugar</b></p><p>On the heels of recent <a href="http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html" rel="nofollow" target="_blank">iframe attacks</a>, we're currently tracking another mass compromise. This attack involves injection of script into valid web page to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:</p><ul><li>MS06-014 </li><li>RealPlayer (ActiveX Control) </li><li>Baofeng Storm (ActiveX Control) </li><li>Xunlei Thunder DapPlayer (ActiveX Control) </li><li>Ourgame GLWorld GlobalLink Chat (ActiveX Control) </li></ul><p>This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers.</p><p>Preliminary research results suggest more than 10,000 pages were affected by this hack attack.</p><p><a href="http://www.avertlabs.com/research/blog/index.php/2008/03/12/another-mass-attack-underway/" rel="nofollow" target="_blank">http://www.avertlabs.com/research/b...ttack-underway/</a></p><hr />
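The write-up quoted above describes script references injected into otherwise valid pages, sometimes inside the TITLE. As an added example (not part of the post or of the McAfee write-up), here is a site owner's check in Python that lists every script or iframe source pointing at a host outside an allowlist, records whether it sits in the title, head or body, and reports hosts that recur across pages. The sample pages, the host names (forum.example, static.forum.example, injected.example, frames.example) and all function names are constructed for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "tag host section")

# <script src=...> / <iframe src=...>, quoted or unquoted, any letter case.
# The lookbehind keeps attributes such as data-src from matching.
LOADER_RE = re.compile(
    r"""<(script|iframe)\b[^>]*?(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.IGNORECASE | re.DOTALL)
BODY_RE = re.compile(r"<body\b", re.IGNORECASE)

# Constructed sample pages: one clean, one with a reference injected into the
# TITLE, one with references injected into the BODY.
SAMPLE_PAGES = {
    "clean.html": """<html><head><title>Guild roster</title>
<script src="/js/site.js"></script>
<script src="https://static.forum.example/lib.js"></script></head>
<body><p>Hello</p></body></html>""",
    "title_injected.html": """<html><head>
<title>Guild roster<script src=http://injected.example/m.js></script></title></head>
<body><p>Hello</p></body></html>""",
    "body_injected.html": """<html><head><title>News</title></head>
<body><p>Patch notes<SCRIPT SRC='//injected.example/m.js'></SCRIPT></p>
<iframe src="http://frames.example/x.htm" width=0 height=0></iframe></body></html>""",
}


def remote_host(src):
    """Host named by an absolute or protocol-relative URL, else None."""
    try:
        host = urlsplit(src.strip()).hostname
    except ValueError:          # malformed URL: nothing to attribute
        return None
    return host.lower() if host else None


def scan_page(html, page_host, allowed_hosts=()):
    """Return a Finding for every script/iframe src on a host we do not trust."""
    trusted = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    title_spans = [m.span(1) for m in TITLE_RE.finditer(html)]
    body = BODY_RE.search(html)
    body_start = body.start() if body else len(html)

    findings = []
    for m in LOADER_RE.finditer(html):
        src = m.group(2) or m.group(3) or m.group(4) or ""
        host = remote_host(src)
        if host is None or host in trusted:
            continue            # relative path, or a host on the allowlist
        pos = m.start()
        if any(start <= pos < end for start, end in title_spans):
            section = "title"   # markup has no business inside title text
        elif pos >= body_start:
            section = "body"
        else:
            section = "head"
        findings.append(Finding(m.group(1).lower(), host, section))
    return findings


def audit_site(pages, page_host, allowed_hosts=()):
    """Map page name -> findings, keeping only pages with at least one."""
    report = {}
    for name, html in pages.items():
        hits = scan_page(html, page_host, allowed_hosts)
        if hits:
            report[name] = hits
    return report


def repeated_hosts(report, min_pages=2):
    """Unlisted hosts seen on several pages: the signature of a mass injection."""
    pages_per_host = {}
    for name, hits in report.items():
        for hit in hits:
            pages_per_host.setdefault(hit.host, set()).add(name)
    return sorted(h for h, pages in pages_per_host.items() if len(pages) >= min_pages)


if __name__ == "__main__":
    report = audit_site(SAMPLE_PAGES, "forum.example", ["static.forum.example"])
    for page, hits in sorted(report.items()):
        for hit in hits:
            print(f"{page}: <{hit.tag}> from {hit.host} in {hit.section}")
    print("hosts on multiple pages:", repeated_hosts(report))
```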

Yimway
03-20-2008, 04:58 PM
This attack installs a keylogger that collects user/pass information. The keylogger is installed via either an IE exploit that's been patched, or via numerous ActiveX control hacks.  The key here is people with fully patched IE, and good virus detection software have been exploited by this hack because they failed to update something like RealPlayer that they may have forgotten they even ever installed on their PC.  But because an older version is latent and available to be called by this attack, their systems are compromised. I'm curious just how many EQ2 accounts have been hit by this.  I personally know of over 50, and that's just people I know.

Geothe
03-20-2008, 05:03 PM
<p>Watched a guildie last night get booted out of game, while then someone else pops on his characters one-by-one zoning them into the city and selling everything on them.</p><p>Of course it was after Sony service hours, so phone calls only got a machine and /petitions got zero response.</p>

Yimway
03-20-2008, 05:06 PM
The simplest and fastest protection from this is to go into your firewall and block all connections to 61.188.39.175 and 2117966.net. This will protect you from this current version of the attack; however, you really must secure all your software to protect yourself from future versions.

Hoppit
03-20-2008, 07:02 PM
<cite>Atan@Unrest wrote:</cite><blockquote>The simplest and fastest protection from this is to go into your firewall and block all connections to 61.188.39.175 and 2117966.net. This will protect you from this current version of the attack; however, you really must secure all your software to protect yourself from future versions.</blockquote><p>Good tip. Another good way to protect yourself from these kinds of attacks is to get a solid hardware firewall and use NAT (network address translation). What this does is that any attacks go directly at your NAT hardware (typically a router of some kind) and never even get to your actual computer, and simply don't find the requisite software to propagate themselves.</p><p>Another thing to keep in mind is that if you have software that opens ports on your computer, you need to watch those ports carefully or simply shut off the software and fully uninstall them following steps on the company's website (many programs that open ports such as mediasharing software remain operational until you follow all of the uninstallation steps).</p>

Trilarian-2
03-20-2008, 07:54 PM
For any of you that are interested, here is a list of offending IPs for March of my firewall that made some form of an attempt to connect to my network unauthorized.  With so many attempts per month, even with an ongoing block all list... I don't see how anyone can remotely feel safe with out a firewall.

StormCinder
03-20-2008, 08:24 PM
<cite>Garthan@Kithicor wrote:</cite><blockquote><cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote><p>Only a portion of the launcher is IE, and that's the part that displays info *AFTER* you log in. The launcher isn't going to compromise you, UNLESS you have a keylogger on your system, then it's not the launcher it's your system. A keylogger runs in the background and records every keypress and mouse click you do and what application it was done in. Then it transmits the data to the site that it was programmed to send your data to.</p><p>Basically for the moment if you block the IP listed in the SANS article your system will not transmit the data if it is infected with the virus. You will still need to confirm that your system is clean if you have doubts.</p><p><a rel="nofollow" href="http://www.safer-networking.org/en/index.html" target="_blank">Spybot Search and Destroy</a>, Norton Antivirus or similar virus software will help you determine if you have an issue. Just be careful when using Spybot to ensure you don't mess up your machine. Always use caution when using programs like Spybot because there is the potential of doing damage if you don't know what you are doing. If you have any questions about Spybot you can post on their forums. The latest versions of Norton also have a spyware/web surfing protection plug in (at least the corporate edition). 
Either way, as long as you have your Windows Update configured to update every day as well as your antivirus software you can avoid things like this.</p><p>IE is fine to use. Firefox has its own security holes as well, no browser is 100% safe. Opera, Safari, Firefox, they all have holes and they all get patches pushed out for them. As long as you are responsible in your surfing you will be ok. IE 7 will warn you when sites try to run active content (ActiveX etc) for the most part. Using high security settings is always recommended for any browser. Using <a rel="nofollow" href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx" target="_blank">MSBSA</a> to scan your system for vulnerabilities every once in a while is a good thing as well.</p></blockquote><p>I'd be less worried about the launcher, and more worried about these forums (which require your account username/password to login).  Nobody from SOE has commented on whether any of their sites were one of the 10,000 compromised.</p><p>SC</p>

StormCinder
03-20-2008, 08:25 PM
<cite>Trilarian-2 wrote:</cite><blockquote>For any of you that are interested, here is a list of offending IPs for March of my firewall that made some form of an attempt to connect to my network unauthorized.  With so many attempts per month, even with an ongoing block all list... I don't see how anyone can remotely feel safe with out a firewall.ALL: 58.242.42.214ALL: 203.156.140.73ALL: 12.218.49.16ALL: 212.203.9.64ALL: 220.113.9.100ALL: 59.77.6.106ALL: 72.44.51.116ALL: 201.88.73.66ALL: 213.136.105.104ALL: 122.153.194.10ALL: 210.101.218.67ALL: 74.94.201.22ALL: 219.94.174.31ALL: 211.239.154.63ALL: 211.21.112.65ALL: 194.117.255.205ALL: 74.52.15.114ALL: 61.181.240.247ALL: 61.172.200.171ALL: 61.219.147.75ALL: 200.57.71.165ALL: 218.159.92.34ALL: 87.197.110.47ALL: 61.255.238.108ALL: 218.26.15.221ALL: 72.54.182.69ALL: 222.90.234.68ALL: 221.151.163.52ALL: 124.207.193.17ALL: 62.166.206.29ALL: 211.160.161.146ALL: 195.86.244.189ALL: 124.228.10.20ALL: 83.242.78.3ALL: 90.184.5.63<span style="color: #ff0000;">ALL: 61.188.39.175</span>ALL: 62.175.237.224ALL: 193.85.144.29ALL: 123.30.105.139ALL: 59.151.33.150ALL: 218.93.143.5ALL: 80.38.55.47ALL: 123.200.65.4ALL: 210.205.231.78ALL: 85.234.147.240ALL: 58.53.194.72ALL: 81.201.103.117ALL: 86.64.111.122ALL: 211.233.13.137ALL: 121.240.110.2ALL: 213.232.93.96ALL: 59.106.22.173ALL: 202.79.217.187ALL: 201.20.202.66ALL: 222.184.250.36ALL: 202.130.109.230ALL: 24.123.108.102ALL: 210.14.17.115ALL: 211.63.6.202ALL: 64.72.125.6ALL: 84.16.248.21ALL: 59.125.98.91ALL: 140.113.215.106ALL: 212.64.73.25</blockquote>did you notice?

evhallion
03-20-2008, 09:15 PM
<p>Your browser isn't the only thing you should worry about. How would you like to buy a new item like a flash drive or digital picture frame from a store, take it out of the ever hard to open shrink wrap, plug it in and instantly infect your system?</p><p><a rel="nofollow" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target="_blank">http://www.sfgate.com/cgi-bin/artic...5/BU47V0VOH.DTL</a></p><p><b>Virus from China the gift that keeps on giving</b></p><p>Deborah Gage, Chronicle Staff Writer</p><p>Friday, February 15, 2008</p><p>An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that <b>collects passwords for online games</b> - and its designers might have larger targets in mind. </p><p>"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse. </p><p>The virus, which Computer Associates calls Mocmex, recognizes and blocks antivirus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. It downloads files from remote locations and hides files, which it names randomly, on any PC it infects, making itself very difficult to remove. It spreads by hiding itself on photo frames and any other portable storage device that happens to be plugged into an infected PC. </p><p>The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.</p><p>By studying how the code is constructed and how it's propagated, Computer Associates has traced the Trojan to a specific group in China, Grayek said. 
He would not name the group.</p><p>The strength of the malware shows how skilled hackers have become and how serious they are about targeting digital devices, which provide a new frontier for stealing information from vast numbers of unwary PC owners. More than 2.26 million digital frames were sold in 2007, according to the Consumer Electronics Association, and it expects sales to grow to 3.26 million in 2008. </p><p>The new Trojan also has been spotted in Singapore and the Russian Federation and has 67,500 variants, according to Prevx, a security vendor headquartered in England.</p><p>Grayek said Mocmex might be a test for some bigger attack, because it's designed to capture any personal, private or financial information, yet so far it's only stealing passwords for online games. </p><p>"If I send you a package but it doesn't explode, why did I send it?" he said. "Maybe I want to see if I can get it out to you and how you open it."</p><p>The initial reports of infected frames came from people who had bought them over the holidays from Sam's Club and Best Buy. New reports involve frames sold at Target and Costco, according to SANS, a group of security researchers in Bethesda, Md., who began asking for accounts of infected devices on Christmas Day. So far the group has collected more than a dozen complaints from people across the country. </p><p>The new Trojan isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets - networks of infected PCs that are remotely controlled by hackers. </p><p>There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers Internet Protocol addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses. 
</p><p>Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does. </p><p>How all this malware got onto the photo frames and what it's doing there is unclear. Trojans can download other Trojans, which is part of how botnets are controlled. </p><p>While SANS is investigating the infections, the retailers are saying little. </p><p>Sam's Club said it has found no infected frames, and its distributor, Advanced Design Systems, did not return calls seeking comment.</p><p>A few Target customers complained about frames distributed by Uniek, a store spokesman confirmed. Target is no longer selling those frames, but that's because the frames didn't sell well over the holidays, he said. Target has found no infections, he said, but is watching for them. </p><p>Best Buy said one line of its Insignia frames - also now discontinued - was infected during manufacturing but would not provide details.</p><p>Costco did not return calls seeking comment. </p><p><b>How to avoid problems </b></p><p>Protecting against these new computer viruses, which so far are aimed at PCs running Windows, is hard - and sometimes impossible.</p><p>Updated antivirus software works unless the malware writers get ahead of the antivirus vendors, which is what happened with the new Trojan. Computer Associates, for example, just began protecting against it last week.</p><p>While some advise disabling Autorun in Windows, which allows devices to run automatically when they're plugged into a USB port, it's not a failsafe. Doing so requires some computer expertise, and this Trojan re-enables Autorun if it's turned off, according to Brian Grayek of Computer Associates. 
"If you plug in (the frame), you're already infected," he said.</p><p>Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.</p><p>She also recommended backing up data with an online service such as Mozy.com that offers free backup for home users with less than 2 gigabytes of data. But it does not back up the operating system, she warned. If you're attacked and your PC fails, you'll have to reformat and reload all of the programs.</p><p>If you think you bought an infected device, call your retailer.</p><p>-- Best Buy: (877) 467-4289 </p><p>-- Sam's Club: (888) 746-7726 </p><p>-- Target: (800) 591-3869 </p><p>-- Costco: (800) 955-2292 </p><p><i>E-mail Deborah Gage at <a rel="nofollow" href="mailto:[email protected]" target="_blank">[email protected]</a>.</i> </p><p>This article appeared on page <b>C - 1</b> of the San Francisco Chronicle</p>

Jrral
03-21-2008, 12:09 AM
<cite>Sarafan@The Bazaar wrote:</cite><blockquote><p>Your browser isn't the only thing you should worry about. How would you like to buy a new item like a flash drive or digital picture frame from a store, take it out of the ever hard to open shrink wrap, plug it in and instantly infect your system?</p><p><a rel="nofollow" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target="_blank">http://www.sfgate.com/cgi-bin/artic...5/BU47V0VOH.DTL</a></p><p><b>Virus from China the gift that keeps on giving</b></p></blockquote>Note about this: it depends on the Autorun/Autoplay feature in Windows. In XP you can control part of this by right-clicking on a removable-media drive icon in My Computer, selecting Properties from the menu, going to the Autoplay tab and setting the action for the various media types to open the folder in Windows Explorer. When you double-click on the drive icon after that, rather than trying to run a program to play that type of content it'll open up a file window. That's the Autoplay part. For Autorun, off your Start menu pick Run... and type "gpedit.msc" (without the quotes) and hit Enter. Under Local Computer Policy | Computer Configuration | Administrative Templates | System, down near the bottom, you'll find an item called "Turn off Autoplay". Double-click on it to open its dialog. It'll normally be set to "Not Configured". Set it to "Enabled", and select "All drives" from the pull-down menu, then OK the dialog. Now for all drives when you insert media XP will <i>not</i> auto-run any programs if the media has autorun information on it. This prevents the flash drives in those infected devices from auto-running the infection program. You can then open them as ordinary drives and see what's there, and delete what you don't need/want.

evhallion
03-21-2008, 12:42 AM
<cite>Jrral@Unrest wrote:</cite><blockquote><cite>Sarafan@The Bazaar wrote:</cite><blockquote><p>Your browser isn't the only thing you should worry about. How would you like to buy a new item like a flash drive or digital picture frame from a store, take it out of the ever hard to open shrink wrap, plug it in and instantly infect your system?</p><p><a rel="nofollow" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target="_blank">http://www.sfgate.com/cgi-bin/artic...5/BU47V0VOH.DTL</a></p><p><b>Virus from China the gift that keeps on giving</b></p></blockquote>Note about this: it depends on the Autorun/Autoplay feature in Windows. In XP you can control part of this by right-clicking on a removable-media drive icon in My Computer, selecting Properties from the menu, going to the Autoplay tab and setting the action for the various media types to open the folder in Windows Explorer. When you double-click on the drive icon after that, rather than trying to run a program to play that type of content it'll open up a file window. That's the Autoplay part. For Autorun, off your Start menu pick Run... and type "gpedit.msc" (without the quotes) and hit Enter. Under Local Computer Policy | Computer Configuration | Administrative Templates | System, down near the bottom, you'll find an item called "Turn off Autoplay". Double-click on it to open its dialog. It'll normally be set to "Not Configured". Set it to "Enabled", and select "All drives" from the pull-down menu, then OK the dialog. Now for all drives when you insert media XP will <i>not</i> auto-run any programs if the media has autorun information on it. This prevents the flash drives in those infected devices from auto-running the infection program. 
You can then open them as ordinary drives and see what's there, and delete what you don't need/want.</blockquote><p>Guess you missed this part:</p><p>While some advise disabling Autorun in Windows, which allows devices to run automatically when they're plugged into a USB port, it's not a failsafe. Doing so requires some computer expertise,<b><u> and this Trojan re-enables Autorun if it's turned off</u></b>, according to Brian Grayek of Computer Associates. "If you plug in (the frame), you're already infected," he said.</p>

MysticTrunks01
03-21-2008, 10:05 AM
China is not our friend. That is all.

Laenai
03-21-2008, 09:25 PM
...For the computer illiterate (ie those of us who know enough to turn it on, play our games, and surf the web) this thread makes me want to run around in circles and scream "DOOM!" So please for the love of God someone translate it into "Dumb Blonde" so I can understand what's going on, how to protect my machine, and what to do in case of a hacked account without any confusing jargon that can be passed on to my guildmates...please <img src="/smilies/3b63d1616c5dfcf29f8a7a031aaa7cad.gif" border="0" alt="SMILEY" />

R/T93
03-22-2008, 06:09 AM
<p>I got hacked Tuesday evening.   Sent in my petition the next morning (took the day off even to take care of this)</p><p>Sony hooked me up with a changed password for the two accounts, that only took about a half hour.  I sent in the petition 15 minutes later. </p><p>I STILL HAVE NOT RECEIVED ANY NOTICE ON STATUS.  A regular GM "ESCALATED" it to the "Senior GM's"   </p><p>For 3 days I have updated my petitions saying when I would be online to fix the problem (a 6 hour window).  Still no help to get the account rollback started.  </p><p>If you could respond with a one sentence answer, "We are incredibly busy with hundreds of petitions just like yours" I would be fine, but it seems you are just ignoring me.</p><p>Oh yea, this happened, to probably dozens of people across all servers this week, AND SONY TAKES FRIDAY OFF    Way to support the people who pay you.</p>

Lanikka
03-22-2008, 09:31 AM
I've been robbed clean. Petitioned. No SOE response. Thanks guys. I was up all night updating and blocking. I guess it's a good thing that I was shocked into taking more precautions. Still, I would like some more response.

SG_01
03-22-2008, 10:49 AM
<cite>StormCinder wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><cite>Vrelkyn@Venekor wrote:</cite><blockquote><cite>Garthan@Kithicor wrote:</cite><blockquote><p>Here's some information on who is responsible for stealing the passwords:</p><p><a rel="nofollow" href="http://isc.sans.org/diary.html?storyid=4139" target="_blank">http://isc.sans.org/diary.html?storyid=4139</a></p><p>It covers how to protect yourself, your servers and how it was exploited. Good read...</p></blockquote>Hey guys, if this thing only pulls passwords from IE post requests, it can't be getting passwords from launching EQ?  Or does the launcher use IE? </blockquote><p>Only a portion of the launcher is IE, and that's the part that displays info *AFTER* you log in. The launcher isn't going to compromise you, UNLESS you have a keylogger on your system, then it's not the launcher it's your system. A keylogger runs in the background and records every keypress and mouse click you do and what application it was done in. Then it transmits the data to the site that it was programmed to send your data to.</p><p>Basically for the moment if you block the IP listed in the SANS article your system will not transmit the data if it is infected with the virus. You will still need to confirm that your system is clean if you have doubts.</p><p><a rel="nofollow" href="http://www.safer-networking.org/en/index.html" target="_blank">Spybot Search and Destroy</a>, Norton Antivirus or similar virus software will help you determine if you have an issue. Just be careful when using Spybot to ensure you don't mess up your machine. Always use caution when using programs like Spybot because there is the potential of doing damage if you don't know what you are doing. If you have any questions about Spybot you can post on their forums. The latest versions of Norton also have a spyware/web surfing protection plug in (at least the corporate edition). 
Either way, as long as you have your Windows Update configured to update every day as well as your antivirus software you can avoid things like this.</p><p>IE is fine to use. Firefox has its own security holes as well, no browser is 100% safe. Opera, Safari, Firefox, they all have holes and they all get patches pushed out for them. As long as you are responsible in your surfing you will be ok. IE 7 will warn you when sites try to run active content (ActiveX etc) for the most part. Using high security settings is always recommended for any browser. Using <a rel="nofollow" href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx" target="_blank">MSBSA</a> to scan your system for vulnerabilities every once in a while is a good thing as well.</p></blockquote><p>I'd be less worried about the launcher, and more worried about these forums (which require your account username/password to login).  Nobody from SOE has commented on whether any of their sites were one of the 10,000 compromised.</p><p>SC</p></blockquote>This attack relies on a certain combination of software that is not used on any of the SOE servers. SOE runs software that cannot run on IIS, as such their sites are not among the ones infected. However I can't say anything about the ads that are displayed on some of the pages.

-Arctura-
03-22-2008, 02:41 PM
(( The reason you don't get instant response is this: What is stopping unscrupulous fakers from selling all of their stuff, giving the cash to Johnny the Guildmate, then claiming "oh oh, someone hacked my account!" Then after their stuff is reinstated, Johnny gives back the money...(eh? They need to look into your character logs and see what really went on before they can take action. If known bot recipients get the money, they can act immediately, but if there is investigation required, expect to wait a while.)

Lanikka
03-22-2008, 02:57 PM
<cite>-Arctura- wrote:</cite><blockquote>(( The reason you don't get instant response is this: What is stopping unscrupulous fakers from selling all of their stuff, giving the cash to Johnny the Guildmate, then claiming "oh oh, someone hacked my account!" Then after their stuff is reinstated, Johnny gives back the money...(eh? They need to look into your character logs and see what really went on before they can take action. If known bot recipients get the money, they can act immediately, but if there is investigation required, expect to wait a while.)</blockquote>Well then it should be resolved soon, I wasn't even in the country the entire week it happened. I hope /crosses fingers <img src="/smilies/3b63d1616c5dfcf29f8a7a031aaa7cad.gif" border="0" alt="SMILEY" />

g0thiC_iCe_cReaM
03-22-2008, 03:15 PM
<p>SOE's websites are safe to browse.</p><p>Spybot has a thread going that is tracking this attack with a lot of useful info on who what and where:</p><p><a href="http://forums.spybot.info/showthread.php?t=25519" rel="nofollow" target="_blank">http://forums.spybot.info/showthread.php?t=25519</a></p>

JWinnard
03-22-2008, 04:48 PM
<p>My account was just hacked, All my gear from the last 4 years that was sellable completely gone! The only thing I can look back on and say "I should have done" that might have prevented this was ...last week I got an email from SoE that stated, here is your username request.  I looked at the email and sure enough all my usernames were listed.  However I did not send any requests. The email went on to say if I was not the one that requested this information disregard this email.  I figured it's no big deal since the email went to my email address and I am fairly certain my systems are not compromised.  Well, in hindsight I should have called SoE and let them know I received that email.  </p><p>Because as of last night 03/21/08 I logged out of Eq2 around 7:45 and 8pm pst..logged back into Eq2 03/22/08 11:45am pst and instead of being in KoS I was standing in big bend Naked, Homeless and penniless. I immediately checked all my other characters and of course every single one that had anything sellable was the same way Naked, homeless and penniless.  So I logged into my second account ...yes I dual box from time to time and my son plays this game also.  Guess what, that account is stripped clean also.  My second account was not a major concern for me since most of those characters are new and it is mainly for my son to play on. But my main account !!! Now that hurts, 4 Years down the drain and now I am rendered useless, there is no real way for me to recover after a loss like that as there are no mobs I can fight naked that will yield me any gear to get back on track. Even worse thing is that I am prepaid for a frigging year, and even if I were to bounce back and spend another year trying to re-attain some semblance of my former glory it might just happen again !!!</p>

Lanikka
03-22-2008, 04:51 PM
<span>This is ridiculous</span>

JWinnard
03-22-2008, 05:10 PM
<p>What ticks me off the most is that I run a multitude of antivirus and antispyware programs.  I run Symantec antivirus corporate (memory resident) and scan every night, The shield 2008 (non-memory-resident to avoid conflicts with Symantec) and scan using it once a day manually, I run spybot 1.5.2, AVG Anti-spyware 7.5, Comodo Boclean 4.25, Uniblue spyware eraser. All of which I run every day or night. Some at night when I leave my store and some at startup when I open my store.  FYI only computer I play games from is my store computer and I am the owner operator no employees.  Anyway none of these programs are catching any irregularities on my systems.</p> 

Armawk
03-22-2008, 05:21 PM
<cite>JWinnard wrote:</cite><blockquote><p>My account was just hacked. All my gear from the last 4 years that was sellable is completely gone! The only thing I can look back on and say "I should have done" that might have prevented this was ... last week I got an email from SoE that stated, here is your username request.  I looked at the email and sure enough all my usernames were listed.  However I did not send any requests. The email went on to say if I was not the one that requested this information disregard this email.  I figured it's no big deal since the email went to my email address and I am fairly certain my systems are not compromised.  Well, in hindsight I should have called SoE and let them know I received that email.  </p><p>Because as of last night 03/21/08 I logged out of Eq2 around 7:45 and 8pm pst ... logged back into Eq2 03/22/08 11:45am pst and instead of being in KoS I was standing in Big Bend Naked, Homeless and penniless. I immediately checked all my other characters and of course every single one that had anything sellable was the same way Naked, homeless and penniless.  So I logged into my second account ... yes I dual box from time to time and my son plays this game also.  Guess what, that account is stripped clean also.  My second account was not a major concern for me since most of those characters are new and it is mainly for my son to play on. But my main account !!! Now that hurts, 4 Years down the drain and now I am rendered useless, there is no real way for me to recover after a loss like that as there are no mobs I can fight naked that will yield me any gear to get back on track. Even worse thing is that I am prepaid for a frigging year, and even if I were to bounce back and spend another year trying to re-attain some semblance of my former glory it might just happen again !!!</p></blockquote>Petition immediately. Your case seems an obvious one for help from the GMs!

Kitubac
03-22-2008, 07:57 PM
<p><b> Wow if you think this is still a small issue look below and then ask yourself have you checked your company March Madness pool yet  ?????</b></p><p><b>A big reason to make sure all your stuff is updated,  will it prevent it probably... but one never knows how this will mutate itself in the coming weeks </b></p><p><b>Malicious site: MSNBC Sports compromised</b> 1- <a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=848" target="_blank" rel="nofollow">http://www.websense.com/securitylab...php?AlertID=848</a> March 18, 2008</p>

JWinnard
03-22-2008, 09:22 PM
I did send a petition as soon as I logged in today and realised what had happened. Thank god I didn't have access to my guild bank! However I do not expect a response being it is the weekend. Also from what I have read so far from other posts SoE is being less than responsive or proactive on this issue.

Finriel
03-22-2008, 10:12 PM
Are there any good free firewall/virus programs out there or is it best to put out the money for something like McAfee?

Bloodfa
03-23-2008, 12:48 AM
<b>Avast </b>has a free-for-personal-use version of their corporate virus protection software.  Good stuff.

JWinnard
03-23-2008, 02:21 PM
Well just got both my computers back from the local computer repair store, aside from a low threat cookie (doubleclick) both my systems are clean. So somehow whoever is stealing account passwords is doing it without the aid of a key logger.  The only other way I can think of is that whoever is doing this intercepts the packets once they are beyond my firewall/spyware  and antivirus or they are being leaked internally from SoE itself, at least that's what my local guru mentioned. Personally I don't know what to think. So far only my EQ2 accounts have been victimized. I play WoW, Lotro, Tabula Rasa, CoH/CoV and Anarchy On-line, none of those accounts have anything missing and what's strange is that  in terms of wealth WoW, Lotro, and AO I have small fortunes on... Hell AO I own my one city.

Basta
03-23-2008, 04:02 PM
<cite>JWinnard wrote:</cite><blockquote><p>My account was just hacked. All my gear from the last 4 years that was sellable is completely gone! The only thing I can look back on and say "I should have done" that might have prevented this was ... last week I got an email from SoE that stated, here is your username request.  I looked at the email and sure enough all my usernames were listed.  However I did not send any requests. The email went on to say if I was not the one that requested this information disregard this email.  I figured it's no big deal since the email went to my email address and I am fairly certain my systems are not compromised.  Well, in hindsight I should have called SoE and let them know I received that email.  </p><p>Because as of last night 03/21/08 I logged out of Eq2 around 7:45 and 8pm pst ... logged back into Eq2 03/22/08 11:45am pst and instead of being in KoS I was standing in Big Bend Naked, Homeless and penniless. I immediately checked all my other characters and of course every single one that had anything sellable was the same way Naked, homeless and penniless.  So I logged into my second account ... yes I dual box from time to time and my son plays this game also.  Guess what, that account is stripped clean also.  My second account was not a major concern for me since most of those characters are new and it is mainly for my son to play on. But my main account !!! Now that hurts, 4 Years down the drain and now I am rendered useless, there is no real way for me to recover after a loss like that as there are no mobs I can fight naked that will yield me any gear to get back on track. Even worse thing is that I am prepaid for a frigging year, and even if I were to bounce back and spend another year trying to re-attain some semblance of my former glory it might just happen again !!!</p></blockquote>So that makes two of us. Logged out last night in Temple Street and Kunzar Jungle.  When I logged in this morning in Big Bend it was like OMG.  
Why do I have a toon and Inn in Big Bend?  House was cleaned as well as bank. Logged in my main toon and it was an even bigger OMG.  There I stood in all my naked glory in Neriak.  At least not Big Bend but the 5 room house was looted clean of any valuable item as well as my bank and broker.   As I spoke with guildies and told them what had happened one of the leaders gave me some armor and 2 swords and a bit of plat to get new jewelry.  As I was browsing broker another OMG hit.  Guild Bank!  Holy Crap Batman......lucky that I had no access to GB4 as all plat was there but the others  were cleaned of anything of value. To my knowledge....I do not visit many sites other than here, guild forums and blogger.  Use Firefox not IE.  All updates are current, spyware and anti-virus installed and current.  ??  Two petitions filed on 2 accounts but it is the weekend so I really expect no response until tomorrow.

Chomsky
03-24-2008, 10:58 AM
<p>This is purely conjecture, but I subscribe to a conspiracy theory every once in a while:</p><p>All weekend long our guild has been frantic, having had 5 or six members' accounts hacked - one was hacked twice, guild bank (1,2,3 - but not 4 - were cleaned out... twice).  The common theme between them all?  They all swear the only sites that they visit are our guild forum, SoE forum and EQ2 Players.  SoE forums are still up... our guild site is still up (not to mention the hundreds of people who DO NOT use our forums that still had their accounts hi-jacked)... EQ2 Players is down... EQ2 Players has been inaccessible for quite some time... I'm not sayin' anything, but I'm just sayin'.  I think SoE might be best served actually telling us what is going on as opposed to keeping quiet about everything and pointing fingers at everyone else.</p>

g0thiC_iCe_cReaM
03-24-2008, 01:10 PM
<p>More sites are being added to the list of sources of the keylogger:</p><p><a rel="nofollow" href="http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080320" target="_blank">http://www.shadowserver.org/wiki/pm...lendar.20080320</a></p><p>People might want to just stay away from most sites for a few weeks just in case:<a href="http://forums.spybot.info/showpost.php?p=174107&postcount=9" rel="nofollow" target="_blank">http://forums.spybot.info/showpost....107&postcount=9</a></p><p>"March 18, 2008 - "... the official Web site of MSNBC Sports has been compromised with malicious code. This same attack has compromised dozens of other high-profile sites such as ZDNet, archive.org, wired.com, and history.com. We have notified the owners of MSNBC of the malicious content on their site. This attack has been discussed in our previous blog*. <i>It is important to note that the hub site that is hosting the malicious JavaScript is currently down..."</i></p><p>Most recent info from safer-networking.org:</p><p><a href="http://forums.spybot.info/showthread.php?t=25519&page=2" rel="nofollow" target="_blank">http://forums.spybot.info/showthrea...?t=25519&page=2</a></p><p>"Yet another large-scale attack involving <i><u>SQL injection</u> is targeting servers running PHPBB</i>. This attack injects HTML code that loads a malicious JavaScript file from 'free.hostpinoy.com'. Reports indicate that this attack is much more prevalent, perhaps because of the ubiquity of PHPBB. Over <u>150,000 pages may be affected</u>. Note again, however, that the number of unique servers compromised may be far less. In previously observed cases, over 5000 pages have been affected on a single domain. At the time of writing, most of the sites hosting the exploits or malicious JavaScript are down, but <u>they may come back online at any time</u>. 
Administrators are advised to audit their web services to ensure that no exploitable flaws exist in the publicly exposed scripts and that the latest versions are installed. Network admins are advised to <b>block access to '2117966.net' and 'free.hostpinoy.com'</b> at the gateway."</p>
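The advisory quoted in the post above tells administrators to audit their pages and to block '2117966.net' and 'free.hostpinoy.com'. The following is an added example, not part of the original post or of the quoted advisory: a small audit that parses a page and reports tags that load active content from either host or a subdomain of one. The function names, the sample page and its file paths are constructed for illustration.

```python
"""Audit HTML for active-content references to hosts blocked at the gateway."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two hosts named in the advisory quoted in the post above.
BLOCKED_HOSTS = {"2117966.net", "free.hostpinoy.com"}

# Tag -> attribute through which a page pulls in remote active content.
REMOTE_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                "embed": "src", "object": "data"}


def host_of(url):
    """Return the lowercased host of a URL, or '' for relative URLs."""
    url = url.strip()
    if url.startswith("//"):            # protocol-relative reference
        url = "http:" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:                  # malformed authority part
        return ""
    return host.rstrip(".").lower()


def is_blocked(host, blocked=BLOCKED_HOSTS):
    """True if host is a blocked host or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in blocked)


class RemoteRefAuditor(HTMLParser):
    """Collects (line, tag, host, url) for each blocked remote reference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value and is_blocked(host_of(value)):
                line, _col = self.getpos()
                self.findings.append((line, tag, host_of(value), value))


def audit_html(text):
    """Parse one page and return its findings, in document order."""
    auditor = RemoteRefAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings


# Constructed sample page: two injected references, one harmless text link,
# one look-alike host that must not match.
SAMPLE_PAGE = """<html><body>
<h1>Guild forum</h1>
<script src="/js/forum.js"></script>
<p>Welcome back!</p><script src="http://FREE.hostpinoy.com/PLACEHOLDER.js"></script>
<iframe src="//www.2117966.net/PLACEHOLDER.html" width="0" height="0"></iframe>
<a href="http://free.hostpinoy.com/">text link, not loaded automatically</a>
<script src="http://not2117966.net/ok.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, url in audit_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads from blocked host {host}: {url}")
```

Run it over stored templates and over pages rendered from the database, since injected markup of this kind sits in database content rather than in files on disk.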

JWinnard
03-24-2008, 02:27 PM
FYI, just got off the phone with SoE CS, apparently they do not have the controls to help anyone with this issue and said that only the in-game GMs / petition system will be able to address this issue. So at this point since I already sent a petition I have to wait I guess.

Skandragon
03-24-2008, 03:10 PM
<cite>Jesdyr@Unrest wrote:</cite><blockquote><cite>Spyderbite@Venekor wrote:</cite>There has been an extremely large increase in compromised accounts. This post tells me it is as bad as it seemed to be. At this point my best guess is actually a problem at SoE that they will never admit to. Most likely having to do with LoN  ... ok that is just because I hate LoN <img src="/eq2/images/smilies/8a80c6485cd926be453217d59a84a888.gif" border="0" alt="SMILEY" />  ..  </blockquote>I suspect it is not a problem with Sony's security.  It is a problem with everyone's security. People need to learn that, when they get email, they do not click on links.  Ever.  Even if it is from the company you think it is.  Go open a browser and type the URL of your bank in there or use a bookmark you made to reach it.  Every day people fall for what has become called 'phishing' techniques. Also, visit <a href="http://getfirefox.com/" target="_blank" rel="nofollow">http://getfirefox.com/</a> and install Firefox.  Use it.  Don't use IE, which allows "ActiveX" controls to run on your computer. Firefox allows Java and Javascript, out of the box.  Javascript is, for better or worse, pretty much necessary for a modern web browser.  However, ActiveX is a security hole waiting to happen.  ActiveX can easily install software on your computer you don't know about, and never would have installed.  Since Firefox does not run ActiveX controls, this removes one entire attack vector. Lastly, many stolen credit card numbers are released by real sites.  For years, a very popular merchant site allowed retrieval in HTML or CSV (for spreadsheets) format.  The HTML required a password, while the CSV did not.  
So, going to <a href="http://some-foolish-merchants-site.com/admin/purchases.csv" target="_blank" rel="nofollow">http://some-foolish-merchants-site....n/purchases.csv</a> would return every single credit card number in use on that site.  It didn't take the criminal element long to discover this, and it didn't take long for the software to be patched.  The problem is, there were over 10,000 installations of this software, and even if 90% upgraded, 10% never would. In a modern, internet-based world, you have to be careful who you choose to release any personal information to.  After all, who here has given their Social Security Number (for those of us in the US) to their power company, phone company, or ISPs?  Why do you think you must?  Was it because they asked for it?  I don't give my SSN out to these places.  Ever.  They have no legal need for it, other than a credit check, and paying a small deposit is acceptable to me rather than having some company with an unknown IT security track record have my personal information. I'm not paranoid.  I do computer security for a living.  I know what's out there, and I know I don't know it all.

g0thiC_iCe_cReaM
03-24-2008, 03:36 PM
<p>I believe people are also being infected that use Firefox.</p><p>The US Government has a nice little write up on how to secure your browsers:</p><p><a href="http://www.us-cert.gov/reading_room/securing_browser/" rel="nofollow" target="_blank">http://www.us-cert.gov/reading_room...curing_browser/</a></p>

oneleger
03-24-2008, 05:20 PM
<p><span style="color: #330099;font-family: comic sans ms,sand;"><b>So 3 weeks ago my account was hacked and I watched on my father-in-law's account as all my toons were taken to Big Bend, stripped and logged into someone's house. So a week later, after 30 petitions were sent from friends, guildmates about my account, I get my main's items back but my other toons were still stripped. I added a better firewall and virus protector to my account and now 3 weeks later I go to log on and my password was changed, and so my father-in-law calls Sony and as I log on my account has been hacked again. People can say oh you must have shared your account info with someone. I'm sorry but I don't share account info with strangers so the whole you have given your account info to someone is crap. So now here I sit with my main stripped again and it still hasn't been fixed from the first time. This is just crazy. </b></span></p>

Basta
03-24-2008, 09:22 PM
<cite>Chomsky@Unrest wrote:</cite><blockquote><p>This is purely conjecture, but I subscribe to a conspiracy theory every once in a while:</p><p>All weekend long our guild has been frantic, having had 5 or six members' accounts hacked - one was hacked twice, guild bank (1,2,3 - but not 4 - were cleaned out... twice).  The common theme between them all?  They all swear the only sites that they visit are our guild forum, SoE forum and EQ2 Players.  SoE forums are still up... our guild site is still up (not to mention the hundreds of people who DO NOT use our forums that still had their accounts hi-jacked)... EQ2 Players is down... EQ2 Players has been inaccessible for quite some time... I'm not sayin' anything, but I'm just sayin'.  I think SoE might be best served actually telling us what is going on as opposed to keeping quiet about everything and pointing fingers at everyone else.</p></blockquote>Funny that you would mention that as I had the same thoughts.  Even more so after having a hard time accessing EQ2's character page.  It seems that Big Bend tends to be the focal point for these things.  I guess because of the short/quick access to bank, vendors and housing.  I was there last night and I quit counting after seeing over 30 level 1 toons entering town, running to bank, meeting another toon and then logging. I would like to think that if many people mention Big Bend that <i>someone</i> in SoE's company could do, watch or stop this stuff.

JWinnard
03-30-2008, 05:47 PM
I just wanted to update everyone that reads this thread.  The SoE support team IMO is AWESOME!!! I called SoE CSR and got my accounts secured, then tech support responded to my petition the very next day and escalated it to the in-game GM staff.  A few days later and all is right as right can be!  They have been so helpful in getting me back to my former glory! I totally expected much less help than I received, I mean come on, it's a big game with lots of people who also have important issues that need to be resolved.  I was so impressed with the efficiency of the  entire process.  Thank you very much for how quickly you got everything taken care of for me and all the help to all those involved!

susanjjacobs
05-14-2008, 04:05 PM
<cite>Grishim@Mistmoore wrote:</cite><blockquote>I just wanted to update everyone that reads this thread.  The SoE support team IMO is AWESOME!!! I called SoE CSR and got my accounts secured, then tech support responded to my petition the very next day and escalated it to the in-game GM staff.  A few days later and all is right as right can be!  They have been so helpful in getting me back to my former glory! I totally expected much less help than I received, I mean come on, it's a big game with lots of people who also have important issues that need to be resolved.  I was so impressed with the efficiency of the  entire process.  Thank you very much for how quickly you got everything taken care of for me and all the help to all those involved! </blockquote>Please tell me the steps you took to change this around. I do not have any key-loggers on my machine, I have never given out a password, no one (besides myself and, now, the hacker) has ever logged into my account. My email was never compromised. I don't know how they got access to all 3 of my accounts unless it was tied to the credit card on the account.

Elorah
05-14-2008, 04:11 PM
<cite>susanjjacobs wrote:</cite><blockquote><cite>Grishim@Mistmoore wrote:</cite><blockquote>I just wanted to update everyone that reads this thread.  The SoE support team IMO is AWESOME!!! I called SoE CSR and got my accounts secured, then tech support responded to my petition the very next day and escalated it to the in-game GM staff.  A few days later and all is right as right can be!  They have been so helpful in getting me back to my former glory! I totally expected much less help than I received, I mean come on, it's a big game with lots of people who also have important issues that need to be resolved.  I was so impressed with the efficiency of the  entire process.  Thank you very much for how quickly you got everything taken care of for me and all the help to all those involved! </blockquote>Please tell me the steps you took to change this around. I do not have any key-loggers on my machine, I have never given out a password, no one (besides myself and, now, the hacker) has ever logged into my account. My email was never compromised. I don't know how they got access to all 3 of my accounts unless it was tied to the credit card on the account.</blockquote>Have you run tests for keyloggers?  They can be quite tricksey... I would suggest doing an in game Petition to be honest... be respectful and you may be amazed at how nice they can be!

metacell
05-15-2008, 07:22 AM
<cite>Karimonster wrote:</cite><blockquote>So please for the love of God someone translate it into "Dumb Blonde" so I can understand what's going on, how to protect my machine, and what to do in case of a hacked account without any confusing jargon that can be passed on to my guildmates...please <img src="/eq2/images/smilies/3b63d1616c5dfcf29f8a7a031aaa7cad.gif" border="0" alt="SMILEY" /></blockquote>Some hackers have infected web sites with a password detection tool. Not SoE's website, and not just shady websites, but normal websites that have failed to patch a certain security hole. The password detection tool is automatically downloaded when you surf the site with a web browser without the latest security updates. It has been set to steal passwords for online games, which has led to a wave of compromised gaming accounts. What you can do to protect yourself, in order of importance:<ol><li>Make sure you have Windows Update turned on (in the Control Panel). Let it download updates for you in the background, and install them as soon as you can (you'll get a little Windows Update icon in your taskbar when they're ready to install). This will take care of most potential threats, since they use <i>known vulnerabilities</i> for which <i>there are already fixes</i>.</li><li>Have antivirus software installed and updated. There are very good antivirus programs that are free for personal use, like <a href="http://www.avast.com/" rel="nofollow" target="_blank">Avast</a>. And there are others you have to pay for, which are actually quite bad, like Norton.</li><li>Don't download free programs that advertise themselves through banners and pop-up windows - they're usually adware and spyware.</li></ol>There are other things you can do, like installing firewall software and an adware/spyware remover, but I'm trying to keep it simple so people can remember and follow the advice.