http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered
In previous blogs, Symantec has highlighted threats that steal user data. We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.
This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass.
So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal.

Now it’s time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind:
1. Log on to gaming websites 44 million times!
2. Write a program to log in to the websites and check for you (this would take months).
3. Write a program that checks the login details and then distribute the program to multiple computers.

Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck’s creators have done.
Most botnets have the ability to download and run files, so why not push a custom piece of malware to each bot? The malware could log on to the database and download a group of user names and passwords in order to check them for validity.
If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password. The attackers can then log on to the database and search for the valid user name and password combinations.
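From the defending site's side, the pattern described above stays under a per-IP failure counter but still stands out when login events are grouped by source address. The following is an added detection example, not code from the original post or from Symantec; the log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict

PER_IP_BLOCK = 5  # assumed per-IP failed-login threshold used by the site


def make_sample_log():
    """Constructed login events: (src_ip, username, success)."""
    log = []
    # 40 bots each test 3 different accounts once; 1 in 30 credentials is valid.
    for bot in range(40):
        for k in range(3):
            n = bot * 3 + k
            log.append((f"198.51.100.{bot + 1}", f"acct{n:04d}", n % 30 == 0))
    # 20 ordinary players: one IP, one account, sometimes a typo first.
    for u in range(20):
        ip = f"203.0.113.{u + 1}"
        if u % 5 == 0:
            log.append((ip, f"player{u}", False))
        log.append((ip, f"player{u}", True))
    return log


def per_ip_blocked(log, threshold=PER_IP_BLOCK):
    """IPs the classic per-IP failure counter would block."""
    fails = defaultdict(int)
    for ip, _, ok in log:
        fails[ip] += not ok
    return {ip for ip, n in fails.items() if n >= threshold}


def checker_suspects(log, min_accounts=3, max_success_ratio=0.5):
    """IPs that try several distinct accounts once each and mostly fail."""
    by_ip = defaultdict(list)
    for ip, user, ok in log:
        by_ip[ip].append((user, ok))
    suspects = set()
    for ip, events in by_ip.items():
        users = {u for u, _ in events}
        ok_ratio = sum(ok for _, ok in events) / len(events)
        if (len(users) >= min_accounts and len(users) == len(events)
                and ok_ratio <= max_success_ratio):
            suspects.add(ip)
    return suspects


def accounts_to_reset(log, suspects):
    """Accounts a suspect IP logged in to successfully (validated by the checker)."""
    return sorted({u for ip, u, ok in log if ok and ip in suspects})
```

On the constructed log, the per-IP counter blocks nothing, while the account-diversity check flags all 40 bot addresses and lists the four accounts whose passwords should be reset.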
The database in question currently holds approximately 17GB of flat file data. The particular sample we analysed attempted to validate passwords for Wayi Entertainment, but there are credentials for at least 18 gaming websites in the database.
Just how valuable is a database of this sort? While it can be extremely difficult to evaluate a database of this kind, there are legitimate websites out there that focus on the buying and selling of online accounts. Using figures from some of these sites, the table below tries to detail a range of possible prices. The cheapest accounts most likely contain a single character named something like “Mediocre Tom,” whose only weapon is a rusty old spoon. In contrast, an expensive account will typically contain several powerful characters with names like “Warlock, Bringer of Death” who is adept with the “Lethal Lance of Loki.” These prices are the requested value, not the value received:
| Gaming account | Type of account | # of accounts in database | Value range | Online market valuation |
| --- | --- | --- | --- | --- |
| World of Warcraft | MMORPG | ~210,000 | $35-$28,000 | www.playerauctions.com |
| Aion | MMORPG | ~60,000 | $150-$1420 | www.playerauctions.com |
| PlayNC* | Online game publisher | ~2 million | $6-$2855 | www.gamewar.com |
| Wayi Entertainment | Online game publisher | ~16 million | Unknown | – |

(*PlayNC is an online service provided by NCsoft, the game publisher that develops a number of popular online games such as Lineage II, Guildwars, and City of Heroes. NCsoft’s online gaming system is set up around one login account that is shared by various games.)
It’s worth noting that the actual buying and selling of accounts is typically banned by many online gaming and hosting sites, as evidenced by the terms of their EULAs. The online auctions that enable users to sell accounts, such as at playerauctions.com, are legitimate websites that attempt to protect the buyer and seller against fraud through the use of escrow. We have only used these sites to put rough market values on the accounts, and have no evidence that these sites have traded stolen accounts.
As always, Symantec recommends that you keep your definitions up to date in order to ensure protection against new threats. As an added precaution, if you are in possession of a gaming account from one of the websites listed above, an update of your password would not go amiss.



While impressive, the insider information, is what the people are missing and thus bloating the actual value of the database.
WoW accounts, unverified, sell for about $3 each. What ends up happening, is that a gold farmer in China, will buy a list of accounts, and then depending on the characters and items on the account, either use the account to hack farm, which uses a game hack, to allow them to farm around 5k gold a day, or they will sell all the items, trading their gold to their delivery accounts. Once the gold is all traded, they will then begin advertising in game.
Accounts which aren’t active, either get added to a list to check later, or have stolen credit card numbers made to pay for the accounts. Then used to farm or take gold and advertise.
If accounts are used to hack farm, then they will usually get banned within 3 days.
These accounts rarely make it up onto auction sites. It’s usually safer to sell to farmers, and farmers will take all accounts.
Now before you assume that the company you are using to buy gold from, doesn’t support and promote account hacking, let me assure you that most sites do. However there is an extent to which they do. Some sites sell stolen gold, but don’t farm the gold (no real way of knowing where it comes from). Some sites sell botted gold (a lesser evil). Some sell gold, they themselves farm. Some of course sell gold that they farm, and advertise in game. These sites buy stolen accounts. There is another type, they buy the accounts, and hack farm on them, but don’t advertise. They seem like legit sites, but aren’t. Which sites do this? From experience, and trying to sell legit accounts in mass, I have been told that IGE and WoWMine (plus all their other subsidiaries), hack farm, but don’t advertise in game. This makes them seem more legit, and raises their profits to the roof, since they charge more (making them seem legit).
I can assure you that UberWoW.com doesn’t advertise in game, nor do we hackfarm. But we can’t know that the gold, comes from botters or account hackers – however we have never had a customer’s account suspended or banned, which leads me to believe that we sell botted gold.