Jump to content

- - - - -

Dec 13Th Incident - Official Response


328 replies to this topic

#121 Lin Shai

    Member

  • PipPipPipPipPipPipPipPipPip
  • 2,401 posts
  • Facebook: Link
  • LocationDenver, CO

Posted 13 December 2012 - 08:39 PM

View PostIwaslost, on 13 December 2012 - 08:30 PM, said:

So quick Google search makes it seem that MWO players are not the only people getting that weird email.


Oh my gosh, you mean ... people who steal email addresses and sell access to botnets to spam those addresses don't just take them from one small site?

Wow ... I'm ... amazed.

View PostTruePoindexter, on 13 December 2012 - 08:32 PM, said:

Funny how being right feels.


I think the problem may be you confuse "not knowing how things work" with "right". It would explain a lot.

#122 Iwaslost

    Member

  • PipPipPipPipPipPip
  • 236 posts

Posted 13 December 2012 - 08:45 PM

Oh I'm sorry I didn't realize we had a resident expert in everything here. Please continue enlightening us.

Edited by Iwaslost, 13 December 2012 - 08:48 PM.


#123 Dark Severance

    Member

  • PipPipPipPipPipPipPipPip
  • Knight Errant
  • Knight Errant
  • 1,151 posts
  • Facebook: Link
  • LocationPortland, OR

Posted 13 December 2012 - 08:46 PM

View PostLin Shai, on 13 December 2012 - 07:45 PM, said:

Fact: This site was compromised and was serving malware.
The site was not actually serving malware at all. What it does do is put in a redirect when it is injected into the forum header. Most sites, servers, bots notice this as an illegal redirect and then flags the website automatically as a possible site that may have malicious malware. The website if you scan, will show that is is clean and has been for at least 90 days.

What happened is quite common forum injection. Once the hole has been found they are quickly used on anyone with that same version forum. They add a redirect which takes them to a different website. This redirect is flagged by bots, making it up to admin/IT/webmasters to clear it after they've scrubbed the systems and did a double check to make sure. As long as you didn't click anything, download or install anything when it was redirected there was no harm of malware.

View PostLin Shai, on 13 December 2012 - 07:45 PM, said:

Fact: At the same exact time, MWO users, including myself, who run their own domains and have specific-use email aliases (That, no ... you could't "Piece together from what I post") received the exact same spam email to those aliases which no not receive spam because they aren't used anywhere else.
I do run my own domains, server and mail servers as well. I have access to 6 accounts that have access to MWO. One is gmail, one is through hotmail and the rest are through my servers. None of them received any spam. As a precaution I did scan the website and it was clean as well. I also had my friends double check theres. Nothing.

Just because some people, because it is some people and not a lot because they haven't filled the forums. Everyone who has posted have stated "Me and all my friends got the email", like suddenly that means there is another 1000+ users that have gotten it. Just because some people have gotten an email that is similar doesn't mean it is connected to this. Welcome to the Internet where a Phishing scam is emailed out literally every second by the thousands.

View PostLin Shai, on 13 December 2012 - 07:45 PM, said:

Fact: PGI says, "Nothing happened, move along".
PGI stated there was a forum injection venerability that was taken advantage of. It isn't their software. I know about this type of attack because I just got done scrubbing a IP.Board and a vBulletin board that I admin two weeks ago with the same thing.

#124 Iwaslost

    Member

  • PipPipPipPipPipPip
  • 236 posts

Posted 13 December 2012 - 08:58 PM

View PostDark Severance, on 13 December 2012 - 08:46 PM, said:

The site was not actually serving malware at all. What it does do is put in a redirect when it is injected into the forum header. Most sites, servers, bots notice this as an illegal redirect and then flags the website automatically as a possible site that may have malicious malware. The website if you scan, will show that is is clean and has been for at least 90 days.

What happened is quite common forum injection. Once the hole has been found they are quickly used on anyone with that same version forum. They add a redirect which takes them to a different website. This redirect is flagged by bots, making it up to admin/IT/webmasters to clear it after they've scrubbed the systems and did a double check to make sure. As long as you didn't click anything, download or install anything when it was redirected there was no harm of malware.

I do run my own domains, server and mail servers as well. I have access to 6 accounts that have access to MWO. One is gmail, one is through hotmail and the rest are through my servers. None of them received any spam. As a precaution I did scan the website and it was clean as well. I also had my friends double check theres. Nothing.

Just because some people, because it is some people and not a lot because they haven't filled the forums. Everyone who has posted have stated "Me and all my friends got the email", like suddenly that means there is another 1000+ users that have gotten it. Just because some people have gotten an email that is similar doesn't mean it is connected to this. Welcome to the Internet where a Phishing scam is emailed out literally every second by the thousands.

PGI stated there was a forum injection venerability that was taken advantage of. It isn't their software. I know about this type of attack because I just got done scrubbing a IP.Board and a vBulletin board that I admin two weeks ago with the same thing.

Funny how people pretend to know what they're talking about.
Quick question: If they got the email from this site wouldn't everyone get the email not just some?
The snarkyness isn't directed at you Dark btw.

Edited by Iwaslost, 13 December 2012 - 08:59 PM.


#125 Solom Rembert

    Member

  • Pip
  • The Determined
  • 15 posts

Posted 13 December 2012 - 08:59 PM

"At no time were any databases containing personal information compromised. This includes e-mails and passwords."

Yeah right .. that somebody tried to access my email-account lately is totally unrelated to this i guess.

Last time that happend when the Neverwinternights2 Forum got hacked .. that is not commen.

Edited by Solom Rembert, 13 December 2012 - 09:05 PM.


#126 SonOfBDEC

    Rookie

  • 9 posts
  • LocationNorth Texas

Posted 13 December 2012 - 08:59 PM

Heh. I must say, thank you people for giving me a chuckle or 5 tonight, reading through this almost deserved a bowl of popcorn. Almost.

Anyways, on to more relevant stuff. Here's what I've gathered so far:

1) The MWO forums were hacked.
2) Shortly after, people received emails on their accounts that were used only for MWO, presumably being nearly impossible to guess from anything said on here.
3) People from other websites who had nothing to do with MWO also got emails, identical to the ones received after the hack.

Conclusion: Because of 1, 2 happened, but 3 happened, without being related. Therefore, the only logical answer to this is as follows: MWO is not the only place that got hacked. Some email addresses may have been leaked, others may not have, but as a whole, peoples emails WERE leaked, and it can be assumed that these emails are now on a spam list.

Now, I've changed my password, and I probably will again later on, too. But that's just being cautious, you can't blame someone for that.


In other news, did anyone actually READ the email? I laughed at how quickly it went from "Windows 8 is FAIL" to "Christmas is evil, don't pay for gifts, god forbids it, you are working for *****." Also, apparently "SANTA CLAUS is an anagram for *****." Now, unless I'm mistaken, an anagram is a rearrangement of the characters in a word/phrase to make a different word/phrase, correct? Then someone please tell me where the "Claus" fits into the anagram? B) Just saying, when they used flawed logic, making connections where they don't exist, and trying to convince others that they're right, I wouldn't have gone there in the first place.

#127 miscreant

    Member

  • PipPipPipPipPipPipPip
  • FP Veteran - Beta 1
  • 823 posts

Posted 13 December 2012 - 09:00 PM

I'm relieved that it's been found, is my work computer affected now? I accessed the site from work and Chrome warned me about a vulnerability, but I continued anyway.

#128 Iwaslost

    Member

  • PipPipPipPipPipPip
  • 236 posts

Posted 13 December 2012 - 09:06 PM

View PostSonOfBDEC, on 13 December 2012 - 08:59 PM, said:

Heh. I must say, thank you people for giving me a chuckle or 5 tonight, reading through this almost deserved a bowl of popcorn. Almost.

Anyways, on to more relevant stuff. Here's what I've gathered so far:

1) The MWO forums were hacked.
2) Shortly after, people received emails on their accounts that were used only for MWO, presumably being nearly impossible to guess from anything said on here.
3) People from other websites who had nothing to do with MWO also got emails, identical to the ones received after the hack.

Conclusion: Because of 1, 2 happened, but 3 happened, without being related. Therefore, the only logical answer to this is as follows: MWO is not the only place that got hacked. Some email addresses may have been leaked, others may not have, but as a whole, peoples emails WERE leaked, and it can be assumed that these emails are now on a spam list.

Now, I've changed my password, and I probably will again later on, too. But that's just being cautious, you can't blame someone for that.


In other news, did anyone actually READ the email? I laughed at how quickly it went from "Windows 8 is FAIL" to "Christmas is evil, don't pay for gifts, god forbids it, you are working for *****." Also, apparently "SANTA CLAUS is an anagram for *****." Now, unless I'm mistaken, an anagram is a rearrangement of the characters in a word/phrase to make a different word/phrase, correct? Then someone please tell me where the "Claus" fits into the anagram? B) Just saying, when they used flawed logic, making connections where they don't exist, and trying to convince others that they're right, I wouldn't have gone there in the first place.

It read like a schizophrenics ramblings.

#129 Konflict

    Member

  • PipPipPipPipPipPip
  • 336 posts
  • LocationCalifornia

Posted 13 December 2012 - 09:11 PM

I use Comcast email and then outlook on a Windows 8 system. I checked both my Comcast and outlook emails & spam folders I have nothing about this email. How ever in the middle of all this I did get a defender pop up and looking at its logs I see what is shown. I take it this came from the forums here and defender snagged it.
Posted Image

#130 Chronojam

    Member

  • PipPipPipPipPipPipPipPipPip
  • 2,185 posts

Posted 13 December 2012 - 09:19 PM

I can report that several email accounts with oddball/nondictionary names, that were created explicitly for MWO training purposes and gimmick drop compositions (all commando, etc) and were never used anywhere else, all received that Windows 8 bizarro email with the link to pages full of malware.

The odds off these random letter/number/nonsense-word combinations at various domains getting somehow randomly generated by a spammer's automailer, all within the same 24 hours, is very suspicious. The only thing that links them all is their use at this particular site.

It's just mathematically unlikely that they were all somehow reached through some other common place of use (as many were used nowhere else), and mathematically unlikely that they were all somehow autogenerated and hit within the same time period as the breach here. Occam's razor, baby.

#131 Chronojam

    Member

  • PipPipPipPipPipPipPipPipPip
  • 2,185 posts

Posted 13 December 2012 - 09:26 PM

View PostDark Severance, on 13 December 2012 - 08:46 PM, said:

PGI stated there was a forum injection venerability that was taken advantage of. It isn't their software. I know about this type of attack because I just got done scrubbing a IP.Board and a vBulletin board that I admin two weeks ago with the same thing.

That was about a month ago, November 11 or 12 or so; a page I administer was hit in the first wave before a patch and mitigation strategy was published.

You can find the November 13 blog post at the IPS dev site detailing a few fixes that can minimize the impact of similar intrusions if they should occur again. It is currently December 13.

#132 TruePoindexter

    Member

  • PipPipPipPipPipPipPipPipPip
  • 2,605 posts
  • Facebook: Link
  • Location127.0.0.1

Posted 13 December 2012 - 09:28 PM

View PostIwaslost, on 13 December 2012 - 08:58 PM, said:

Funny how people pretend to know what they're talking about.
Quick question: If they got the email from this site wouldn't everyone get the email not just some?
The snarkyness isn't directed at you Dark btw.


Logic - it's what makes the world function.

#133 Chronojam

    Member

  • PipPipPipPipPipPipPipPipPip
  • 2,185 posts

Posted 13 December 2012 - 09:37 PM

View PostIwaslost, on 13 December 2012 - 08:58 PM, said:

Quick question: If they got the email from this site wouldn't everyone get the email not just some?

Quick answer: No

I can provide a long answer if you're interested.

#134 Ter Ushaka

    Member

  • PipPipPipPipPipPipPip
  • 600 posts
  • LocationGnomeregan, Dun Morogh

Posted 13 December 2012 - 09:43 PM

I request a long answer.

#135 Adrienne Vorton

    Member

  • PipPipPipPipPipPipPipPipPip
  • 3,535 posts
  • LocationBerlin/ Germany

Posted 13 December 2012 - 09:47 PM

View PostSonOfBDEC, on 13 December 2012 - 08:59 PM, said:



." Also, apparently "SANTA CLAUS is an anagram for *****." Now, unless I'm mistaken, an anagram is a rearrangement of the characters in a word/phrase to make a different word/phrase, correct? Then someone please tell me where the "Claus" fits into the anagram? :)

lol, funny...well it doesn´t fit for the simple reason that santa only means "saint", and St.Claus originates from an bishop or some church guy from medieval europe who was one of the "nice guys"...so they say at least

the association with that CocaCola guy is another story though B)

Edited by Adrienne Vorton, 13 December 2012 - 09:49 PM.


#136 Hikaru Shizuka

    Member

  • PipPipPipPipPip
  • The Defiant
  • The Defiant
  • 188 posts
  • LocationVancouver, BC

Posted 13 December 2012 - 09:51 PM

Just for the record, I recieved the same Windows 8 e-mail, though that was over a week ago.

#137 Chronojam

    Member

  • PipPipPipPipPipPipPipPipPip
  • 2,185 posts

Posted 13 December 2012 - 09:55 PM

View PostTer Ushaka, on 13 December 2012 - 09:43 PM, said:

I request a long answer.

Spam's not the huge problem it used to be, mostly because a lot of systems have been set up to curb the spread. A lot of servers will punt out known spam to a folder you probably never check, schedule it for deletion in a trash can immediately, or never even bother notifying end users that the fraudulent message has arrived. Only the IT department for the organization might even be aware that the spam ever happened if they're checking the logs. Some companies and organizations may inform you that you received spam, but make you go so far as to open a trouble ticket with the helpdesk to get at it-- and who the **** would bother?

To make this a longer answer, whenever email addresses or credit card numbers for that matter are stolen (the site was using a third party to process payments, so that's not a risk here) there's not even a guarantee the attacker will get around to using yours or is even planning on using the full set of data themselves versus selling portions of the list to others, but that's security through obscurity which is incredibly unreliable so don't count on it ever. For example, there's even a chance a completely different set of email addresses (than those that got the Windows 8 spergout) could get offers for CHEEP VIAGRAAA! in a day or so if they're lucky.

#138 MavRCK

    Member

  • PipPipPipPipPipPipPipPip
  • Bad Company
  • Bad Company
  • 1,375 posts
  • Google+: Link
  • LocationMontreal - Vancouver

Posted 13 December 2012 - 09:56 PM

^ thumbs up - thanks for the information.

#139 Minsc

    Member

  • PipPipPipPipPipPip
  • Bad Company
  • Bad Company
  • 463 posts
  • LocationOhio, USA

Posted 13 December 2012 - 09:59 PM

I did some checking around, apparently players from other games such as the secret world are getting the email from emails setup only for that game, similar to some people here on MWO. It seems it is more large scale than the conspiracy theorists here are making it out to be.

I would still advocate changing your password, but that is my own personal paranoia telling me to do so.

#140 Trickster Fox

    Member

  • PipPipPip
  • 62 posts

Posted 13 December 2012 - 10:26 PM

Just for the record I got the spam mail also, it was in my spam folder from this morning...

changing password





10 user(s) are reading this topic

0 members, 10 guests, 0 anonymous users