Posted: Tue Mar 09, 2010 5:19 pm
****For New Information Check my last post on this page. ALL TIMES POSTED ARE EASTERN****

Keep questions and comments in the thread if possible, some of the mods including myself are busy doing stuff outside Gaia sometimes.

As some of you already know, a whole list of big name exchangers have been recently hacked and are trying to get all their things back. We are talking MILLIONS of gold in pure/items. You know those sexy '03 items that cost a deal with the devil to have? They had them. If you have been around the Exchange lately you may have seen a few threads with titles related to the hackings. This is a big deal, ya know?

Anyway, below are a few threads that have some information in them. I will be pulling some of the actually useful information from them and will update the reserved posts below with what matters. For the time being hang in there and keep your account safe, how these hackings are happening is still to be figured out completely. I have my theory and I will post it soon.

Update 3-10-2010 @ 8:20PM
Cryptex XIII
I just found this in Madkool's thread in SF: (madkool was also hacked)

Developer carbonphyber
We closed a major security hole today. Please stop speculating about the vector of attack. If anyone has evidence that a specific marketplace page is being exploited, please PM me and I will make sure it's handled. BTW, the security hole we fixed was not related to marketplace but could easily explain the recent hackings.

-----------------------------------------------------------------------------------------------

REPORT A HACKING TO GAIA
Hacking Thread in Feedback

Quote: ShoNuff217
Hi Everyone,
This thread and others were brought to my attention today and I would like to let you know that we have been looking into this mass hacking already. Thank you all for being alert to this and we are investigating this issue.
If you have noticed items and/or gold missing from your account or otherwise feel your account may be compromised, please file a hacking report. You can find the link at the bottom of the main forums page or by clicking on the link below:
Submit a Hacking Report
If you are no longer able to access your account at all, please use a secondary or mule account (not a friend or family member's account) to file a hacking report. Remember to keep your report ID number for reference and confirmation that your report was submitted. For more account safety information, please refer to our Safety Tips.
Sincerely,
ShoNuff217
Gaia Online Administrator

Now onto what we know in the post below.
Posted: Tue Mar 09, 2010 5:21 pm
What we know!

Not much really, that is the scary part. The people that have had account issues haven't put their information into any of the many pop-up scripts. They haven't given out their passwords to anyone or anywhere either. So how is this happening?! Here is a posted theory...

Quote: Bohemian Polka
Guys. Hello. It's a script that's loose in the marketplace and also being used by people to steal passwords off from people on their friend's list. It's an updated version of an older script that mainly affects Firefox users. I'm only posting this so that the mods/admins might make use of it. But this time around it wasn't the fault of the users being targeted. Dead horse is dead.

Makes sense, right? To a point, it still doesn't explain how they are getting your password. It is as if we need another theory to coincide with that one....

OMG I HAVE A THEORY!!!!!!!!!!

Supposedly this is affecting Firefox users, right? I haven't heard of it hitting people that use any other browser, well not yet that is. So here is what I think!

I believe that this script that is causing all the hackings is working like this. Obviously someone is embedding the script somewhere, be it the marketplace, thread, signatures, etc. Users go to said page and trigger the script. If in fact it is exclusive to the marketplace, it is probably in their storefront and they are selling items cheap to draw people there. Once a user goes to make the purchase it is recording their keystrokes and logging them offsite for the taking. Although this doesn't explain why it is just Firefox users that are getting hit.

If this stretches beyond the Marketplace, then my 2nd theory is that the script is far more advanced than that and once it is triggered by the user going to the page it is reading your computer's files and copying a specific Firefox log that holds your saved password data. If memory serves me correctly the file is located here.

C:-Users-xxxxxxxxxx-AppData-Roaming-Mozilla-Firefox-Profile-xxxxxxxx.default-signons.sqlite

Signons.sqlite may be the target of the script and is being copied and loaded into the hacker's Firefox, giving them access to every password that you have saved.

The above theory covers 2 grounds.
-Why only Firefox users
-How they got your password

Anyone that is a bigtime Vendor/Exchanger probably takes the time to snipe mispriced items in the Marketplace. That 1 second it takes to type your password in is pivotal when someone else is competing with you to get that 18k Mythrill Halo (believe me I missed that very item last week at that same price).

Theories are theories and nobody is certain how the hackings take place other than the ones doing it.
Posted: Tue Mar 09, 2010 5:30 pm
Tips Tips Tips

Nothing is a surefire way to stay safe, being hysterical about things isn't the best route either. Also, it never hurts to have a hidden mule that NOBODY knows about. Just in case all your others are compromised and you need to post or submit a hacking report.

1. Update all Antivirus/Antispyware programs and do fresh scans.
-Spybot Search and Destroy
-Malwarebytes
-Ccleaner
All three are FREE and work wonders.

2. Watch what you are clicking on.
-I have Gaia as my homepage and if I seemingly get logged out or have an unusual password request, I click Home. Better safe than sorry.

3. The Age Old Standard
-Gaia never asks for your password, outside of the normal areas that is. (Normal areas = Marketplace when buying/selling, trades, Account settings, etc.) So don't put your password in any form of pop-up, don't give anyone your password, just use your head.

4. Smell something Phishy?
-REPORT THEM. If you come across a thread with a phish pop-up and you aren't sure who is doing it, report the entire thread. If you would like to find the person that is in fact doing it, below is an image of myself comparing the page source with the page to find the culprit.

Lastly, I still have faith in Firefox and I have since disabled the password save feature and cleared my saved list. Stay safe, don't lose everything you have to some Dickbag that doesn't have the brains to get it on his own.
Posted: Tue Mar 09, 2010 5:31 pm
Stay on topic please. I will be deleting all posts on this issue that appear in the main forum area of the guild as well. If you are new to the guild, read the posting rules as well. There has been a good share of duplicate threads on the same subject. Not to mention a bunch of threads with titles that do not say the item's name.
I came across a Firefox addon for dedicated users like myself. It encrypts your keystrokes to hide them from keyloggers. Again nothing is 100% guaranteed to work. There is a downloadable version for all browsers if you go to the company's site, I am not sure if it is completely free or what.
KeyScrambler Addon for Firefox
Posted: Tue Mar 09, 2010 5:37 pm
Oh I forgot to add something originally, since all these hackings have started I periodically have been taking a screen shot of my full inventory that also shows my gold and Gcash. Just in case. I also mouse over the time so the date displays as well.

3-10-2010 @ 2:50AM

AVOID BUYING OR TRADING FOR HIGH PRICED ITEMS.

Until Gaia comes out and says that everything is safe, avoid any and all High Profile items. Chances are if it is too good of a deal to pass up, then you are in for more than you bargained for. If you choose to continue trading or buying expensive 2-3mil+ items, do so at your own risk. Nothing says hack me like a person shelling out valuable items or tons of gold for a Devil Tail or Nitemare Scarf.

One of our guild members brought to my attention that certain listings on the marketplace may have a script hidden on the listings page. If you are actively purchasing things on the marketplace and the item page is taking extremely long to load compared to normal, please leave the marketplace immediately. If you are prompted to download anything when looking at the marketplace, decline it and PM an Omni Mod that is online with the item that is causing this. If you are able, please screenshot and upload an image of the prompt to photobucket, I would like to have a reference image to post and do my own little investigating.

If you haven't already please please please download Ccleaner. It is a free software that clears your computer of all temp files, browsing history, cookies, etc.
Ccleaner Download Link
I HIGHLY recommend it and suggest that you run it when you close your browser and before you start it back up.

Lunatic Lace
Warning: It appears that one of the two Devil Tails in the MP is, indeed, laced with phishing code, as it prompts users to download a php file even before loading the DT page. I've already contacted a moderator about this. Please be wary when searching for higher tier items on the MP.

Update 3-11-2010 @ 5:00AM - Major Update!

-I was browsing the exchange earlier and came across someone selling some random junk, so I decided to click on their profile. When I was on their profile there was an image that was broadcasting a malicious IP that was attempting to access my computer, GO FIGURE. I advise anyone that is reading this to DOWNLOAD MALWAREBYTES for some extra security. I was fortunate enough to have IP Protection (Malwarebytes feature btw) enabled and it blocked them from accessing my computer.

Once I was warned of the attempt, I did some research on the IP Address and found that it came from an image that was hidden on the profile page and was colored to match the background. I WILL NOT post who had this on their profile or what the image/IP/website was, I have reported the profile already. The owner of the profile acted oblivious to it when I questioned him in his thread and reluctant to change his profile to private/friends only.

Below is an image of the Google Advisory page for the originating website of the image. Notice that all the information provided on the page is current as of 3-10-2010!

BE AWARE THIS WAS HIDDEN ON A PROFILE, IT COULD ALSO BE HIDDEN IN A POST OR MARKETPLACE STOREFRONT. THE IP ADDRESS WILL ATTEMPT TO INSTALL MALICIOUS SOFTWARE ON YOUR COMPUTER IF YOU ARE NOT AWARE OF ITS PRESENCE.

IF YOU NEED ANY HELP WITH MALWAREBYTES SETUP AND FEATURES, I WILL HAVE A THREAD IN THE SUBFORUMS WITH SOME IMAGES AND EVERYTHING YOU SHOULD NEED.
Posted: Tue Mar 09, 2010 5:47 pm
The best way to stay protected on Gaia is to check every link you see before clicking it, don't post clues on your profile, and make it very complicated. A good thing to do is make it an imaginary word with a number combo, like if you're in school your locker combination biggrin And don't EVER put your password in places except for logging in, trading, buying in the marketplace, or gifting somebody. If anything else asks you for a password don't do it! Period.
Posted: Tue Mar 09, 2010 5:48 pm
Posted: Tue Mar 09, 2010 5:59 pm
I was reading Madkool's thread about it..
some script in the market..for one probable cause..
crap like I can do anything I've already been had. gonk
Posted: Tue Mar 09, 2010 6:05 pm
Well like 2 months ago I was a victim of that script but 3 weeks later my stuff and gold was returned to me from Gaia admins I love them heart heart
And yes!!! I use firefox pirate
Posted: Tue Mar 09, 2010 6:05 pm
Personally, I'm not vending with my mains right now. I have a nice little--"quest mule" I like to call. He used to hold stuff, but that has been transferred off. But he looks too poor for anybody to bother with.
I buy and sell. Wait a "cooling period" then transfer to another account--keeping the minimal on what I'm not calling my sacrificial mule. Paranoia? Yes, but I'm okay with that.
How much credit do you give to the rumour that it mainly affects mozilla users?
Posted: Tue Mar 09, 2010 6:07 pm
I think the whole Firefox thing has been brought up for no reason since most users use either Firefox or Safari
Posted: Tue Mar 09, 2010 6:08 pm
I'm just staying out of the MP and Exchange for right now, along with some other things I think might help:
-Changed avatar to something 'poorer' looking. (Though won't really help if you are already well known for being 'rich')
-Make sure all old topics in which you sold/asked for people to sell you expensive items are edited to say -Closed- as the topic and first post.
-Take down quest info where it shows how much gold you have
Along with the general 'be careful with where you type in your password' guidelines.
Though I don't think the main issue is from individuals pinpointing users but it's always better to be safe when there is such little information on what's going on.
Posted: Tue Mar 09, 2010 6:10 pm
I'm not well known, and I'm not THAT rich, but I'm probably gonna go on hiatus til this is solved. I've moved most of my expensive items that I care about over to a different account. But this whole thing really pisses me off. >.<
Posted: Tue Mar 09, 2010 6:11 pm
I honestly wouldn't expect Gaia to do anything about it unless you're buddy-buddy with them or if you're a legend. Take it from someone who knows, sent in a report around 14 months ago, and I have lost my confirmation code due to the corruption of my hard drive. I did provide the username of the person who got me (they left the trade history) AND his main (extensive research) but nothing was done. ;_; I have been hacked before. It is terrifying to be logged out of your account, try to log back in, then you CAN'T. I sent an e-mail real quick then jumped on my mule to check my avi...well it was just what it looked like the day I joined Gaia, same for the gold amount. All in all, I lost (in today's values) almost 2 mil...I am just thankful I hadn't gotten too much yet. Anyways, this isn't about me. Just be wary. Great tip Alter, I personally use a series of numbers, two words that don't exist, then more numbers. NUMBERS ARE YOUR FRIENDS.
Right now I am not moving my items, as I personally know how to fight it and, if worst comes to worst, how to get them back.
@Kitty: Thought they got you at first. Good precautions. 3nodding
Posted: Tue Mar 09, 2010 6:12 pm
If you're really worried about being targeted, dressing down will help. Very simple inexpensive avis.