Attempted Account Hack

Nebu

Hey everybody.
I did a pretty stupid thing today. There was a guy offering the NRF program on a German EU forum, but he had a link to rapidshare instead of the homepage. It seemed fishy, so I downloaded the prog to check it with an antivirus and warn the others so they wouldn't download it. I did find a keylogger and deleted the files immediately, but it seems the damage is done. The hacker tried logging in to my EU account, but didn't get anywhere since I have a Gold Card. So they logged in to the EU page and wrote a support case saying that I lost my Gold Card and that I need a new one.
After seeing this, I immediately requested an account reactivation and made a new password. Then I updated the support case saying that I have not lost my Gold Card and that my account got hacked. My Gold Card is locked as the hacker attempted too many logins without the correct number.
Unfortunately, as if it wasn't enough, they managed to get into my email account and change my password. I am still logged on to the EU homepage, so they can't change the password there.
But now I am clueless, what next???
 
Ring MA and tell them to lock down the account for the time being until you can get it sorted. Maybe have a code word so that they can authenticate it is you when you want to reactivate. Asking MA to change the email account connected to the account would help, though I don't know if they would do that, but maybe if you send them a copy of your birth certificate they would change it. Just make sure that they know that you still have a Gold Card, so they make sure that the Gold Card is not canceled from the account.
 
That sucks!! I would send a support case to ask them to lock my account until I have sent them a photocopy of my ID.
 
Sorry to hear this Nebu :(

If your gold card and account are locked for the moment, this is a good thing. No further harm can come of it I suppose.

Until you contact MA on Monday and go through the real ID thing to get your account unlocked again....
 
Can't you call them at supportcase?
Ok, seems like you don't live in Sweden but it might be a smart thing to do because you have skills and lots of peds ingame in skills and so on..
 
LOCK it down! It's better to NOT play than to have it hacked and stripped.

Issuance of Gold Card should require more than just a support case, I hope...

Good luck and keep us informed. How MA handles this sticky-wicket will speak volumes on how secure we really are.
 
Damn - that's mean!!

I would find that logger and get it deleted asap.

And then I would get totally paranoid and close all credit cards and subscriptions, as well as phoning supports to email-servers to block access for 48 hours, and then let you resign... after that I'd have my computer wiped with something very strong. Like a total deletion of all drives.

Could you post some names maybe. Of the keylogger and program used. I'm sure the anti-virus companies would love to get good hold of any info.
 
This is my support case about it:
Note that the first part was NOT written by me, I have not lost the Gold Card.

support case said:
27 Oct 2007 You wrote:
Hello.
I lost my gold card today. Could you do anything, so that i can buy new one ?

Best regards,
xxxxxxxx

27 Oct 2007 You wrote:
Hello,
it seems that someone has tried to login to my EU avatar with my account data. Because I have a Gold Card, they could not log in.
It seems they did log in to the EU page though, and wrote the above support case.
I have NOT lost my Gold Card. I reactivated my account already and changed my password, but I still cannot access EU, because my Gold Card is locked.
I have found a keylogger on my Computer which I removed.


I have tried to lock the account by attempting to log in a couple of times with a wrong password, but it seems it only locks it for 30 minutes now.
I also don't think any harm can be done, as the Gold Card is locked.
I found this on the support page:

If you have forgotten the password and/or login, you may reactivate your account. If you cannot remember the Email address, you need to send us a copy of your passport together with the request that you want to reactivate your account. You also need to state a new Email address.
Please send this information to:

MindArk PE AB
Jarntorget 8
SE 413 04 Gothenburg
Sweden

As soon as we have changed your Email address, you will be able to reactivate your account.

Seems I will have to make a new email account after I have got rid of the keylogger and send them the info.
 
I don't have any cc's registered on the EU page so I wouldn't worry about that.
Here's the keylogger, unfortunately it's in German:

http://www.entropia-forum.de/modules.php?name=coppermine&file=displayimagepopup&pid=2078&fullsize=1
 
That really sucks mate ... are you sure they don't have your EntropiaForum password also?

How can anyone be sure you are who you say you are?



Bones
 
I changed the password and email on almost everything I could think of after I couldn't get into EU. You are free to ask me a question only the real Nebu can answer tho ;)
 
filthy buggers

urgh, that's disgusting. I hate petty snifferkids.
Good u have the gold card, glad u found the sniffer, please detail to the community how u detected the sniffer, so others may have a chance.
Personally, I just look in the registry under local_machine/software/microsoft/windows/currentversion/RUN, to see if any suspicious files have been added, then there is the start/run shortcut, and CTRL + ALT + DELETE to see any odd services surface. On occasions, I use a network packet sniffer, but that's mostly related to work.

This is also a public apology to RexDameon regarding my criticism of his postulate that all one needs is the player's username & pass to get by the GoldCard system. I see now that by changing a player's address and then ordering a new goldcard, one could access a player's account.
I'm sorry RexDameon, I didn't think of this one, and in my defense, you didn't mention the details.


This also means that PilotPusher will have a hard time becoming a new standard.

https://www.planetcalypsoforum.com/forums/showthread.php?t=86196
I can only guarantee it is safe by my name and reputation, but I would very much like any experienced IT technicians to check it for keyloggers. I assure you there is none, but it scares me to think that the gold card is so vulnerable.


Tie <- surprised
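
The Run-key check described in the post above, as an added example that is not part of the original thread: a PowerShell script that lists every autorun entry under the machine and per-user Run keys and flags the ones worth a closer look. It covers only the registry Run keys, not services or the Startup folder, and the flagging rules (missing file, invalid signature, user-writable folder) are assumptions of this example.

```powershell
# Added example: audit the autorun ("Run") registry keys mentioned in the post above.
# The flags are heuristics chosen for this example; a flagged entry is a lead to
# investigate, not proof of malware. Bare names such as "rundll32.exe" resolve via
# PATH at logon and will show up here as file-not-found.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a user can write to without admin rights, where dropped programs often live.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                  (Join-Path $env:USERPROFILE 'Downloads')) | Where-Object { $_ }

function Get-ExecutablePath {
    # Pull the program path out of an autorun command line such as
    #   "C:\Program Files\App\app.exe" /background
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $path    = Get-ExecutablePath -CommandLine $command
        $flags   = @()

        if ([string]::IsNullOrWhiteSpace($path) -or
            -not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $flags += 'file-not-found'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        }
        foreach ($dir in $userWritable) {
            if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'user-writable-location'
                break
            }
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Flags   = ($flags -join ', ')
        }
    }
}

# Flagged entries first, then the rest for manual review.
$entries | Sort-Object { $_.Flags -eq '' }, Key, Name | Format-List
```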
 
No offense but it was not too bright to download this software to check for viruses. If you noticed it was fishy you should have stayed away from it and warned others. No need to verify that it is actually bad when anyone can go to the real site and get it.

Anyway, change your e-mail password to something random and write it down (do this on another computer). Then change your EU password (on another computer). Then reformat your drive and reinstall windows to make absolutely sure the keylogger is gone then most importantly DO NOT DO SOMETHING LIKE THIS AGAIN.

Sorry it happened in the first place but it wasn't too bright to download software you already found suspicious.
 
I don't need you to tell me that. I have always been cautious with anything new, but, I have my weak moments :(
This time my attempt to help others has backfired.

tiebender, I don't think you can just change the address and order a new Gold Card. You would either have to log on and buy it from the TT (which is impossible if the card is locked or you don't have it), or post your passport copy to MA and ask for a new one.
 
Nebu this really really sux :(
Good for you that you use the GC system, once again it's proven itself...

On (my) bright side:
OIL FOR GRABS @ THE OIL RIG !!!!!! :yay::yay::yay::cheer::sniper:

EDIT:
As I read on, I think you should Contact MA as one poster stated and tell them that ur going to send ur ID so they know about it and can send you a new GC perhaps ?

I'd rather pay the 20 bux than to lose my *fill your items here*
 
There is a program floating around on torrents that claims it enables one to get unlimited peds in the game.
From what I hear you run the program and it asks you to log onto Entropia with your login and password, and when you click login it actually sends this password and account to the email of the guy who wrote the program.
That sounds more like what happened.

If you have a keylogger on your system, so what: if it's not configured to send the data to a web addy or email, it just saves the results on your computer.

You need a keylogger and a program that sends the data to a location.
I don't see how you could have been hacked unless you actually ran a program and entered your name and password.
 
Can't a friend buy GC for you and forward it on for you to activate? Just a thought.

All the best mate i hope this sh!t gets sorted for you man.

Jamhot
 
The keylogger was in the RAR file of the NRF program that was modified by someone. I didn't extract the file, but it was extracted in a temporary file already so the keylogger started working and sent my password to the hacker.

My GC is all right, except that it's locked because the hacker attempted to log in too many times without the right code. So no one can log in to EU with my avatar until I send my real life ID to MA and ask them to change my email address and unlock the GC.
 
You will be fine Gold cards Rock

Telephone them Monday Morning..

Phone number you will find on their site.

Good Luck
Moonfish
 
I don't get it. :scratch2:
 
Not that I doubt you, but seriously - there is no way that a keylogger can be activated just by being uncompressed from a rar archive. No harm can come from uncompressing archives. The file must have been executed somehow.

Don't mean to bash here, I'm sorry to hear that you got hacked. One always thinks "It doesn't happen to me, I know what I'm doing". Makes one think about all the times I just enter my name and password without another thought about it...

It's best to give MA a phonecall - this is no everyday-support case.

By the way, what's a NRF program?

/Waperboy
 
I'm a bit confused here.
The keylogger had to get ur username and pw only if u'd had logged in after u downloaded it, did u really download it and then log in ?
 
Downloaded, removed, logged in. Seems the second part went wrong.
 
By the way, what's a NRF program?

No Resources Found

A tool for recording mining runs and making skill files that you can upload to Entropedia.
 
Regardless as to all the other comments, this case does expose one potential weakness with the gold card system, that has nagged at the back of my mind for a while.

Let's assume someone gets hold of a UID and PW, but not the gold card and reader.

Step one. Log into the EU web-page, and change the address.

Step two. Request a new card and reader, as "the dog ate it".

Step three. Activate the new card on receipt.

Step four. Rob the account.

How to avoid?

If you try and log into EU's page you need your gold card number to do anything other than ask for a new card to be sent to the already registered address.
 
damn

Nebu, I hope you'll get things sorted out. Do you by any chance remember the avatar, or the person, or the email address your contact had? Mbe you have an IP where you downloaded the program from?

Ppl are there other ways to track the bad guys? Mbe if we can get the IP, and send it to MA, that they can sort things out.

Best regards
Naomi
 
LOL That hacker was stupid. :laugh::laugh: Lucky for you. ;)

I meant... that hacker locked gold card and did not change EU web pass...
 
I think I said that once, but I was too lazy to look for the according info on the support page. So here it goes again: You need to send them your real life I.D. per post in order to get a new Gold Card if you lose the old one:

http://www.entropiauniverse.com/en/rich/5330.html#My_Gold_Card_is_not_synchronized? said:
Since the Gold Card System is meant to offer you the highest security possible, we cannot remove your Gold Card unless you send us a copy of your passport or other internationally acknowledged identification document to verify yourself as the true holder of the Entropia Universe account. Such documents should be sent by regular mail or fax to:

MindArk PE AB
Customer Service Department
Jarntorget 8
SE 413 04 Gothenburg
SWEDEN

FAX: 46-31-136016

What happens if I lose my card?

If you lose your Gold Card, we will de-activate your Gold Card (see above) to enable you to buy a new card. Please note that the Gold Card should be seen as a valuable item so it is your responsibility to treat it accordingly.


The admins of the German forum should have the IPs. I am not sure about it but they might be checking the case with the German authorities as PW sniffing is illegal.
 
Wow, I can't believe this happened to you. I hate it when these things happen. Either way, I'm glad you're a gold card owner, and I hope that the e-mail account wasn't that important, as it would be a shame to lose some important contact because the account was stolen.

I hope everything gets sorted out though, but give Mindark a call to fix it all as fast as possible, their number is: +46 31 - 60 72 60. They'll probably ask you to send in a copy of your birth certificate before they can do anything though, but I'm sure you'll be able to work it all out.
 
Actually even if it stores on your local machine only, if a trojan is running that allows them access to your machine (not hard to do) they can still read it.
 