I saw this interesting conversation posted on a Diablo III fansite today, and it has a lot of relevance to information security. The interview is about gold farming, the practice of using automated bots to gather massive amounts of in-game gold and items that can then be sold for cash. At one point, though, the conversation turns to how online game accounts are compromised.
The gold farmer claims that most game account compromises come from one source - forums. Attackers compromise a fan forum site and take the usernames, email addresses and passwords (or password hashes). Those credentials are then tried against the game login, as well as email accounts, PayPal, banks, credit cards and other online services. The whole process of checking accounts is automated with tools, and the accounts that work are either used by the original criminals or sold on to others.
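The attack described here (a leaked forum "combo list" replayed against a game login) leaves a distinctive trace in the game's own authentication logs: one source address trying many different usernames in quick succession with a high failure rate, and the occasional success being the account that reused its forum password. The following is an added example, not part of the original post or any Blizzard or fansite code, showing how a defender might flag such sources and pick out the accounts that need a forced password reset. The log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Detect credential-stuffing sources in login events and list accounts to reset."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.5 walks through a combo list and hits one reused password (bob);
# 198.51.100.7 is an ordinary user mistyping once; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z 203.0.113.5 alice FAIL
2012-06-01T10:00:02Z 203.0.113.5 bob OK
2012-06-01T10:00:02Z 203.0.113.5 carol FAIL
2012-06-01T10:00:03Z 203.0.113.5 dave FAIL
2012-06-01T10:00:03Z 203.0.113.5 erin FAIL
2012-06-01T10:00:04Z 203.0.113.5 frank FAIL
2012-06-01T10:00:04Z 203.0.113.5 grace FAIL
2012-06-01T10:00:05Z 198.51.100.7 carol FAIL
2012-06-01T10:00:09Z 198.51.100.7 carol OK
2012-06-01T10:01:00Z 192.0.2.9 dave OK
"""

# Hypothetical line layout: "<ISO-8601 UTC> <ip> <user> <OK|FAIL>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(text):
    """Parse log text into (timestamp, ip, user, success) tuples, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a bad line should not take the detector down
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def flag_stuffing_sources(events, now=None, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for sources that tried many distinct users and mostly failed.

    Only events inside the trailing `window` (ending at `now`, default: latest event)
    are counted. Thresholds are illustrative; tune them against real traffic.
    """
    if not events:
        return {}
    now = now or max(ts for ts, _, _, _ in events)
    cutoff = now - window
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ts, ip, user, ok in events:
        if ts < cutoff:
            continue
        users[ip].add(user)
        total[ip] += 1
        if not ok:
            fails[ip] += 1
    flagged = {}
    for ip in total:
        ratio = fails[ip] / total[ip]
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "attempts": total[ip],
                "fail_ratio": round(ratio, 2),
            }
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that authenticated successfully from a flagged source.

    A success from a combo-list source means that user's forum password also
    works on the game: revoke sessions and force a password change.
    """
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    hits = flag_stuffing_sources(ev)
    for ip, stats in hits.items():
        print(f"credential stuffing from {ip}: {stats}")
    print("force reset + revoke sessions:", accounts_to_reset(ev, hits))
```

The source-level signal (many distinct usernames, high failure ratio) is what distinguishes a replayed combo list from a single user forgetting a password, which is why the detector keys on the IP rather than on per-account failure counts. In practice the same logic runs over a rolling window on the live auth stream, and the reset list feeds the account-security workflow rather than a print statement.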
See below for the relevant text or see the entire interview with a Diablo III gold farmer.
MeD: Do you have any information on the account hacking that people are reporting even with having the authenticator?
Farmer: Yeah, I know everything about that.
MeD: Would you be willing to share that information with us?
Farmer: They don’t hack the computers, the passwords.
MeD: When you say they don’t hack the computers, they don’t have the player’s computers or they don’t hack Blizzard’s computers?
Farmer: They hack forums and such and take the same email and password and test it on Blizzard.
MeD: That’s what I thought. And that is testament to all of you guys out there who are using the same email and password for forums and such for your game.
Farmer: If they have 1 million stolen emails and passwords they might get 1% to 10%.
MeD: What type of websites are targets for this?
Farmer: Diablo websites or Blizzard in general.
MeD: So you are talking about Diablo fansites that have forums that you know have been successfully hacked these and get the logins and passwords.
Farmer: Yeah, correct, it’s easy.
MeD: And in the forums of Blizzard are you able to get anything out of there?
Farmer: No. Blizzard is bullet proof, logically.
MeD: I ran forums quite a while ago and we had 130k+ members and we had issues with hack attempts at our forum accounts quite often. We were very puzzled about it. There was one time when they got everyone’s log in and password but they didn’t log into anyone’s forum account. Do you suppose that when they got into our forums do you think they were just looking to match up
Farmer: Yeah. They used it to try on people, mail and Blizzard and such. It’s called combo.
MeD: Is that a mispronunciation of your program or is that what it’s actually called?
Farmer: Nah. It’s made to make combo lists.
MeD: We reset everyone’s password, we did that for them. We were worried they were trying to hack into the forum accounts. This was many years ago by the way. What I didn’t realise then but I’m realising now is that this was all about accessing the game accounts and it had nothing to do with our forums. I bet that a lot of these forums that are getting compromised are getting compromised over and over again. Would you say that is correct?
Farmer: Yeah and Paypal and banks, Facebook and so forth and small percent Russian spammers.
MeD: They are testing this against multiple things, they are not just testing this against Diablo accounts, they also test against PayPal and their bank logins.
Farmer: They test it against everything and sell it.
MeD: How much do they sell these for?
Farmer: It depends on what’s on them.
MeD: 10c an account, $10 an account? Do you know the range there?
Farmer: ??? Doesn’t sell.