Just do a quick google of 'flash exploit' and you will see a ton of ways banner ads are being exploited. It may not explain everything in detail, but it should give a good idea of how frequent and wide spread they are.
I googled and read several articles.
Some articles write that it was fixed by a patch already(as in withing a month or so), some write that windows with DEP on (it is on by default) will mitigate most if not all the damage even without a patch... Most respectible sites do not carry malicious banners, well, maybe they do slip once in a while, but its rather an exception then a rule. I do not think that this vulnerability would affect a large number of people. The number of people that got infected by this vulnerability and play WoW is even smaller. So I do not think this has anything to do with WoW accounts getting hacked. To add another argument to my reasoning, does anyone remember all those waves if trojan infections that infected millions of PCs in the past? Well, if we did not have an explosion of hacked WoW accounts then, why would anyone assume that this much smaller in scale vulnerability is responsible for increase in hacked accounts? I think we need to search for the reason somewhere else.
Infected flash banners, videos, etc is just one other way people are getting their accounts stolen. It is a combination of many different types of attacks. Many of which a typical player doesn't even understand, let alone know about.
Just for example, this website has had several instances of infected flash banner ads downloading trojans to users here. Google has had several instances of paid advertising links redirecting players to fake websites designed to look like blizzard website, wowhead, mmo-champion, etc.
Also we should not assume that every massive new story about a trojan making its rounds on the internet must equate to account hackers for a video game. Two seperate entities with very different goals from their respective hackings.
It's interesting how many of these "I was hacked!" stories include some phrase along the lines of "I know this 'cause I got an email from Blizzard."
I can't be 100% certain, but I'm *99*% certain Blizzard never sends any such emails. Think about it. Imagine if, every time you logged in from a different IP address, Blizzard's automated systems decided you were being hacked and shut down your account and sent you an email. Their tech support would be flooded with complaints if they did that.
So how many of you who knew your account was hacked because you "got a letter" clicked some link in that letter to "contact Blizzard" or "verify your email" or "re-enter your password" or any other such thing? (Or, hell, just opened the email in some mailer that renders HTML so Ghu-knows how many bugs and exploits could come through? Plain text, people! Plain text! It also makes phishing much more obvious, unless you think "www.blizzzard-accounts-security.com.ru" looks like a real address to you, in which case, you deserve what you get.)
Because when I look in my spam box, I see about 10-20 emails a week telling me "Your account has been hacked!", and if I was stupid enough to click on even one of them... it probably WOULD be.
Oh, you haven't been invited to the Cataclysm beta, either.
Just do a quick google of 'flash exploit' and you will see a ton of ways banner ads are being exploited. It may not explain everything in detail, but it should give a good idea of how frequent and wide spread they are.
I googled and read several articles.
Some articles write that it was fixed by a patch already(as in withing a month or so), some write that windows with DEP on (it is on by default) will mitigate most if not all the damage even without a patch... Most respectible sites do not carry malicious banners, well, maybe they do slip once in a while, but its rather an exception then a rule. I do not think that this vulnerability would affect a large number of people. The number of people that got infected by this vulnerability and play WoW is even smaller. So I do not think this has anything to do with WoW accounts getting hacked. To add another argument to my reasoning, does anyone remember all those waves if trojan infections that infected millions of PCs in the past? Well, if we did not have an explosion of hacked WoW accounts then, why would anyone assume that this much smaller in scale vulnerability is responsible for increase in hacked accounts? I think we need to search for the reason somewhere else.
Infected flash banners, videos, etc is just one other way people are getting their accounts stolen. It is a combination of many different types of attacks. Many of which a typical player doesn't even understand, let alone know about.
Just for example, this website has had several instances of infected flash banner ads downloading trojans to users here. Google has had several instances of paid advertising links redirecting players to fake websites designed to look like blizzard website, wowhead, mmo-champion, etc.
Also we should not assume that every massive new story about a trojan making its rounds on the internet must equate to account hackers for a video game. Two seperate entities with very different goals from their respective hackings.
Do you have any proof?
Again, hacking your PC just for a little chance that that PC actually belongs to someone who has WoW is a very very small possibility. Its like if you were trying to steal a car and instead of going to a mall, you go to a retirement house where even if someone does have a car, its so old, they will pay you to steal it. It just does not make sense. It makes more sense to steal accounts with phishing emails - its a LOT easier, its much more accurate and does not take that much time to setup.
Again, hacking your PC just for a little chance that that PC actually belongs to someone who has WoW is a very very small possibility. Its like if you were trying to steal a car and instead of going to a mall, you go to a retirement house where even if someone does have a car, its so old, they will pay you to steal it. It just does not make sense. It makes more sense to steal accounts with phishing emails - its a LOT easier, its much more accurate and does not take that much time to setup.
LoL a little chance to see an advertising banner that injects javascript code installing a keylogger/trojans on to thousands of machines and none of those people play WoW, for your information they target more than wow they also target bank passwords, email passwords,CC numbers,online game account usernames and passwords, stock market accounts and more.
This has happens hundereds of times even on search engines such as yahoo,google, also allakazam, facebook, curse gaming and hundreds more sites including farmville this vector has the potential to harvest a huge amount of sellable information.
want proof just google keyloggers in allakazam/curse gaming ads they have a wow site wait, why would anyone that plays wow go to a wow site [sarcasm].
Atm even windows is NOT safe hackers are using windows exploits to bypass av's read about it here:
I'm not stupid, I only check my email if I'm expecting something. I don't download third-party anything (curse included), and I don't give anyone my blizzard/battle.net information.
Now then. How the hell did someone get my information??
I was hacked 4 days after resubscribing. I logged in one afternoon to find my character nude and moneyless.
Even after nagging Blizzard about the situation, I hadn't heard back from them.
Like I said, I'm not stupid. But hackers will hack.
Again, hacking your PC just for a little chance that that PC actually belongs to someone who has WoW is a very very small possibility. Its like if you were trying to steal a car and instead of going to a mall, you go to a retirement house where even if someone does have a car, its so old, they will pay you to steal it. It just does not make sense. It makes more sense to steal accounts with phishing emails - its a LOT easier, its much more accurate and does not take that much time to setup.
I'm not really sure where the disconnect is at.
When account thieves can manage to get an infected banner ad on an mmo site, there is a pretty good chance they are going to get many people with wow accounts (or whatever they happen to be targeting).
The same holds true for search results that return paid advertising links that lead to infected websites.
Yes phishing emails are effective and easier, but why would thieves limit themselves? Why not take multiple approaches that confuse users and leave the theives methods undetected?
Again, hacking your PC just for a little chance that that PC actually belongs to someone who has WoW is a very very small possibility. Its like if you were trying to steal a car and instead of going to a mall, you go to a retirement house where even if someone does have a car, its so old, they will pay you to steal it. It just does not make sense. It makes more sense to steal accounts with phishing emails - its a LOT easier, its much more accurate and does not take that much time to setup.
LoL a little chance to see an advertising banner that injects javascript code installing a keylogger/trojans on to thousands of machines and none of those people play WoW, for your information they target more than wow they also target bank passwords, email passwords,CC numbers,online game account usernames and passwords, stock market accounts and more.
This has happens hundereds of times even on search engines such as yahoo,google, also allakazam, facebook, curse gaming and hundreds more sites including farmville this vector has the potential to harvest a huge amount of sellable information.
want proof just google keyloggers in allakazam/curse gaming ads they have a wow site wait, why would anyone that plays wow go to a wow site [sarcasm].
Atm even windows is NOT safe hackers are using windows exploits to bypass av's read about it here:
Again, hacking your PC just for a little chance that that PC actually belongs to someone who has WoW is a very very small possibility. Its like if you were trying to steal a car and instead of going to a mall, you go to a retirement house where even if someone does have a car, its so old, they will pay you to steal it. It just does not make sense. It makes more sense to steal accounts with phishing emails - its a LOT easier, its much more accurate and does not take that much time to setup.
I'm not really sure where the disconnect is at.
When account thieves can manage to get an infected banner ad on an mmo site, there is a pretty good chance they are going to get many people with wow accounts (or whatever they happen to be targeting).
The same holds true for search results that return paid advertising links that lead to infected websites.
Yes phishing emails are effective and easier, but why would thieves limit themselves? Why not take multiple approaches that confuse users and leave the theives methods undetected?
Can you provide proof that infected banner/ad on a major legit website resulted in hacked accounts? Because what you guys are discussing is possible in theory, but any decent website will scan/review the add And you can't inject java into images. You "might" be able to do that with Flash vulnerability, which does not exist anymore, which was patched very fast. So yeah, it is possible to get infected by a banner hack from a legit website, but the possibility is so remote, its not worth mentioning. If you think the possibility is not so small, please provide proof.
Right now i'm receiving AT LEAST 1 phishing email a day. These emails are more and more convincing each time. They are basicly copying official Blizzard email. I guess someone who's not careful could easily click the link provided and have is account compromised very quickly.
Can you provide proof that infected banner/ad on a major legit website resulted in hacked accounts? Because what you guys are discussing is possible in theory, but any decent website will scan/review the add And you can't inject java into images. You "might" be able to do that with Flash vulnerability, which does not exist anymore, which was patched very fast. So yeah, it is possible to get infected by a banner hack from a legit website, but the possibility is so remote, its not worth mentioning. If you think the possibility is not so small, please provide proof.
Jimmy, I am not sure what more you need to understand this. For whatever reasons you have convinced yourself that something like this is nearly impossible, when in fact it is a commonly accepted situation in security circles.
Google the term 'zero day exploit' if you think something is patched fast enough. Likewise I assume when you googled 'flash exploit' you did see that these types of exploits are not 1 time occurances nor limited to just flash player.
Here are some links to sites that I hope you find legit that have indeed had security issues or discuss security issues in this regard. Some deal with flash exploits, some phishing, some account hacking, but the point is the diversity and different avenues of approach that hackers are using.
P.S. Yes there is proof that these attacks did target and steal gaming accounts including world of warcraft. Just read the articles if you don't believe me.
Right now i'm receiving AT LEAST 1 phishing email a day. These emails are more and more convincing each time. They are basicly copying official Blizzard email. I guess someone who's not careful could easily click the link provided and have is account compromised very quickly.
Yup. I got one today saying something that I accessed my account from several different IPs and it was locked. In order to unlock it I had to click on a link to verify my ownership and unlock it... The thing is, I just changed my address today, so I fell for this for just 1 second, before the system admin in me yanked me by my ear: " why is this email in spam folder?" - check the links, they do not link to blizzard, check the headers, email was sent from hotmail. I imagine anyone with just basic computer knowledge would fall for this easy. And you don't need such clever means to infect computers like hacked banners, flash vulnerabilities, windows vulnerabilities, hacking unsecured routers, or whatever else people blame these days except themselves. Nope, its never their fault.
Jimmy, I am not saying the phishing attempts don't make up the majority of security flaws. I personally think they do make up the mother load of cases where people have their account stolen. Like you suggest, most people have a hard time admitting to themselves that they did something wrong.
It just is not the only method that thieves are employing.
Can you provide proof that infected banner/ad on a major legit website resulted in hacked accounts? Because what you guys are discussing is possible in theory, but any decent website will scan/review the add And you can't inject java into images. You "might" be able to do that with Flash vulnerability, which does not exist anymore, which was patched very fast. So yeah, it is possible to get infected by a banner hack from a legit website, but the possibility is so remote, its not worth mentioning. If you think the possibility is not so small, please provide proof.
Jimmy, I am not sure what more you need to understand this. For whatever reasons you have convinced yourself that something like this is nearly impossible, when in fact it is a commonly accepted situation in security circles.
Google the term 'zero day exploit' if you think something is patched fast enough. Likewise I assume when you googled 'flash exploit' you did see that these types of exploits are not 1 time occurances nor limited to just flash player.
Here are some links to sites that I hope you find legit that have indeed had security issues or discuss security issues in this regard. Some deal with flash exploits, some phishing, some account hacking, but the point is the diversity and different avenues of approach that hackers are using.
P.S. Yes there is proof that these attacks did target and steal gaming accounts including world of warcraft. Just read the articles if you don't believe me.
I followed several link, don't have time to check the rest, sorry . Curse web is a major site, I visited it daily back in 2009 when I still played WoW. As someone there mentioned Firefox + NoScript + NoFlash + AdBlock Plus = Win , I don't have NoFlash and NoScript, so I guess just Firefox+AdBlock Plus is enough to ignore this threat.
WoW post says they already have the fix (upgrade flash player http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html). So who got infected? People with outdated flash, and weak security. I think people are to blame here, although I agree - major sites like WoW forum or curse need to do a better job at filtering out bad advertisements.
PS: both links are old, 2009 and 2008. Anything more recent? the flash vulnerability issue was fixed in version 9.0.124.0, which was in August 2009 i believe.
Jimmy, I am not saying the phishing attempts don't make up the majority of security flaws. I personally think they do make up the mother load of cases where people have their account stolen. Like you suggest, most people have a hard time admitting to themselves that they did something wrong.
It just is not the only method that thieves are employing.
Oh yes I definitely agree with that. There are a number of new postings blaming Blizzard for hacked accounts. People do not realize that Blizzard can afford to employ highly skilled admins that would protect the integrity and security of the data, so that if a hack does happen somewhere, 99.9% chance is it on the user side, not Blizzard. I would estimate that 90% of hacked accounts result from phishing, 9.5% from vulnerabilities like flash/windows/IE and 0.5 actuall hacks like packet manipulations, brute force attacks on accounts/routers. Those numbers are my opinion and I can only back them up with a 10year experience as a intermediate system admin ( I did not study to be a system admin, so I do not consider myself a pro).
EDIT: to be absolutely clear on the point im trying to make, i'm not saying that flash vulnerabilities and such do not result in hacked accounts. I am saying the likelyhood of such a theft is very unlikely.
EDIT #2: here is a screenshot I found about a true hack (from the 0.5% category) that happened in Aion. Please note that only 90 characters were affected by this hack. I don't know how many people play Aion, but 90 hacked characters (not even accounts) is a very very low number. http://img14.imageshack.us/img14/6616/ticket2o.jpg
Just do a search for flash exploit and you will have all the answers you need. There was just a zero day exploit on June 6th for flash and adobe reader. link So even people with the most up to date flash and adobe were vulnerable for who knows how long.
The point is that even the most security minded people are vulnerable. It isn't just limited to people that click links in emails and don't update their computers with the latest security patches.
Jimmy, I am not saying the phishing attempts don't make up the majority of security flaws. I personally think they do make up the mother load of cases where people have their account stolen. Like you suggest, most people have a hard time admitting to themselves that they did something wrong.
It just is not the only method that thieves are employing.
Oh yes I definitely agree with that. There are a number of new postings blaming Blizzard for hacked accounts. People do not realize that Blizzard can afford to employ highly skilled admins that would protect the integrity and security of the data, so that if a hack does happen somewhere, 99.9% chance is it on the user side, not Blizzard. I would estimate that 90% of hacked accounts result from phishing, 9.5% from vulnerabilities like flash/windows/IE and 0.5 actuall hacks like packet manipulations, brute force attacks on accounts/routers. Those numbers are my opinion and I can only back them up with a 10year experience as a intermediate system admin ( I did not study to be a system admin, so I do not consider myself a pro).
EDIT: to be absolutely clear on the point im trying to make, i'm not saying that flash vulnerabilities and such do not result in hacked accounts. I am saying the likelyhood of such a theft is very unlikely.
EDIT #2: here is a screenshot I found about a true hack (from the 0.5% category) that happened in Aion. Please note that only 90 characters were affected by this hack. I don't know how many people play Aion, but 90 hacked characters (not even accounts) is a very very low number. http://img14.imageshack.us/img14/6616/ticket2o.jpg
Ok so the fact I trolled in the WoW forums saying blizzard was giving my email away, and that I got a blue response saying that he had several sites where I posted in blogs with the same email as my account should mean that my email is really protected in the databases and absolutely no blizzard employee has access to account emails which he could sale for 1cent each to a gold selling company...
500 000 emails = 5000$....
The moment 1000 people get hacked, its probably more than rentable for the gold company. 1000 idiots isn't hard to find, just walk near your home and speak to teens. Find 1100 and you win, at least 1000 will be complete idiots.
Blizzard security is shit. They care about profit, like every company out there. They can restore your account if you're hacked, which is less costly than hiring a security team/firm and fix the code used.
First off i dont even play WoW, but as soon as i signed up for Star Craft i started getting emails THAT DAY saying my wow acount was being compromised and i needed to click the link to remake my password.
also was getting emails saying my acount was being suspended and i needed to click the link to reactivate it.
there is a seriously leek in blizzard when it comes to the security of our email addresses.
Just do a search for flash exploit and you will have all the answers you need. There was just a zero day exploit on June 6th for flash and adobe reader. link So even people with the most up to date flash and adobe were vulnerable for who knows how long.
The point is that even the most security minded people are vulnerable. It isn't just limited to people that click links in emails and don't update their computers with the latest security patches.
Thnx for the link. Flash vulnerability was fixed in 6 days, on June 10, 2010. That being said, a decent browser with AddPlus, noflash would completely prevent this. If you did get infected, a second line defence would be your firewall, which should prevent any unauthorized communication with the hacker. I am beginning to feel paranoid about flash now... Maybe I should permanently turn it off.
Ok so the fact I trolled in the WoW forums saying blizzard was giving my email away, and that I got a blue response saying that he had several sites where I posted in blogs with the same email as my account should mean that my email is really protected in the databases and absolutely no blizzard employee has access to account emails which he could sale for 1cent each to a gold selling company...
500 000 emails = 5000$....
The moment 1000 people get hacked, its probably more than rentable for the gold company. 1000 idiots isn't hard to find, just walk near your home and speak to teens. Find 1100 and you win, at least 1000 will be complete idiots.
Blizzard security is shit. They care about profit, like every company out there. They can restore your account if you're hacked, which is less costly than hiring a security team/firm and fix the code used.
Green text: wouldn't that mean that someone got your email from those blogs and phished it? And no, an employee would not be able to get 500,000 emails. Maybe they can see email of the client who just called them, but they cannot see it in bulk. So, if your theory was correct, they would have to talk to 500,000 clients and record each email on a piece of paper. Of, that employee would have to mindlesly keep searching for made up first name/last name hoping to get a match - a decent interface would not even allow to get a result from such a generic input. CSR software I designed would require an exact match on: first name, last name, DOB or ID number, phone or client id number.
That is right over 200 apps are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system.
That is HUGE that means anything from flash to video could be used for remote code execution and all those authors will have to patch their program.
And this 5 million websites were effected im sure a lot of wow players ended up at some of those which are Wow blogs
I have software at work that can read stored user names and passwords for all sites stored on all browsers , using javascript a hacker could read your files while visiting his website and they gather data from your system and keep a log.
It is best use use a password manager that has strong encryption such as roboform.
Movies used to inject malware exploit still exists here:
Email is no longer safe hackers have found a way to spoof vaild id headers so well in fact that hackers are sending emails to domain registrars changing ownerships and stealing domain names and yes they are checking id headers and everything so even mail that looks legit you cannot be sure it was sent by them or not.
All hacker needs is an account at that mail provider.
Originally posted by Astro6 Zero day threats are real they exist always as new ones are patched other are found like the following which is current: http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/ That is right over 200 apps are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system. That is HUGE that means anything from flash to video could be used for remote code execution and all those authors will have to patch their program. And this 5 million websites were effected im sure a lot of wow players ended up at some of those which are Wow blogs
I think you are trying to make a huge problem from a little one. This problem effects in a very limited scenarios. For example, all users that are NOT part of the network and have a firewall, will not be effected by this. Most regular users are not part of the network. The attack would have to come from a PC located on internal network in order to bypass external firewall. quote "The bug allows attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file" So basically the malicious code already has to be there on a network computer to infect the other PC.
Interesting exploit... quote from the link "This attack cannot be used to steal passwords unless the page with the forms is on the same website for which a password has been saved.". And then again, this attack can be made only by going to a bad site. Don't go to bad sites = don't get hacked.
Originally posted by Astro6
I have software at work that can read stored user names and passwords for all sites stored on all browsers , using javascript a hacker could read your files while visiting his website and they gather data from your system and keep a log. It is best use use a password manager that has strong encryption such as roboform.
Firefox encrypts passwords. Just protect password manager with a master password and you are safe.
Originally posted by Astro6
Movies used to inject malware exploit still exists here: http://blog.trendmicro.com/trojanized-mov-files-faq/ Email is no longer safe hackers have found a way to spoof vaild id headers so well in fact that hackers are sending emails to domain registrars changing ownerships and stealing domain names and yes they are checking id headers and everything so even mail that looks legit you cannot be sure it was sent by them or not. All hacker needs is an account at that mail provider.
Nobody is disputing that you can't get hacked. You can. But why are you posting all of this? Why are you saying "If you leave your car keys in, your engine running, your door open, your car in a seedy neighborhood and you go shopping for 5 hours then when you return you find your car stolen." is that that unusual? I mean, basically what you are saying "If you go to hacker's house, prepare to be hacked." we get it. That's why most people don't do that.
I have software at work that can read stored user names and passwords for all sites stored on all browsers , using javascript a hacker could read your files while visiting his website and they gather data from your system and keep a log. It is best use use a password manager that has strong encryption such as roboform.
Originally posted by jimmyman99
Firefox encrypts passwords. Just protect password manager with a master password and you are safe.
The encryption is weak the program i use to recover forgotten passwords in all browsers picks up all passwords even if you use a master password.
Using a zero day exploit it bypasses the firewall if the firewall is software based, software firewalls can be bypassed by many methods.
More information on how unsafe old browsers are a lot of people use outdated browsers this is a danger to your security.
Some of it seems to be coming from infected banner adds (flash and java) on mods sites etc. Virus scanners don't seem to pick up on it so the only way is to block them entirely.
Comments
Infected flash banners, videos, etc is just one other way people are getting their accounts stolen. It is a combination of many different types of attacks. Many of which a typical player doesn't even understand, let alone know about.
Just for example, this website has had several instances of infected flash banner ads downloading trojans to users here. Google has had several instances of paid advertising links redirecting players to fake websites designed to look like blizzard website, wowhead, mmo-champion, etc.
Also we should not assume that every massive new story about a trojan making its rounds on the internet must equate to account hackers for a video game. Two seperate entities with very different goals from their respective hackings.
What he said...
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Do you have any proof?
Again, hacking your PC just for a little chance that that PC actually belongs to someone who has WoW is a very very small possibility. Its like if you were trying to steal a car and instead of going to a mall, you go to a retirement house where even if someone does have a car, its so old, they will pay you to steal it. It just does not make sense. It makes more sense to steal accounts with phishing emails - its a LOT easier, its much more accurate and does not take that much time to setup.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
LoL a little chance to see an advertising banner that injects javascript code installing a keylogger/trojans on to thousands of machines and none of those people play WoW, for your information they target more than wow they also target bank passwords, email passwords,CC numbers,online game account usernames and passwords, stock market accounts and more.
This has happens hundereds of times even on search engines such as yahoo,google, also allakazam, facebook, curse gaming and hundreds more sites including farmville this vector has the potential to harvest a huge amount of sellable information.
want proof just google keyloggers in allakazam/curse gaming ads they have a wow site wait, why would anyone that plays wow go to a wow site [sarcasm].
Atm even windows is NOT safe hackers are using windows exploits to bypass av's read about it here:
http://www.theregister.co.uk/2010/08/18/windows_code_execution_vuln/
I'm not stupid, I only check my email if I'm expecting something. I don't download third-party anything (curse included), and I don't give anyone my blizzard/battle.net information.
Now then. How the hell did someone get my information??
I was hacked 4 days after resubscribing. I logged in one afternoon to find my character nude and moneyless.
Even after nagging Blizzard about the situation, I hadn't heard back from them.
Like I said, I'm not stupid. But hackers will hack.
I'm not really sure where the disconnect is at.
When account thieves can manage to get an infected banner ad on an mmo site, there is a pretty good chance they are going to get many people with wow accounts (or whatever they happen to be targeting).
The same holds true for search results that return paid advertising links that lead to infected websites.
Yes phishing emails are effective and easier, but why would thieves limit themselves? Why not take multiple approaches that confuse users and leave the theives methods undetected?
Funny post.. "want proof of what I am saying? Find it yourself!".
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Can you provide proof that infected banner/ad on a major legit website resulted in hacked accounts? Because what you guys are discussing is possible in theory, but any decent website will scan/review the add And you can't inject java into images. You "might" be able to do that with Flash vulnerability, which does not exist anymore, which was patched very fast. So yeah, it is possible to get infected by a banner hack from a legit website, but the possibility is so remote, its not worth mentioning. If you think the possibility is not so small, please provide proof.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Right now i'm receiving AT LEAST 1 phishing email a day. These emails are more and more convincing each time. They are basicly copying official Blizzard email. I guess someone who's not careful could easily click the link provided and have is account compromised very quickly.
Jimmy, I am not sure what more you need to understand this. For whatever reasons you have convinced yourself that something like this is nearly impossible, when in fact it is a commonly accepted situation in security circles.
Google the term 'zero day exploit' if you think something is patched fast enough. Likewise I assume when you googled 'flash exploit' you did see that these types of exploits are not 1 time occurances nor limited to just flash player.
Here are some links to sites that I hope you find legit that have indeed had security issues or discuss security issues in this regard. Some deal with flash exploits, some phishing, some account hacking, but the point is the diversity and different avenues of approach that hackers are using.
http://www.curse.com/articles/curse-en-news/526956.aspx
http://www.virusbtn.com/news/2008/05_29.xml?rss
http://www.macnn.com/articles/08/05/28/widespread.flash.exploit/
http://www.mmorpg.com/discussion2.cfm/thread/168754/page/1
http://forums.ddo.com/showthread.php?t=242978
http://www.macworld.com/article/133616/2008/05/adobeflash.html
http://forums.worldofwarcraft.com/thread.html?topicId=6864486401
http://n4g.com/news/463165/world-of-warcraft-hacked-via-adobe-flash-exploit
http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201099
I hope this answers any questions you have.
P.S. Yes there is proof that these attacks did target and steal gaming accounts including world of warcraft. Just read the articles if you don't believe me.
Yup. I got one today saying something that I accessed my account from several different IPs and it was locked. In order to unlock it I had to click on a link to verify my ownership and unlock it... The thing is, I just changed my address today, so I fell for this for just 1 second, before the system admin in me yanked me by my ear: " why is this email in spam folder?" - check the links, they do not link to blizzard, check the headers, email was sent from hotmail. I imagine anyone with just basic computer knowledge would fall for this easy. And you don't need such clever means to infect computers like hacked banners, flash vulnerabilities, windows vulnerabilities, hacking unsecured routers, or whatever else people blame these days except themselves. Nope, its never their fault.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Jimmy, I am not saying the phishing attempts don't make up the majority of security flaws. I personally think they do make up the mother load of cases where people have their account stolen. Like you suggest, most people have a hard time admitting to themselves that they did something wrong.
It just is not the only method that thieves are employing.
I followed several link, don't have time to check the rest, sorry
. Curse web is a major site, I visited it daily back in 2009 when I still played WoW. As someone there mentioned Firefox + NoScript + NoFlash + AdBlock Plus = Win , I don't have NoFlash and NoScript, so I guess just Firefox+AdBlock Plus is enough to ignore this threat.
WoW post says they already have the fix (upgrade flash player http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html). So who got infected? People with outdated flash, and weak security. I think people are to blame here, although I agree - major sites like WoW forum or curse need to do a better job at filtering out bad advertisements.
PS: both links are old, 2009 and 2008. Anything more recent? the flash vulnerability issue was fixed in version 9.0.124.0, which was in August 2009 i believe.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Oh yes I definitely agree with that. There are a number of new postings blaming Blizzard for hacked accounts. People do not realize that Blizzard can afford to employ highly skilled admins that would protect the integrity and security of the data, so that if a hack does happen somewhere, 99.9% chance is it on the user side, not Blizzard. I would estimate that 90% of hacked accounts result from phishing, 9.5% from vulnerabilities like flash/windows/IE and 0.5 actuall hacks like packet manipulations, brute force attacks on accounts/routers. Those numbers are my opinion and I can only back them up with a 10year experience as a intermediate system admin ( I did not study to be a system admin, so I do not consider myself a pro).
EDIT: to be absolutely clear on the point im trying to make, i'm not saying that flash vulnerabilities and such do not result in hacked accounts. I am saying the likelyhood of such a theft is very unlikely.
EDIT #2: here is a screenshot I found about a true hack (from the 0.5% category) that happened in Aion. Please note that only 90 characters were affected by this hack. I don't know how many people play Aion, but 90 hacked characters (not even accounts) is a very very low number. http://img14.imageshack.us/img14/6616/ticket2o.jpg
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Just do a search for flash exploit and you will have all the answers you need. There was just a zero day exploit on June 6th for flash and adobe reader. link So even people with the most up to date flash and adobe were vulnerable for who knows how long.
The point is that even the most security minded people are vulnerable. It isn't just limited to people that click links in emails and don't update their computers with the latest security patches.
Ok so the fact I trolled in the WoW forums saying blizzard was giving my email away, and that I got a blue response saying that he had several sites where I posted in blogs with the same email as my account should mean that my email is really protected in the databases and absolutely no blizzard employee has access to account emails which he could sale for 1cent each to a gold selling company...
500 000 emails = 5000$....
The moment 1000 people get hacked, its probably more than rentable for the gold company. 1000 idiots isn't hard to find, just walk near your home and speak to teens. Find 1100 and you win, at least 1000 will be complete idiots.
Blizzard security is shit. They care about profit, like every company out there. They can restore your account if you're hacked, which is less costly than hiring a security team/firm and fix the code used.
First off i dont even play WoW, but as soon as i signed up for Star Craft i started getting emails THAT DAY saying my wow acount was being compromised and i needed to click the link to remake my password.
also was getting emails saying my acount was being suspended and i needed to click the link to reactivate it.
there is a seriously leek in blizzard when it comes to the security of our email addresses.
Thnx for the link. Flash vulnerability was fixed in 6 days, on June 10, 2010. That being said, a decent browser with AddPlus, noflash would completely prevent this. If you did get infected, a second line defence would be your firewall, which should prevent any unauthorized communication with the hacker. I am beginning to feel paranoid about flash now... Maybe I should permanently turn it off.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Green text: wouldn't that mean that someone got your email from those blogs and phished it? And no, an employee would not be able to get 500,000 emails. Maybe they can see email of the client who just called them, but they cannot see it in bulk. So, if your theory was correct, they would have to talk to 500,000 clients and record each email on a piece of paper. Of, that employee would have to mindlesly keep searching for made up first name/last name hoping to get a match - a decent interface would not even allow to get a result from such a generic input. CSR software I designed would require an exact match on: first name, last name, DOB or ID number, phone or client id number.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Zero day threats are real they exist always as new ones are patched other are found like the following which is current:
http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/
That is right over 200 apps are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system.
That is HUGE that means anything from flash to video could be used for remote code execution and all those authors will have to patch their program.
And this 5 million websites were effected im sure a lot of wow players ended up at some of those which are Wow blogs
http://www.theregister.co.uk/2010/08/17/net_sol_tainted_widget/
Browsers are NOT safe NEVER save usernames and passwords they can be stolen, this is how many email accounts and online game accounts are stolen.
http://blog.trendmicro.com/blackhat-2010-broken-browsers-malware-fingerprinting-and-exploits-made-easy/
I have software at work that can read stored user names and passwords for all sites stored on all browsers , using javascript a hacker could read your files while visiting his website and they gather data from your system and keep a log.
It is best use use a password manager that has strong encryption such as roboform.
Movies used to inject malware exploit still exists here:
http://blog.trendmicro.com/trojanized-mov-files-faq/
Email is no longer safe hackers have found a way to spoof vaild id headers so well in fact that hackers are sending emails to domain registrars changing ownerships and stealing domain names and yes they are checking id headers and everything so even mail that looks legit you cannot be sure it was sent by them or not.
All hacker needs is an account at that mail provider.
I am the type of player where I like to do everything and anything from time to time.
http://en.wikipedia.org/wiki/Holodomor - pre-WW2 genocide.
Originally posted by Astro6
I have software at work that can read stored user names and passwords for all sites stored on all browsers , using javascript a hacker could read your files while visiting his website and they gather data from your system and keep a log. It is best use use a password manager that has strong encryption such as roboform.
Originally posted by jimmyman99
Firefox encrypts passwords. Just protect password manager with a master password and you are safe.
The encryption is weak the program i use to recover forgotten passwords in all browsers picks up all passwords even if you use a master password.
Using a zero day exploit it bypasses the firewall if the firewall is software based, software firewalls can be bypassed by many methods.
More information on how unsafe old browsers are a lot of people use outdated browsers this is a danger to your security.
http://www.symantec.com/connect/articles/password-management-concerns-ie-and-firefox-part-one
If you plan on keeping an old browser use a password manager with strong encryption.
Some of it seems to be coming from infected banner adds (flash and java) on mods sites etc. Virus scanners don't seem to pick up on it so the only way is to block them entirely.