  1. #1
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030

    My Account was Hacked :(

    Just a tidbit of info for the Quetz community, since I have no way of contacting my friend list people.

    Either late Dec 3rd or on Dec 4th, my account was hacked using a virus called infostealer.gamania (a keylogger). PoL cannot reset my password because the people who did it changed it to their own credit card and password. They said they cannot reset the password for me even with the card info I've used for 3.5 years and every single registration code, because it isn't in accord with their policy. (Their policy states that you must be able to give them account number, name, bday, first and last 4 card numbers, and street address.) I'm still trying to get it back.

    The people who took my account moved my character to Asura, and there are two characters believed to be selling my stuff. Tamasa just popped on AH "coincidentally" right after I was hacked. Esanlu seems to have been involved with my account and someone else's.
    Last edited by Jussy; December 8th, 2007 at 02:33 PM.

  2. #2
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    I suspect rmt because they sold a thf knife which I never owned, also they bought hi-potion tanks and ninjutsu elemental tools which suggest using my bst seals for PCC or something... /cry

    Okay, so I've talked to the PoL ppl 4 times today and the police twice. The first PoL instructed me to fill out some report online that is to be directed to the local police dept. Then I called back to get more info, and this PoL representative told me to avoid the online thing and to call the police directly. So the police sent an officer to my house and he explained to me that FBI handles cases of fraud etc, and that it's too common of a deal for a local police dept to handle. He said that it should be PoL's responsibility to report this and investigate, not mine. So after he left, I called the PoL ppl back and this guy, in short, told me there was nothing he could do to get my account back and that it was my responsibility to keep my info secure, blablabla. He said there was nothing short of a California court-ordered subpoena (sp?) that would get them to give me the info to get my account back. So I called the police dept again and this guy was very helpful. He listened to the whole ordeal, and then told me he'd look into it and call me right back. He did, and told me that there was nothing they could pursue unless I had physical evidence of credit card use or ID fraud. So he advised me to call PoL again and to try multiple times til I found someone helpful, and to see what else they could do. First try (1/1 unlike Kirin!) I get a really helpful guy. He said that he got an email from his supervisor saying that if someone complained, claiming that their account was compromised, to have them submit main character name, server, linkshells, previous credit card info and address, and PoL registration number. (The crappy thing is that the representative before this said that nobody there, supervisors included, had access to past account info, only present.) I call BS. Oh, and of course, the guy pronounced my character's name as "Juicy?" So now, he's submitting this info to his supervisor, but has no idea when the supervisor will try to contact me, if at all.

    I'll give it a week-ish until I call back. My last stand is to push for ID fraud, given the hacker is operating the account with his credit card and address under my name and birthday.

  3. #3
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    I called again to see if giving them the names of those two characters that are suspected to have taken my stuff would get us anywhere faster. She told me the supervisor is handling several cases like mine, and that if anything changes (i.e. "Oh shi... this may be the real owner of the account! We may want to do something.") he will call me. She said that if/when I get my account back, that I should then take it up with a GM. So I'm just waiting on them to process this whole ordeal atm. I'm going to get on a friend's character (Claxton) here in a minute and see if I can talk to a GM now, to hopefully get a faster response.
    Last edited by Jussy; December 8th, 2007 at 02:20 PM.

  4. #4
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    I made a list of about 50 items that I tracked and I checked the Dec 3rd-5th history under each name that popped up to look for patterns.

    Okay, so I talked to a GM with Claxton and he said that he will flag the names to be looked into. I made a brief STF report yesterday, but he told me to make a more detailed one to make it go faster. So I just did that. He also said he cannot reimburse any items traded or sold, only dropped ones. I estimated that the worth of all my gear, including Osode, and LS gil to be around 19M! /cry.

    Here is the STF report for those interested in the nitty-gritty details. Don't laugh at my flatteringly persuasive appeals! lol:

    Okay, I hope this doesn't get too long. I sent a message yesterday concerning my account being compromised (<insert account number here>). After speaking with a GM today, he instructed me to send a more detailed report in order to make your job smoother.
    On either Dec. 3rd or 4th my account was believed to be hacked. Upon compromisation of my account, the culprit changed the credit card and street address information. Therefore, I am having much difficulty with the PlayOnline people. I researched items that I figured I would lose on ffxiah.com and came up with two names that could be involved: Tamasa and Esanlu. As I mentioned, my account was taken either late on the 3rd, or on the 4th, and magically the character Tamasa's first auction house appearance is on the 4th, and they have yet to sell an item that I did not already own. Here is a link showing this:

    http://www.ffxiah.com/player.php?id=1095517

    Esanlu is suspicious as well. If he is not involved with my account being hacked, then he could be suspected of robbing someone else's items. From Dec. 3rd to the Prism Cape sold on Dec. 5th, this character sold items that I owned as well, however the inconsistency is that Esanlu and Tamasa sold several HQ Staves that were the same. Here is a link to his auction house activity.

    http://www.ffxiah.com/player.php?id=1094053&sid=28

    My character (I assume after it was looted) was moved to the Asura server from Quetzalcoatl. There the culprits proceeded to buy items that I previously owned. This is another reason I assume my equip/items were looted on Quetzalcoatl. This is also another reason why I assume I was hacked by RMT-related people (Due to the cross-server collaboration.) The link showing my character's Asura auction house history follows:

    http://www.ffxiah.com/player.php?id=1094864&sid=28

    Among the items on this site purchased that I already owned, or owned an HQ version of are: Mamushito +1, Amemet Mantle, Evasion Torque, Scorpion Harness, and Fuma Sune-ate.

    It may be a good idea to research what characters my character (Jussy) was involved with immediately after server migration on Asura. There may be more dirty crooks to be found there.

    Thank you for handling these kinds of issues. You guys are heroes for those of us who really enjoy playing with as greatly reduced RMT-activity as possible. I hope I have supplied enough information to aid you in catching these guys. It's sickening how they take people's years of hard work on FFXI and then throw it all away to make a quick buck somewhere... truly sickening.

    If you happen to need more information that you believe I may help you with, my e-mail is Jussy_003@hotmail.com. I've estimated that I will have lost around 19M in gil. According to current RMT prices on various sites, this is close to $1000 worth of items lost. And to farm that back (50k/hour) it's an estimated 380 man-hours lost. Please catch these selfish people!!

  5. #5
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    So... I went to Wal-mart and bought a new Norton software disc for both my PCs. When it did a scan it found Infostealer.gamania (A malicious trojan virus that records passwords and keystrokes). To anyone not using anti-virus software, or really crappy kinds (like the free stuff) I'd suggest paying $70 to get the real deal.

  6. #6
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030

    OP by Dowzer

    There is a person on Blue Gartr forums who is organizing a list of players who've recently been hacked. He believes it happened to multiple players between 2-3AM on Tuesday.

    Hope this helps man. :/

    http://www.bluegartrls.com/forum/vie...hp?f=2&t=27042

  7. #7
    Naelli
    Guest
    Quote Originally Posted by Jussy View Post

    Esanlu is suspicious as well. If he is not involved with my account being hacked, then he could be suspected of robbing someone else's items. From Dec. 3rd to the Prism Cape sold on Dec. 5th, this character sold items that I owned as well, however the inconsistency is that Esanlu and Tamasa sold several HQ Staves that were the same. Here is a link to his auction house activity.
    Esanlu is a hume female with a black pony tail. I saw "her" stand outside Port Jeuno while she traded Thewolf's gear. Sandy Aketon and nothing else on.

    I think some of the gear sold off is yours and Thewolf's, He had 8/8 HQ staff and a Genie weskit. Plus whatever else the creeps stole of his melee gear. idk.

  8. #8
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    To address what Zylia was talking about, selling characters/items online is not illegal, it is only against policy. SE cannot sue you for example if you sell your character on eBay, they just retain the right to suspend the account. Therefore, it does have monetary value.

  9. #9
    Diablo III!
    Reputation Reputation
    Blackmagik's Avatar
    Join Date
    Jan 2005
    Location
    Winnipeg Manitoba, Canada
    Posts
    2,864
    oh my, that sucks, hmmm 3rd party programs 4tl?

    Thanks Skanya!

  10. #10
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    I am calling PoL for like the 6th time Monday to see if I can speak to a supervisor directly, and to see if I were to fly to California if presenting my ID (which would prove ownership) would get my account back. The people who took my account have committed fraud now since they are operating it and a credit card under my name and birthday. I can't believe PoL employees are allowed to let that continue. So anyway, if neither of these work, I'm hitting up the police station for the 3rd time.

  11. #11
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    Quote Originally Posted by Blackmagik View Post
    oh my, that sucks, hmmm 3rd party programs 4tl?
    I have windower on my laptop, but rarely use my laptop over my desktop. Also, I have not downloaded it in over a year. How my account was compromised is not the issue; how to get it back is. Please stay on topic.

  12. #12
    The Inevitable.
    Reputation

    Join Date
    Oct 2007
    Location
    San Francisco
    Posts
    13

    It Can Be Done!

    Sooo feel you where you're coming from SE customer service is horrible in my own opinion. This is how I got them to help me out.
    my xbox encountered those nasty red rings of death.... but my ffxi account was linked to my xbox so even with a new xbox SE did not want to assign my character to my new xbox live account. So I give SE a call and their customer service rep hung up on me twice for my persistence, whenever you ask for a manager they'll say that you have to write them a letter blah blah blah. So after about the 5th time I called and let them know where I was standing I was still turned down.

    Call SE headquarters!! and let them know about the way you've been treated!! ask to speak to a manager at their corporate office!!. If you attempt the customer service they'll just blow you off. After I spoke with a higher up manager at their corporate location in SoCal he lit a fire under their asses and guess what now they have the access to do whatever I wanted. Don't mess with the little man. My character was restored within the hour and I vowed to shoot myself then call those morons again. Hope this was of some help to you
    Last edited by Demetrik; December 9th, 2007 at 03:54 PM. Reason: raawr

  13. #13
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030
    Quote Originally Posted by Demetrik View Post
    Sooo feel you where you're coming from SE customer service is horrible in my own opinion. This is how I got them to help me out.
    my xbox encountered those nasty red rings of death.... but my ffxi account was linked to my xbox so even with a new xbox SE did not want to assign my character to my new xbox live account. So I give SE a call and their customer service rep hung up on me twice for my persistence, whenever you ask for a manager they'll say that you have to write them a letter blah blah blah. So after about the 5th time I called and let them know where I was standing I was still turned down.

    Call SE headquarters!! and let them know about the way you've been treated!! ask to speak to a manager at their corporate office!!. If you attempt the customer service they'll just blow you off. After I spoke with a higher up manager at their corporate location in SoCal he lit a fire under their asses and guess what now they have the access to do whatever I wanted. Don't mess with the little man. My character was restored within the hour and I vowed to shoot myself then call those morons again. Hope this was of some help to you
    Hey thanks a lot! A flame of hope! Do you still have this number?

  14. #14
    Shadow Banisher
    Reputation
    Jussy's Avatar
    Join Date
    Feb 2005
    Posts
    1,030

    PoL Comments/Suggestions

    So here is what I am submitting to the comments and suggestions people. For those willing to lend a hand, I intend to make a revised version that other people can copy and paste to submit. I have finals to study for at the moment, so it might be a couple of days.


    Hello, I am registered with PlayOnline, and I am an avid Final Fantasy XI player. Due to the difficulties I have encountered after my account was compromised, I have a few policy suggestions that I would like to share. I am the owner of account number ********.

    Problem:
    Late December 3rd or December 4th, my account was hacked by a virus called “infostealer.gamania”. I have made seven or eight calls to the PlayOnline representatives, who unfortunately can do almost nothing due to “policy.” Currently, it is PlayOnline’s policy for an account owner to provide the following before resetting a password: account number, name, birth date, first and last four digits of the current credit card, and street address. For basic policy procedure such as forgotten passwords, providing the above information is adequate. However, in cases of hacked accounts, this is not enough. In the event of compromised accounts, it should naturally follow that a different procedure should be taken in order to verify the identity of the person on the other side of the phone. This is due to the fact that the personal information of a compromised account is normally changed after it is acquired. The issue is that PlayOnline IDs and passwords have too much influence over establishing rights to an account. I have four suggestions for modifying PlayOnline’s current password reset policy.
    1) A proper account owner could verify ownership via registration codes.
    2) A proper account owner could verify ownership via previous credit card information.
    3) There could be a more involved procedure for changing personal information.
    4) There could be optional password protection via telephone.

    Solutions:
    1) PlayOnline could require account information that is harder to steal, for example, registration codes. Registration codes cannot be as easily leaked because they are only entered once. The most important thing however, is that registration codes can only belong to one user, and in order to be stolen, it must be physically taken, rather than virtually as we see in on-line crimes. To take it further, since registration codes could still be leaked and used maliciously, PlayOnline could additionally require the credit card information that was being used when the registration code was submitted via the PlayOnline account.

    2) This proposal, which would effectively make account-stealing more difficult, is that an account owner could verify ownership via previous credit card information. I propose that providing the full credit card and street address information that was used on the account prior to its alleged hacking to be a sufficient replacement for the current first and last four digits and address. This would allow more extensive account security for those of us who have been your customers for years. These RMT and hackers are the bad guys, we account users are the victims, and PlayOnline representatives are supposed to be the good guys. However, when victims call in complaining about bad guys, the good guys can do nothing because of a flawed policy. This leads to PlayOnline being viewed as having very poor customer service. Also, hackers do not operate within policy procedure, so, in cases where hacking is involved, why should PlayOnline? It’s an obvious barrier in getting these problems solved. One may say: “Well, following policy faithfully is what makes PlayOnline different from hackers.” This is a very admirable and true answer. However, my point is that because these bad guys have no policy constraint, the policy of PlayOnline must be flexible so that it can effectively combat complicated issues. The logic I am promoting is “If the enemy uses bullets, you buy Kevlar vests, and if the enemy uses armor-piercing ammo, you take appropriate measures to combat it.” However, the logic that I see from current PlayOnline representatives is “We built armor. The enemy uses armor-piercing ammo, but our policy doesn’t allow us to upgrade, I’m sorry.”

    3) With the current PlayOnline policy, hackers only need to have the ID and password in order to take entire control of an account. Because of this fact, they can too easily gain what one of your representatives called “rights to the account.” I believe that other measures should be taken to ensure that these “rights” are not exchanged so easily. These measures would create more account security for the real owners while increasing the difficulty of hackers and RMT to keep acquired accounts. My proposal has two suggestions. The first suggestion is that the existing full credit card number (or perhaps the first and last four, as is current policy) should be submitted along with the new credit card information when a user attempts to change the credit card information. This would be similar to how you change passwords on other online accounts such as email. In these instances they make you provide the old password when changing it to a new one. The second suggestion is that upon credit card changing, an email should be sent to the user outside of PlayOnline’s account that requires activation before the new credit card takes effect. This would slow hackers by forcing them to have information outside of PlayOnline to do their dirty work. Simply put, ID and passwords have too much power within one’s PlayOnline account, and are insufficient in verifying the identity of the account’s true owner.

    4) Another measure that could be taken is optional password security via PlayOnline representatives on the phone. This would offer a method of account security free from internet hacking. By this process, an account user who is able to verify his identity as the appropriate owner of the account could submit a password on the telephone with a representative that would either give him or her full access to the account’s information in the event that he or she believes the account to be compromised. Also, verbal password authorization could be optionally chosen for those account owners who wish that their information never be allowed to be changed via online means. According to this process, anything changed would have to be done over the phone.

    Conclusion:
    Thank you for reading my proposal. It is my wish that you put as much effort into effecting some type of policy change to benefit your PlayOnline account users as I have in recovering my account from its hackers. I have not yet recovered my account, but am taking every measure humanly possible in doing so. I can only hope that a future policy change will alleviate your employees' current restraints so that I may once again roam the world of Vana’diel with my friends without having to repurchase all of the game discs and re-leveling my character. Starting over from scratch is not an option for me. It would cost too much, and be too depressing to repeat almost 300+ hours of work. Many users have enjoyed your game for years, and desire to use it for entertainment for more years to come. In light of this it is truly sickening to think that hackers are so easily able to steal our accounts and “gain rights” to them without immediate resolution by the actual owners or PlayOnline representatives. These malicious hackers must be stopped, or at least slowed, and I am sure that the aforementioned proposals can effect this.

    The Special Task Force stated in one of their recent reports that RMT activities have declined, and that their gil reserves have been greatly reduced and are having a much harder time staying in business. There is no doubt in my mind, that if at least one of the measures I have suggested are taken, that these RMT companies will have exponentially more difficulty in plaguing the Final Fantasy XI game environment. Thousands of us play your game and work diligently to create our characters and enjoy their experiences. We utilize teamwork, imagination, logic, and, above all, a lively spirit when we strive to master the game that your company has created. It is my sincerest request that you approach the above account-hacking issues with the same attitude, and solve this so that many of us in your game community may reacquire our accounts and continue to make memories with our friends online.

    Sincerely,
    My Name
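
Suggestion 3 in the post above (the old card is required, then the change waits for a confirmation sent to the e-mail on file), sketched as an added example; it is not part of the original post and not PlayOnline code. All names, the 24-hour window and the sample values used with it are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for a confirmation


def digest(value: str) -> bytes:
    # Demo only: keeps raw card numbers and tokens out of the account record.
    # A real billing system would hold a payment-processor reference instead.
    return hashlib.sha256(value.encode()).digest()


class BillingChangeError(Exception):
    """Raised whenever a card change is refused."""


@dataclass
class Account:
    email: str           # contact address held outside the game login
    card_digest: bytes   # digest of the card currently on file
    pending: dict = field(default_factory=dict)  # at most one pending change


def request_card_change(acct, current_card, new_card, outbox, now=None):
    """Step 1: a valid login is not enough; the caller must know the old card."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(acct.card_digest, digest(current_card)):
        raise BillingChangeError("current card does not match the one on file")
    token = secrets.token_urlsafe(32)
    acct.pending = {
        "token_digest": digest(token),
        "new_card_digest": digest(new_card),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # The token leaves only through the e-mail on file, never through the
    # logged-in session, so a stolen ID and password cannot complete the change.
    outbox.append((acct.email, token))


def confirm_card_change(acct, token, now=None):
    """Step 2: the new card takes effect only when the e-mailed token returns."""
    now = time.time() if now is None else now
    pending = acct.pending
    if not pending:
        raise BillingChangeError("no pending change")
    if now > pending["expires"]:
        acct.pending = {}
        raise BillingChangeError("confirmation expired")
    if not hmac.compare_digest(pending["token_digest"], digest(token)):
        raise BillingChangeError("bad confirmation token")
    acct.card_digest = pending["new_card_digest"]
    acct.pending = {}  # single use: the same token cannot be replayed


if __name__ == "__main__":
    # Constructed sample values (test card numbers, reserved .invalid domain).
    outbox = []
    acct = Account("owner@example.invalid", digest("4111111111111111"))
    request_card_change(acct, "4111111111111111", "5500000000000004", outbox)
    print("card changed before confirmation:",
          acct.card_digest == digest("5500000000000004"))
    confirm_card_change(acct, outbox[0][1])
    print("card changed after confirmation:",
          acct.card_digest == digest("5500000000000004"))
```

The e-mail address on file needs the same two-step treatment, otherwise whoever holds the ID and password changes the address first and confirms their own request.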

  15. #15
    Antionliner
    Guest
    Hi folks,

    I belong to a computer security forum called AntiOnline. A thread was posted today regarding getting trojans from a FFXI related website. I thought that the information might be of interest to you guys.

    http://antionline.com/showthread.php?t=276318

    I am not sure if it will accept that URL being as how I only just joined.

    If not then if you go to AntiOnline and look for a thread called "Google adsense banners" in the sub-forum "Newbie Security Questions".

    The problem certainly seems to exist on the FFXIAH site if not others.

    Not only might there be some hijacked adverts, but there is an XSS (cross-site scripting) exploit there as well.

    I thought you might be interested?

    My personal thoughts would be to use Firefox with the "Adblock" and "NoScript" plug-ins.

    Also check out an Australian software house called DiamondCS. They have a number of free security products. I would suggest that you take a look at "RegistryProt" and "Process Guard"

    Cheers,

    Johnno
