Symantec: 44 million MMO accounts stolen
We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.
This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass.
The article goes on to detail that while the vast majority of these accounts were targeting a Taiwanese MMO company, the researchers discovered 210,000 World of Warcraft accounts, 60,000 Aion accounts, and 2 million PlayNC accounts (which can be used to gain access to Guild Wars, Aion, Lineage 2 and City of Heroes).
The vast majority of RMT fraud I deal with in my day job originates from accounts that are stolen in this manner, usually from China.
(Side note to Symantec: account sales through sites like PlayerAuctions are a TOS/EULA violation for both World of Warcraft and Aion.)