Yesterday was a banner day for cybercriminals. A blog post from Riot Games founders Marc Merrill and Brandon Beck revealed an attack on League of Legends, one of the world’s most popular online video games. (It boasts more than 70 million registered users.)
The hackers stole approximately 120,000 salted (that is, combined with random data before hashing) credit card numbers, password hashes, usernames and e-mail addresses. Riot Games explained that only North American users who used its old payment system from before July 2011 might be affected, and added that players with easily guessable passwords are more vulnerable to account theft. Shocker.
“We are taking appropriate action to notify and safeguard affected players,” wrote Beck and Merrill. “We will be contacting these players via the e-mail addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.”
Riot Games is implementing a host of new security measures to prevent future breaches, including requiring all North American users to change their passwords to stronger ones. They’re also developing features such as e-mail verification and two-factor authentication, which requires confirmation via e-mail or SMS text for account changes.
No hackers have claimed responsibility for breaching League of Legends, but this attack is one of many against online games in recent years. In July, Assassin’s Creed creator Ubisoft had e-mails and passwords hacked, and Riot’s European League of Legends players had account data compromised in 2012.
The companies’ continual response of the same prevention methods, adopting stronger passwords and further verification, needs a serious overhaul. Look how well it’s worked out so far.
DDoS bank robbers hack wire transfers, steal millions
League of Legends wasn’t the only high-profile security breach uncovered yesterday, and nowhere near the most expensive.
Avivah Litan, vice president and distinguished analyst at research firm Gartner, reported that at least three banks have fallen prey in the past several months to “low-powered” distributed-denial-of-service (DDoS) attacks, losing millions of dollars.
In an interview with SC Magazine, Litan explained that hackers used the DDoS attacks to distract the banks, diverting their attention and resources while withdrawing millions of dollars through fraudulent wire transfers occurring simultaneously.
Litan, who published a blog post for Gartner last week warning that DDoS attacks are being used as misdirection while fraudulent transfers are pushed through payment switches, declined to reveal the identities of the three banks but said the attacks were entirely financially driven.
“It wasn’t the politically motivated groups,” she said. “It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours.”
The method by which the hackers gained access to the banks’ wire payment switches hasn’t been confirmed, but phishing e-mails may have been used to plant malware such as remote access Trojans and keystroke loggers on the bank staff’s machines.
In Dell’s SecureWorks Counter Threat Unit’s “2012 Threatscape Report,” the research team noted that cyber attackers have launched similar DDoS attacks through Dirt Jumper, a US$200 crimeware kit, in order to draw attention away from fraudulent transfers ranging up to $2.1 million. The FBI, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center issued a joint alert about Dirt Jumper last September.
As for minimizing these types of threats, all Litan offered was that financial institutions should “slow down” their money transfer systems while a DDoS attack is under way.
If that’s the only solution a firm like Gartner can come up with, banks are in some serious trouble.
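What “slowing down” transfers during a DDoS could look like in practice, as an added example that is not from the article, Gartner or any bank: a small correlation check that holds outbound wires for manual review while a DDoS alert is active (plus a cooldown), rather than letting them settle automatically. The review threshold, cooldown length and sample data are all constructed assumptions.

```python
# Added example: hold wire transfers for review while a DDoS alert is open.
# Threshold, cooldown and sample data are constructed, not from the article.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DdosAlert:
    start: datetime
    end: datetime

@dataclass
class Wire:
    tx_id: str
    when: datetime
    amount: float
    new_beneficiary: bool   # first transfer to this payee?

HOLD_THRESHOLD = 10_000.0          # assumed manual-review threshold
COOLDOWN = timedelta(hours=2)      # keep holding after the DDoS ends

def in_ddos_window(when, alerts, cooldown=COOLDOWN):
    """True if the transfer time falls inside any alert window or its cooldown."""
    return any(a.start <= when <= a.end + cooldown for a in alerts)

def triage(wires, alerts):
    """Split wires into (held, released) ids; large or new-payee wires
    that coincide with a DDoS alert are held for human review."""
    held, released = [], []
    for w in wires:
        risky = w.amount >= HOLD_THRESHOLD or w.new_beneficiary
        if in_ddos_window(w.when, alerts) and risky:
            held.append(w.tx_id)
        else:
            released.append(w.tx_id)
    return held, released

# Constructed sample data: one 40-minute DDoS alert and five wires around it.
ALERTS = [DdosAlert(datetime(2013, 8, 21, 9, 0), datetime(2013, 8, 21, 9, 40))]
WIRES = [
    Wire("tx1", datetime(2013, 8, 21, 8, 30), 50_000, False),   # before attack
    Wire("tx2", datetime(2013, 8, 21, 9, 15), 250_000, True),   # during: hold
    Wire("tx3", datetime(2013, 8, 21, 9, 20), 500, False),      # small, known payee
    Wire("tx4", datetime(2013, 8, 21, 10, 30), 20_000, False),  # in cooldown: hold
    Wire("tx5", datetime(2013, 8, 21, 12, 0), 20_000, False),   # after cooldown
]

if __name__ == "__main__":
    print(triage(WIRES, ALERTS))
```

In a real deployment the alert feed would come from the network or DDoS-mitigation layer and the held queue from the payment switch, so the check lives between the two systems rather than in either one.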
Patch up those holes in PuTTY
The Windows SSH client has four major flaws that attackers could exploit, so upgrade to version 0.63 before your systems are hopelessly infested. For more details on the PuTTY vulnerabilities, read the full story.