
Advice for dealing with a sticky hacking situation

N/A

The long and short of it is, I help to run a small forum for a popular online game. In recent months, several forum members have had their game accounts stolen and re-sold to other players. Over the weekend the site admin was provided with clear evidence that it's actually one of the joint administrators of the forum who's behind it - using registration details to break into webmail accounts to gain access to the game account payment information in order to re-set the password and prevent the rightful 'owner' access to it. Obviously we've contacted the company who operate the game with the information, but they have been unwilling to accept screenshots as valid evidence in the past, so who knows whether they'll accept this as evidence.

He has had access to IP and email addresses for every forum user. It appears that there is one specific free webmail service which he has been successful in breaching - as all of the accounts that were stolen were registered on the forum using email addresses from the same webmail provider.

He doesn't know he's been caught yet. We're trying to protect ourselves before setting an irate hacker on the loose.

I'm wondering if anyone can help me brainstorm all the bases that need covering before we ban this [insert descriptive expletive of choice here]. The forum itself is the LEAST of our concerns. I'm more concerned about personal attack on forum members' computers and webmail accounts. Obviously, advising them against using that particular service is a given, and removing email and instant messenger info from viewable profiles. (That's the problem with this person being an administrator - he could see everything whether it was public or not. :?)

As far as personal computer security, what sort of problems/attacks could we be running into and is a personal firewall and AV/Anti Spy enough? (And I wish they'd give us more than 8 characters for our PlusNet passwords. Yes, I've voted.)

Thanks in advance.
5 REPLIES
N/A

Advice for dealing with a sticky hacking situation

My personal opinion would be to contact the police.

Your administrator is breaking the Computer Misuse Act 1990, which includes unauthorised access to computer programs or data, unauthorised access with a further criminal intent, unauthorised modification of computer material (i.e., programs or data).

These normally apply to attempts of hacking, but they are also applied to employees and/or customers that have access to the data via legal means, and the Data Protection Act doesn't apply.

As the DPA does not apply to hobby forums (you may need to clarify what your forums are for, and who has access to them), the Computer Misuse Act applies instead.

Your administrator has effectively committed several offences.

Including unauthorised access to data on your forums. Although they have legal access to it for the purpose of operating the forums, this is the sole purpose of the access. Taking it for purposes off-site would be deemed illegal.

The above may be hard to prove if you do not have a clear policy in place regarding what is deemed authorised use.

They are however committing the offence of obtaining services by deception. They are using data to impersonate another person, for which they have no authorised access.

This should be raised with the company they are doing this to, which is an email service I understand from your post.

This comes back to your own site. If access to the data is not set out in a policy as unauthorised, they could be committing the offence of unauthorised access with further criminal intent (obtaining services by deception).

I am unsure CAB (Citizens Advice Bureau) will be any help, due to the nature of the issue, but it can't harm in asking them.

Otherwise, speak to the police, who are duty-bound to investigate.
N/A

Advice for dealing with a sticky hacking situation

I would say the Data Protection Act could apply as the data should be held securely, which it isn't. The problem is academic as it takes 6 months for the Data Protection Act to do anything.

The danger could be that most people keep the same password and use it for lots of accounts. This being the case, if he has the passwords he could access eBay, PayPal and many other accounts.
N/A

Advice for dealing with a sticky hacking situation

I don't think it was a case of getting passwords (which most forums either use one-way encryption, or store hashed copies), but using the details people provided on the forums, including email addresses, to request new passwords and such.
N/A

Advice for dealing with a sticky hacking situation

Quote
I don't think it was a case of getting passwords (which most forums either use one-way encryption, or store hashed copies), but using the details people provided on the forums, including email addresses, to request new passwords and such.


Basically that's it in a nutshell. I'm not the site owner, but the site owner is handling contacting the appropriate authorities.

The problem is, we're a tiny little forum in the grand scheme of things. And we're doing our best to get the attention of two huge companies that have millions of users. We have our suspicions that the information is being gained from the webmail accounts but zero solid evidence. So there is not much we can accomplish there. The game company also has millions of users and don't like to take action based on screenshots or evidence obtained outside of the game environment as they are regularly presented with 'evidence' that has been doctored.

So we're doing the 'right' thing, but eventually we're going to have to ban the corrupt administrator. When we do, the hacking site he's affiliated with could potentially have its community of 15k people after us. The admin in question has access to all profile info and individual IP addresses are viewable to all administrators.

The big fish can look out for themselves, the forum can be backed up and rebuilt repeatedly if necessary. It's all the little fish on the forum and their own security that I'm worried about. He's stealing the accounts of people who call him 'friend'. If he's capable of having that on his conscience, then if we cost him HIS account, if the game company or the webmail company start questioning him, if the hacking group he's a part of is passed any of the information he's collected from our members --- then I'm worried about Denial of Service attacks, intrusions, email bombing, viral attacks --- launched against specific users.

This isn't a forum troll, this is a nasty piece of work. And I'm just wanting to try and find out what to do if we find ourselves targeted further. Is there any damage control we can do beforehand? Are the freeware security products out there going to be able to handle a determined hacker? Or just better than nothing? I know very little about hackers and what they're capable of, I'm a little bit concerned with the prospects of having 15k of them after 100 specific individuals, simply because we trusted the wrong person. :?

Thanks again.
N/A

Advice for dealing with a sticky hacking situation

The only advice I can give is that you report this cracker to the appropriate authorities (be aware that the police often need to be pushed to do things - especially when they don't understand the law that has been broken - I once had a police officer tell me to contact PlusNet to get details of another ISP's customer, but that's another story) and warn any potential victims. Contact your hosting provider and give them a warning too as you don't want to be charged for the extra bandwidth if he does launch a DoS attack. As for mailbombing etc, there's little you can do about mailbombing specifically, but you can warn other users not to open attachments from people they don't know and if possible to not use an insecure client such as Outlook (preview pane + scripting = bad). People should also refresh their IP if it's dynamic, and if actually attacked on a static IP, contact their ISP to get a new one.

Hope this helps