Update on Account Stealing!

First off, I’d like to briefly comment on the FFXIAH Ad(s). Although annoying and unacceptable by our users & admins, I just wanted to be clear that adware/spyware from an advertisement does not equate to a key stroke logger capable of stealing FFXI accounts. I’m not saying it’s not possible either, in this case it is just very slim.

However, there is some news to report. FFXI ]]DO NOT USE SOMEPAGE[[ is confirmed to have a hidden iframe (0x0px) that contains malicious javascript. I only ask people with technical expertise to attempt to load the page at this time. The iframe loads a page from “miorsocft.com”, it should be easy to find. This script is being looked into by our dev team already and some volunteers. (I’ll post some screenshots later)


Despite the news above, we’ll still look into the ADs and have a full report on our website, because “account stealing capable” or not, we don’t want them installing annoying junk on your PCs

Source here (near the bottom).

So yea, to protect yourself, don’t visit somepage since it’s already compromised (and don’t be curious and check it out!). There’s also been speculation that the people who steal accounts are using a flaw in Real Player, so if you have it just uninstall it for now.


Last but not least, having a web server compromised is pretty bad. (Eg Somepage). I’ve also been getting random spam from Chinese IP addresses. So I’d like to remind those that own a website and forums that is related to FFXI to keep it secured ‘.’ At the very least, strong passwords for your server and update your software. As an administrator of web services, you hold a lot of information about people (especially if you run a forum), and having those compromised not only will leak personal information, but will allow an attacker to modify the website to something similar to somepage and hurt all those users.

In general, the attacker is using a flaw from both the server and client (Real Player) to make this happen. Therefore, please update your programs (like all of it), patch Windows (there’s a patch yesterday for both XP and Vista, do a manual Windows Update) and use a secure browser.
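For anyone running a fan site or forum, one way to check your own pages for the kind of hidden (0x0px) iframe described above. This is an added example, not code from this blog or from FFXIAH; the host names and the sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style declarations that make an element invisible.
HIDDEN_STYLE = re.compile(
    r"(?:^|;)\s*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0+(?:px)?)\s*(?:;|$)", re.I)
# A width/height attribute of "0" or "0px".
ZERO_DIM = re.compile(r"^\s*0+(?:px)?\s*$", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are invisible and load from a foreign host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (line number, foreign host)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Hidden if either dimension is zero or the inline style hides it.
        zero = any(ZERO_DIM.match(a[d]) for d in ("width", "height") if d in a)
        hidden = zero or bool(HIDDEN_STYLE.search(a.get("style", "")))
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no host, so they count as the site's own content.
        foreign = bool(host) and host != self.own_host \
            and not host.endswith("." + self.own_host)
        if hidden and foreign:
            self.findings.append((self.getpos()[0], host))

def find_hidden_iframes(html, own_host):
    finder = HiddenIframeFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one visible frame, two injected ones, one local.
SAMPLE = """<html><body>
<iframe src="http://fansite.example/slideshow.html" width="300" height="200"></iframe>
<iframe src="http://injected.example/x.htm" width="0" height="0"></iframe>
<iframe src="//injected.example/y.htm" style="border:0; display:none"></iframe>
<iframe src="/local/tracker.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host in find_hidden_iframes(SAMPLE, "fansite.example"):
        print(f"line {line}: hidden iframe loading from {host}")
```

Run it over the HTML your server actually sends to visitors, not only the template files on disk, since an injected frame may live in a database row or an included file.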

Social Engineering – Careful

FFXI Social Engineering

Scamming Accounts?

A few days ago, I got this from Darkblood. From what I know, this dude sold his account, transferred owner a few times and the most important part, I don’t know him. Apparently he got my email and is trying to lure me into entering their forums.

I’m sorry if I offended anyone but… Darkblood’s Linkshell (links to his FFXIAH Profile) has always been known to do shady things and this might be one of them. Also, I am not the only one who received this, and to the best of our knowledge, all of us never really signed up on his linkshell. So to people on Fenrir, please be careful. I opened it under a secure location and it is a URL directing me to their website forums (which could be a fake URL that directs you to a compromised page, not willing to test further).

I’m not sure, but if you were to contact me, why use your own forums? Why not use FFXIAH’s PM system, my Blog? In-game? Email reminding me to check PM on “their forums” sounds very suspicious to me. Plus why would someone PM me (a user who never really reads their forum) on that forum? lol

Just imagine if a website tell you to login, the password doesn’t work so you keep entering and entering more passwords just to see the private message, and they were actually logging all the passwords. GG, you just gave them tons of passwords to try.

Just be very careful ^^; Also, everyone should be reading up on this topic. Knowing how accounts are being compromised is the way to prevent/avoid yours being taken away. We all love our 0’s and 1’s so let’s safeguard them ^^;

Ninjar Edit: There’s a post on BG about how to safeguard your account. Read it!

  1. Jowah says:

    Actually somepage had even some malicious script running months ago, which could kill/dramatically slow down most PCs’ cpu…..and yeah I stopped using that fu***n site since then.

    That’s why I’m gonna get a lap asa again and surf ffxi related sites on there, since I don’t really trust most sites cept very few blogs.

    I guess wiki is OK, as long with FFXIAH.
    ALLA should be ok but I’m avoiding that at home, nothing to lose anyway (just some Kerb’ flamings, but w/e)

    Stupid people ruining our accounts D:

  2. eeto says:

    Actually cross-platform scripting has been tightened up and patched a lot ever since IE6. Ever since the going down of Netscape, IE has been sloppy with their browser design and security audit. As emerging public awareness of security flaws that’s going on in IE, Firefox had its chance to win people’s hearts for a better browser (me being one).

    The scary part about this whole thing is, fan sites might be in high risk now. They usually won’t be equipped with the latest patch or security protections; (heck, i’m just trying to run a forums and it’s so troublesome.) But anyhow, things don’t look promising now with these stories. It’s obviously a boundary out of SE’s reach and it’s up to players to protect themselves without knowing where the arrow’s coming from, or when is it coming.

    Maybe we should teach the public to install firewalls.

  3. Strawberrie says:

    The sad thing about all this is that the Intrusion Detection Software on my system shows that this site is attempting an IE based buffer overflow whenever I check it out. You aren’t hosting any ads off your page, so is it a bug in your code or something else?

  4. Aramina says:

    Ok, so it’s totally /emo, but I was reading Melphina’s post and I saw the stuff about Moonbank and Sunbank.

    Of course, curiosity being what it is, I cranked up Firefox and checked out Moonbank on Odin.

    It turns out that the Noble’s Tunic that my good friend bought for me as a “quitting FFXI” present from him was bought from Moonbank. He had no way of knowing this and I treasure it greatly as a gift from a friend, but it makes me feel very bad to know that this was quite likely something that belonged to another player who had their account stolen and raped.

    I almost want to get rid of it, but don’t feel like I can because of how I got it.

    I wish I could get deployed to destroy RMT and not Iraq, but since the gov’t probably doesn’t have much interest in rolling a tank through IGE Headquarters, I don’t see that happening.

    As someone so rightly said in one of the many many replies to that Alla post, I’d much rather deal with RMT bot fishers than RMT attacking the playerbase, even if it means higher prices at the Auction House. Theres always stuff that I want that I’ll not be able to afford, and so I’ve learned to be happy with what I can get and work for what I want, but to lose my time and effort would really really hurt and I’d probably just quit playing at that point.

  5. Veve says:

    Maiev, I am scared now T_T

  6. Maiev says:


    I don’t run ads (although someone suggested it awhile ago), but then I only do this as a pure entertainment so no, don’t have them and don’t plant them xD. I was tempted to due to the clicks, but I debated over it and meh, I don’t want to see RMT advertisements beside little Onions… its kinda wrong :/

    The script might be the front page slide show on the right. If you disable it, it will just display a loading thing that’s all. It’s just a little bit fancy and lol for 1st time visitors. Nothing important really goes there.

    @ Aramina

    You shouldn’t sell it regardless imo. You had no way to know where it came from when you received it. After all, it’s a kindness from a friend, who also didn’t know Moonbank was some sort of hacking of other players’ item. Put it this way, if your friend didn’t buy it, someone else would have bought it.

    I havta agree, farming gil is much better than jacking people’s account. In the end it puts all of us at risk. Okay it might be harder to buy something you like but meh… better than seeing accounts going poof.

    It all comes down to people who RMT. No demand in gil farming. No farming needed. Those that really buys gil are hurting everyone.

    @ Veve

    I’m scared too :/ , I stay logged in now (not that it does anything), but even when I’m not playing ._.

    @ Everyone Else

    There’s a good post on BG about how to safeguard your computer from these things and future attempt. Yes, its quite a lot of crap to install, but in the end it protects you.

  7. Etain says:

    It took 2 sweeps of Adaware and Ccleaner on my home PC to get whatever crap was on there off. -.O

    Even here at work- 21 items: 10 registry, 2 files, 9 cookies.

    First thing I did was log into 360 and change my POL password.

    I am now completely, and totally paranoid, as I do a LOT of mindless websurfing when I’m bored/suffering from insomnia.

    *puts on her foil hat*

  8. Etain says:

    Oh, and for the record, Darkblood is the player formerly known as Arthanian.

  9. Veve says:

    I did the same thing as Etain and will most likely end up using my new computer for FFXI only ! (Something is wrong here, no?)… I guess I’ll hook up my old computer in a dark room I guess, just to check my e-mails and surf sometimes :/

  10. Maiev says:

    Well playing on separate PC is also nice, that way your other programs aren’t lagging your gaming pc ^^; apparently me doing it this way also offers some security benefit :O!

  11. Aramina says:

    I can’t lie, I’ve thought about buying gil in the past. Went so far as to see how much it cost and everything. I was barely able to play for a while due to RL time constraints, and it seemed like I’d never get to my goals.

    Then I woke up and decided that I’d rather have the worst gear ever and a clean conscience than buy gil.

    I agree, the problem is in the people who buy it, and I’m glad that I’m not one of them. I’ve been working on Crafts, and leveling BST is definitely helpful in that you keep all of your seals and drops, and it is a solid job for farming. Mine’s only 63, but I look forward to time spent killing Sprinklers and Groundskeepers and keeping all of the shards to use to make Cermet Chunks.

    About the Noble’s, I know that what you say is true, but I still think about it. Now, just hop over to Odin and help me with that SOB Shen (He’s royally screwed me twice, think I’ll post about my WHM/NIN gear pursuits and successes/failures) so I can get my Reverend Mail and forget about the “hot” Noble’s that I have.

  12. Maiev says:

    I’d have to say buying gil is tempting, since most people that plays this game do have a life outside and… have disposable income.

    During the times when the economy is inflating, everyone’s dream seems suddenly impossible to achieve. At one point I even thought that this game is no longer playable if you don’t pour real money into it. It’s kinda like real money virtual money = Play this game. That was also when another MMO (I forgot which one), allows you to buy virtual currency officially from the developer.

    The feelings of accelerating against others is often what most people desire in a virtual world, but whenever you think about the cost per gil and the risk you have to take, its not worth it at all.

    Regardless, we now see the effects of gil buying. I just hope people that buys gil think a few more times now. Not only they are visiting a RMT-owned website that can put their account to risk, but how they are really destroying the game by doing so.

  13. Oman says:

    “SiteAdvisor” from McAfee might help a bit and is free :D.

    It will warn you if it thinks the site u about to visit is not safe. The siteadvisor website even allows you to do a background check if you are uncertain about the site u gonna visit.

    . . . . I dont work for them . .. Orz

  14. Veve says:

    I have a question… I logged back into the LS Community a while ago to turn my profile to “all public” to make it viewable in FFXIAH. Now all considered, should I go back and disable that or just stay away from the ls community now? Change password? Turn off the feature in ffxiah as well? Change my Pol password again (don’t they keylog your action of changing your password as well?)??

  15. Maiev says:

    Um… I know we are all a little more paranoid about this whole thing (I even deny to even talk to RMT)

    If your PC isn’t cleaned, then you are already in trouble by logging in (since entering LS community requires your PW). The thing you need to do is ensure your PC is cleaned :3 by scanning it with an Antivirus. I do not think the AH profile has anything to do with all the hackings.

    A keylogger is like someone standing beside you physically, watching exactly what you type (they record all keystrokes that you type). Just use a strong Antivirus and you’re fine sweetie! (I suggest kaspersky, it’s been tested to be the antivirus that catches the most viruses out there).

  16. Maiev says:

    Check for this annoying bug: C:\Windows\system32\CMCFG3.dll

    Kaspersky/AVG can detect it, but not remove it.

    Seems like something new.

    Trojan.Win32.BHO.abo is the trojan name for it.

    Source: BG Forum http://www.bluegartrls.com/forum/viewtopic.php?f=2&t=27042&st=0&sk=t&sd=a&start=840

  17. Aramina says:

    There’s always the hot topic of sanctioned gil sales from SE…

    I’m not really sure if that would solve anything or just create more problems, but it’s something to think about. I can see more negative than positive really, but again, it’s a point to ponder.

    I wonder how often players have taken the time to put together well-thought plans of what could be done to improve life in Vana’diel and then presented those proposals to SE? I mean, at the corporate level, SE should be doing this internally, but of course we outside people all have our opinions, and maybe someone out there has a really good and creative solution that SE might take seriously.

    Also, can you post a link to AVG somewhere? I know I’ve seen links to it before, but my connection in Iraq was hit by a spell of Suckga III and I d/c a lot and lose track of where I saw things.


