Computer Crime Research Center


MSN Hacked in Korea

Date: June 05, 2005
Source: Red Herring

Security expert says the attack that brought down MSN in Korea wasn’t after financial data.

The hacker attack that shut down Microsoft’s Korean MSN site was designed specifically to steal passwords to a popular online game called Lineage, not to collect credit card numbers or other private info, according to the researcher who reported the problem to Microsoft.

Dan Hubbard, the senior director of security and technology research at Websense, a digital security company, said he notified Microsoft about the problem on Tuesday, two days before the site went dark because of a string of malicious software code, known as a malcode for short.

“The malcode is designed just for the game,” said Mr. Hubbard, who said the attack could have targeted financial data instead. “It could have been more criminal. The damage could have been worse than what it was.”

Microsoft hasn’t released any details about the nature of the Korean attack but said it does not know of any customer impact resulting from the incident.

On Friday, Microsoft said it would test MSN sites hosted in other parts of the world. The Redmond giant is working with law enforcement officials, but said it has yet to determine what authority would have jurisdiction.

Lineage and other multiplayer network games are popular in Korea. Lineage once counted 10 million registered users, with 100,000 playing at the same time (see Coming to America).

The attack came as MSN formally launched a Chinese-language web portal with content from Chinese partners. The Korean site was hosted by a third party that Microsoft has not identified, but the Chinese site is the product of a joint venture with Shanghai Alliance Investment. The company is looking to get a piece of the growing online search market in Asia (see Google and MSN Do China).

Routine Scanning

Mr. Hubbard said Websense’s scanners discovered the code on the Microsoft site as part of their routine review of the Internet. “We mine millions of web sites each day and have security web-crawlers looking for malicious codes,” he said. “We have a list of high-profile web sites. Of course, anything with the name Microsoft triggers an alarm.”

The attackers disguised the malicious file by wrapping the active ingredients, Visual Basic and Java Script, into a text file that was then disguised as a .gif file, according to Mr. Hubbard. He said consumers who have the latest antivirus updates would face only a minimal risk of infection.

But even computers with the most up-to-date patches would still be vulnerable to users who elected to run the code after receiving a security prompt. “The code wouldn’t run automatically,” he said. “The original way the site was attempting to infect users was through one of three Internet Explorer vulnerabilities, which have all been patched.”

Harvesting gaming passwords is not a new threat, according to Eugene Kaspersky, the noted virus researcher behind Kaspersky Lab. Players of networking games often set up virtual economies to buy and sell capabilities within the game. Popular targets have included games such as Legend of Mir and Gamania, as well as QQ, a large instant-messaging client.

“Attackers are using the web more and more as an infection method in addition to email,” said Mr. Hubbard. “In the past, email worms were by far the most popular way to infect people.”

Microsoft sites have been hacked before. When the Internet worm “Code Red” tore through servers worldwide in the summer of 2001, at least one un-patched Microsoft server became infected, said Marc Maiffret, a security specialist with eEye Digital Security. “They don’t always practice what they preach when it comes to patching,” he said.

There’s a good chance that someone got into the site through an un-patched vulnerability, said Mr. Maiffret, whose company sells software that blocks attacks on systems that don’t have all their patches up to date.

“If you’re of the anti-Microsoft clan, as opposed to just turning Microsoft against you by posting ‘F-U Microsoft’ on their web site, it would be more damaging to get their user base ticked off at them,” said Justin Bingham, a security expert at Intrusic. “You’ll have a really high success rate as well. It’s not like you’re doing it to Slashdot or something, where you have sophisticated users who stay up to date on their patches.”

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2009-06-21 18:57:56 - bu ne a.q yusuf
2009-02-18 07:22:27 - msn kırma dogan
2008-11-26 16:55:43 - üae cigdem
2008-09-05 15:04:17 - slmmm yaaa bana çok acil yönde msn... MeTe
2008-06-05 03:09:23 - bu msn neyi sakın kırma burak
2008-05-30 13:49:19 - YA LUTFEN YARDIM MSN KIRMAK... GIOKSEL
2008-05-16 19:38:50 - SAlam [email protected] Hamza
2008-04-07 16:27:07 - selam nasılsın umarım... sen bitin
2008-04-05 10:36:19 - herhalde diyar
2008-03-23 07:12:12 - no duygu
Total 51 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo