Keylog Attack ~How My Story Ended~Follow

Hey guys, this is Hiro. As you may have heard, my character was keylogged last night, and I lost it while struggling to retain it. I'm going to give you all a rundown of what happenned:

Roughly 6PST(9EST), I, and as far as I know, everyone else on my server(Ramuh) and other servers did as well, received a tell from a person named "Themoonlight" saying "This is the gilsellers secret weebly.com/weebly/uploads/32641/mrwildrabbitradar.zip Enjoy"

I figured it was just a good video, perhaps some lame *** but funny pictures about gilsellers, so I checked it out. Anyhow it turned out to be a program. I deleted it, under the impression it could be a keylogger or something of the sort. I then checked my programs to see if anything had secretly installed itself, taking any precaution to be sure I wasn't compromised. I found nothing~

After checking my computer for problems, I went onto PlayOnline to change my password, as I know that even if someone keylogs your information, they can only get it once. Unfortunately, PlayOnline was doing server maintenance at this time, so no PW info could be changed.

I played around like normal until about 8:30PST, when I was kicked off my character, with the error being "You've been logged on by another terminal". At this point I knew what was happening, and spent the better part of the next 1:30 fighting back/forth with the hacker as a race to see who could change the PW first when the maintenance lifted. I had a friend of mine call a GM during this time to see if they could help me out in any way. I asked them to suspend my character, anything to help. but to no avail.

Around 9:45~10:00PST, the "Hacker" successfully changed the PW before me, and I lost my account. I contacted PlayOnline at 9:00AM PST when the opened the following day (Today), only to hear nothing can be initially done to get my account back. The "Hacker" changed the CC info to his own, so even with complete and total evidence that the characters pertaining to the account are my own, I cannot reclaim my account at this time.

Overall, this person was brilliant with their strategy. They waited until PlayOnline Registration Maintenance started, they sent the tell to EVERYONE on our server on at the time, possibly multiple servers, as bait for their trap. At this point even if you knew it was a keylogger (as I did), nothing could be done or helped. They then raced at maintenance lift to change the PW of these accounts, and permanently had access to them.

Now. the only way I can get my account back, is if PlayOnline gets proof that this wasn't an isolated incident. I don't expect everyone to do so, but anyone who doesn't mind, please call ( 858 ) 790 - 7529 (PlayOnline's official Help Office number)i f you received this tell on May 14, and just have them note this was sent to you also. That is all that needs to be done, and they claimed that if they get enough complaints about the issue, they will give accounts back to people with valid proof, CC, and character information.

This is all I can hope for~ Call me a @#%^ing idiot for even checking the file, that's pretty much how I feel. However immediately after checking the file, I knew what it was, but all the traps where in place, and their was nothing I could do. This was a hell of a plan, and it worked~

Note: I wasn't using windower and never ran the program. This is the first program I've heard of to-date that allows them to get information without the use of a 3rd Party program, or ever even running the program.


2nd Note: I was a 4yr Veteran, Ran a Dynamis and Salvage Shell, Sackholder in my HNM shell, and over 50% done with my Relic Weapon Spharai. I'd obtained Leathercraft100, completed pretty much all of the games missions, and had roughly 250+ Merits on my main character. I was cocky, but never rude. I was well liked on my Server and was quite happy with where I was in the game~ That was me, and I am gone~

Edit: Took off the Http://www, but left the remainder of the address up there, so you can give to the POL operator if you call. Thank you very much for your help~

Edited, May 15th 2007 12:45pm by Hiroleonheart

Edited, May 15th 2007 11:52pm by Hiroleonheart

@#%^ it, give me more info.. i'll call and say i got a freaking message just to help you out..

did it come from a tell, or what? give me everything you know and i'll call them up saying i got a message too.


Edit: I'm on the phone right now... on hold....

Edited, May 15th 2007 1:45pm by Reveez

Same thing happend on Hades server.
Alot of us got tells in Lower Jeuno.
I know it was alot of us because we were all shouting for everyone to NOT go to the site.
It was the same scam: "Gilsellers Secret".

There is, as far as I'm aware, one method of combating keyloggers.
You have your password saved on an auto-login setup. I know that only I use my PC to log into my account, and it's set on auto-login. There is no password typing for a keylogger to capture.

Anyways, this sounds like a pretty nasty situation. I expect with it being widespread, Square will have to act, re-examine all accounts transfered since the Registration Server went back up (which actually gives them a great time reference to work from), and go from there.

What time did this happen, out of interest? I saw nothing of this yesterday, since I'm on UK time.

You said you opened the file right? the program? Couldn't this have been avoided by not doing so? I am not blaming you, nor am I attempting to downplay the severity of what this person did as it is 100% reprehensible. I am trying to ensure that others can avoid this if possible however in the future. Did you go to it and open the program? Could others avoid this problem by not doing the same?

I am going to report it as soon as I log in today.
I would encourage everyone to do the same.

At the time, I figured it was just a "lone" person, or a few individuals trying to get the best on whomever would go to the site.
I never thought it would have been somthing so wide spread.

For that fact alone, I would encourage everyone to make a report (if you honestly got a tell from this character). They can look into it and verify that this was a multi-server “attack” against FFXI players. Hopefully, maybe they will be more flexible with helping our fellow players get their characters back. And just as important, hopefully this will help prevent future aggressions of the same nature…. Hopefully.

If it's been happening over the last two weeks, it explains this recent notice on the POL website;

This occured on the Ifrit server as well, mass /tell from a guy named Faste with that same exact message and url. I dont know how many ppl actually opened it, but im sure a few at least. There HAS to be some way PoL can trace this and hopefully fix it, considering it was a massive cross-server attack.


P.S. As much as the graphics suc, sometimes im really glad i play on ps2.

I heared about this in my LS as well. My first thought was "Who is dumb enough to go to a website from a tell from someone they don't know?"


Sorry Mate. I hate to see this sort of thing happen to people, but once burned you now know better.

People fall for phishing scams every day. People download keyloggers and spyware all the time. Maybe it's my inner skeptic, maybe it's the fact that I work in IT, but it boggles my mind how people can fall for these things.



Having said that, the next one that comes along I'm likely to click on like a monkey. :)

Again, by avoiding going to links and unzipping stuff you don't know, from someone you don't know.... couldn't you have avoided this?

Good luck getting your stuff back Hiro

-Mish

OMG DUDE....seriously I find a decent Dyn ls and this happens...

This is why people are not happy with the game, when the people who can help, GM's Tech support, do nothing to aid you, then pretty much tell you tough ****... Hope you can get on, Quisty and I look forward to doing more dyn's with y'all.

The message isn't limited to the "Gilseller's Secret."

I got a tell 2 days ago with the same website, saying "I'm quitting - <insertlinkhere> - Enjoy!~"

And yeah, it was the same person as was mentioned above by Smoothrunner, Faste