Author Topic: Recent Hacking Attempt  (Read 12454 times)

Offline Dominus Arbitrationis

  • Arcen Games Contractor
  • Arcen Staff
  • Sr. Member Mark III
  • *****
  • Posts: 479
Recent Hacking Attempt
« on: March 20, 2017, 05:25:07 pm »
https://arcengames.com/recent-hacking-attempt/

We will NOT attempt to get sensitive information from any users via PM.
Come help out at the Wiki!

Have ideas or bug reports for one of Arcen's games or any part of the site? Use  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games and site better!

Offline Cyborg

  • Master Member Mark III
  • *****
  • Posts: 1,957
Re: Recent Hacking Attempt
« Reply #1 on: March 21, 2017, 12:01:28 am »
Why would somebody do this? This is horrible. So sorry to hear it.
Kahuna strategy guide:
http://www.arcengames.com/forums/index.php/topic,13369.0.html

Suggestions, bugs? Don't be lazy, give back:
http://www.arcengames.com/mantisbt/

Planetcracker. Believe it.

The stigma of hunger. http://wayw.re/Vi12BK

Offline x4000

  • Chris McElligott Park, Arcen Founder and Lead Dev
  • Arcen Staff
  • Zenith Council Member Mark III
  • *****
  • Posts: 31,651
Re: Recent Hacking Attempt
« Reply #2 on: March 21, 2017, 11:32:56 am »
We really have no idea.  They didn't make any demands, they didn't end up defacing anything, and so on.  I'm presuming that they were either trying to steal steam keys or install malware on our customer computers or deface our steam pages, or similar.

I haven't been doing anything high profile enough to warrant this sort of attention lately that I can think of.  Valve says that this is not something they've seen apart from us.  So whatever it is, it's something targeted at just us (or me, I don't know).  I don't know if it is personal, or a target of opportunity, or what.

Possibly someone looking for mantis installs just happened to find us?  But then what they started doing was pretty specific, so I dunno.
Have ideas or bug reports for one of our games?  Mantis for Suggestions and Bug Reports. Thanks for helping to make our games better!

Offline x4000

Re: Recent Hacking Attempt
« Reply #3 on: March 21, 2017, 11:34:16 am »
For extra fun, I just noticed that the reason I've not been getting forum emails the last day or two is because he turned them all off.  Grah!

And things are still fouled up with my mantis account for mostly-unrelated reasons.  Well, I mean it's a downstream issue caused by having to do a bunch of password changes and whatnot, but still.

Offline TheVampire100

  • Master Member
  • *****
  • Posts: 1,382
  • Ordinary Vampire
Re: Recent Hacking Attempt
« Reply #4 on: March 21, 2017, 01:29:11 pm »
Hackers sell personal information like e-mail addresses to shady companies, so these companies can send targeted ads to these people. It's a really disgusting business.
I don't say this was the target here because someone wouldn't go so far to get the information from the same person, it really looks like a personal attack but in many cases this is the intent.

Offline x4000

Re: Recent Hacking Attempt
« Reply #5 on: March 21, 2017, 01:37:08 pm »
The goal in this case was 100% clear to get access to our steam administrator privileges within Arcen.  That much we're very certain on, since that was attempted to be phished out of us.  But from there what to do... I'm less sure.  There's a limited amount of data one can get out of that sort of access, and certainly no customer data.

In a general sense I agree with you on the normal motivations, and we've fended off that sort of casual hacking before here as well as at past companies.  It happens.  The thing that made this one so freaky is that it went waaaaay beyond anything normal we'd ever seen in terms of the amount of effort being put in and the techniques being used.  I know a guy who runs a security consulting company, and it's the sort of thing he'd be doing if he's red teaming a client.

Offline z99-_

  • Full Member
  • ***
  • Posts: 112
Re: Recent Hacking Attempt
« Reply #6 on: March 21, 2017, 01:48:01 pm »
Maybe he thought you had inside info on Half Life 3

Offline x4000

Re: Recent Hacking Attempt
« Reply #7 on: March 21, 2017, 01:56:36 pm »
> Maybe he thought you had inside info on Half Life 3

*tents fingers* Ahahaha!  Then he looked in the wrong place...

*cough cough*

 :D

Offline eRe4s3r

  • Core Member Mark II
  • *****
  • Posts: 2,825
Re: Recent Hacking Attempt
« Reply #8 on: March 21, 2017, 04:29:42 pm »
And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)

Am I right to assume this was the goal of the initial social engineering attack?

I think this is continuation of the front site deface hax from a few months ago, attackers will often probe 1 target where they had success as deeply as possible because it indicates lacking (or totally absent) security rules and awareness.

Of course, maybe the attackers should not target tech geeks huh. Should be very easy to trace down who tried to access your steam account. There is a login log somewhere in the depths of client settings in the steam client.
Proud member of the Initiative for Bigger Weapons EV. - Bringer of Additive Blended Doom - Vote for Lore, get free cookie

Offline Dominus Arbitrationis

Re: Recent Hacking Attempt
« Reply #9 on: March 21, 2017, 04:53:16 pm »
> And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)

We are aware of how the attack played out, and have taken steps to prevent it from happening again. Valve was extremely helpful in this, and has provided us with the relevant logs.

Essentially, there was _very_ good social engineering done that resulted in the compromise. However, Valve is aware of the method of the attack and has taken steps to prevent another attack like this from occurring with us, and almost certainly with other people as well.

As for the other concern, no the accounts for Steam are not shared, and we practice giving people the bare minimum permissions that they need.

> Am I right to assume this was the goal of the initial social engineering attack?

Yes, we believe that compromising the Steam account was the goal for the attack. Despite this, the attacker was unable to execute the final stages of his plan, and was unable to do anything with the Steam account.

> I think this is continuation of the front site deface hax from a few months ago, attackers will often probe 1 target where they had success as deeply as possible because it indicates lacking (or totally absent) security rules and awareness.

We do believe that is the case. I have since gone in and fixed any flaws that we could find. If anyone knows of additional flaws, please send me a PM/email so they can be patched. You can also make a Mantis issue regarding it, but depending on the severity of the flaw that might end up being hidden from public view to prevent anyone from getting any ideas.

> Of course, maybe the attackers should not target tech geeks huh. Should be very easy to trace down who tried to access your steam account. There is a login log somewhere in the depths of client settings in the steam client.

Yep, I pulled _all_ of our logs and combed through them looking for any access to Chris' accounts or another Staff Member's accounts. We also got the IP that the attacker used to log in with from Steam.



To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.

Offline WolfWhiteFire

  • Full Member Mark II
  • ***
  • Posts: 195
Re: Recent Hacking Attempt
« Reply #10 on: March 22, 2017, 04:07:46 pm »
> To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.

Can you use that to try to find out who was the hacker and what they were trying to do? Also do you plan on getting the police involved? I really don't get why anyone would do this, but I feel you should definitely try to get the police involved if they aren't already, considering the lengths taken to try to get whatever they were after and the possibility that this isn't the first time the person did a hack attack on this company.

Offline x4000

Re: Recent Hacking Attempt
« Reply #11 on: March 22, 2017, 04:16:59 pm »
>> To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.
>
> Can you use that to try to find out who was the hacker and what they were trying to do?

The short answer is no, unfortunately. Without getting into details of their exploit it's hard to explain how they covered their tracks.  If we were countersecurity experts (we are not) and had an active live packet sniffer to our server (we do not) or some sort of honeypot set up (no comment), then potentially we could backtrace the user.  But suffice it to say that proxies and VPNs make that sort of thing pretty futile unless you're the NSA, anyway.

Offline x4000

Re: Recent Hacking Attempt
« Reply #12 on: March 22, 2017, 04:23:36 pm »
> And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)

This again is something I can't comment too directly on, but it was a midlevel attack by someone clever.  They got by the 2FA despite us not doing anything stupid (our bases were fully covered on that front), but they managed to use some excellent trickery to get what they wanted anyhow.  The 2FA actually is what saved my butt to some extent, because as soon as a change was made I got pinged and leapt to deal with it.  Part of it was that I got doxxed, but none of my personal systems or truly personal info was uncovered in that so far as I know.

Basically: knowing what I do now, I could pull this attack off against any other indie developer I wanted to, presuming that I found a weakness in some random service on their servers (doesn't matter what).  But that said, the other end has been hardened against this, so I think if I tried to do this I'd wind up falling into a honeypot belonging to Valve now, to be honest.  I have no idea, but I suspect so, anyway.

It was an interesting experience, anyhow.

Offline zespri

  • Hero Member Mark III
  • *****
  • Posts: 1,109
Re: Recent Hacking Attempt
« Reply #13 on: March 25, 2017, 03:59:42 am »
> Basically: knowing what I do now, I could pull this attack off against any other indie developer I wanted to, presuming that I found a weakness in some random service on their servers (doesn't matter what).  But that said, the other end has been hardened against this, so I think if I tried to do this I'd wind up falling into a honeypot belonging to Valve now, to be honest.  I have no idea, but I suspect so, anyway.
>
> It was an interesting experience, anyhow.

I've been here 7 years... I think I own 5 copies of some Arcen games and more than one of each individual ones (was buying bundles and such and given the keys away to support the company).
Always admired the honesty and perseverance of Chris. Agreed / supported most of what has been written, discussed.

Still, I can't shake "security by obscurity" feeling. Detailing exactly how hacker social engineered his way to a steam account should actually help people, not put them in danger. Because exploit is now known and taken care of by Valve themselves. It would help people who might otherwise face a similar threat elsewhere in future. So why cannot this be explained or talked about? If you want to help these indie developers not to fall into the same trap, why would not you explain what exactly the trap is?

« Last Edit: March 25, 2017, 04:02:51 am by zespri »

Offline Dominus Arbitrationis

Re: Recent Hacking Attempt
« Reply #14 on: March 25, 2017, 12:19:06 pm »
> Still, I can't shake "security by obscurity" feeling. Detailing exactly how hacker social engineered his way to a steam account should actually help people, not put them in danger. Because exploit is now known and taken care of by Valve themselves. It would help people who might otherwise face a similar threat elsewhere in future. So why cannot this be explained or talked about? If you want to help these indie developers not to fall into the same trap, why would not you explain what exactly the trap is?

I can't speak for Chris, but the reason why I don't want to disclose the exact details is because while this exploit may be patched, a particularly clever person could probably come up with a new attack based off this one. In addition, if we expose this issue, then Valve can't catch someone who tries this again. As it stands, they are aware of the issue and probably watching out for this again.

While I would love to openly address the issue, there are flaws with that. Not to mention, I like to respect privacy, even that of the "big boys". So, I don't want to detail their failings due to people getting the wrong idea. If Valve said that we could mention it, I would openly address it. Steam is the major way we sell the games. Annoying them just isn't good business sense. Do I think it would annoy them? I'd like to say no, but you can never be sure, so we should err on the side of caution.