A high stakes online poker player says that an unknown hacker used a malicious image file to compromise his account and empty it of more than $100,000 in winnings – the latest in what players say is a string of scams.
The player, who uses the handle _MicahJ_, claims that a fellow member of the twoplustwo forums lured him into an online poker game in order to size up his online holdings.
That user then sent an email containing a malicious image file that installed a keylogging Trojan on his system. The attacker then emptied the account of over $115,000 in poker winnings over three days.
“I knew I shouldn’t have opened it but didn’t think until after the matter. I contacted others on suspected scamming but couldn’t get anything done until it was too late,” he wrote.
According to the user, who did not immediately respond to requests for comment, the hacker – using the handle highgrind22 – gained access to an account at the website Lock Poker for three days. During that time he made small transfers out of the account to an account linked to a yahoo.com email address. The attacker also played in high stakes games, losing around $80,000 to another player.
The post, on Saturday, elicited hundreds of responses from twoplustwo users, most online poker players themselves. The ensuing conversation has become something of an online ‘whodunnit,’ with players attempting to uncover the identity of the attacker, and others stepping forward to clear their name from the scandal.
The list of suspects includes a twoplustwo forum member who uses the handle WHITNEYDOH, and who made tens of thousands of dollars in online winnings playing against what _MicahJ_ claims was a hacked account. After briefly having his account suspended by Lock Poker, however, that user was reinstated and claims innocence.
It is not known for sure if _MicahJ_ was the victim of a malicious software attack and, if he was, what kind of malware was used.
In posts to twoplustwo he claims to be a Mac user, which means that any malware used would have to work on that platform. Also unclear is whether Lock Poker provides any insurance for online holdings, or any monitoring to prevent sudden and unexplained account-to-account transfers.
LockPoker declined to comment. “We cannot disclose any findings of any investigation for privacy and security concerns,” the company said in an email to Naked Security. “Rest assured, we put a significant amount of time, resources and technology in minimizing the chances of fraud occurring.”
Online poker forums are a popular target for hackers, given the large sums of money that change hands in online gaming. In fact, twoplustwo was a victim of a hack in April that reportedly compromised the accounts of forum members.
In March 2011, a 29-year-old man received two years in prison for hacking into a computer server, stealing and then laundering 400 billion virtual poker chips from the online gaming firm Zynga worth an estimated $12 million.
Past attacks, however, have focused on online poker platforms as much as players.
In 1999, researchers (including Adobe’s security boss Brad Arkin) famously identified an off-by-one error in a shuffling algorithm used by the Web site PlanetPoker.
That allowed the researchers to predict the outcome of supposedly “random” virtual deck shuffles used on the site.
According to Micah on 2+2, it was a file with .exe ending (bankstatement.jpg.exe) which he opened in his Windows emulator.
That sounds most likely.
We have seen malware attacks spread via boobytrapped image files before (exploiting vulnerabilities), but it's more common for malware to be spread using the old double-extension trick.
Your second paragraph makes me wonder whether I was mistaken to enjoy your irony, in the first.
I haven't seen the user transaction for opening an Exe in a Windows emulator under Mac OS, but I'd guess there's an opportunity to realise what you're doing and cancel.
Regardless, what appears to be being suggested is a Windows Exe which, running within the emulator, is able to install a key-logger on the host Mac OS. This would be similar to a virus breaking out of your test lab VM to infect its host system. Probably not impossible but quite far into the impressive end of attack crafting.
I wonder if it's time for Microsoft (or some third party who can program a lot better than I) to build in a warning whenever a file has two extensions, each of which are three characters, and the last of which is executable.
Knowledgeable people are not normally hoodwinked by it (though anyone can be caught off-guard), but it's too much to expect that all users need to know how extensions work, how one can be hidden and not the other, and so on.
This isn't exactly Microsoft's problem (I'm laying no blame here), but I do see an opportunity for them to improve security by turning the file name red or having a pop-up warning when such a file is double-clicked (obviously with a "Don't show this again" check box too).
— Gavin
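The check proposed in the comment above, as an added example that is not part of the original article or comments: it flags names such as bankstatement.jpg.exe and shows what the user sees once the final extension is hidden. The extension lists and all function names are assumptions made for illustration.

```python
import os

# Assumed lists, not taken from the page: types Windows runs on double-click,
# and types most users read as harmless documents or pictures.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "xls", "txt"}


def base_name(path):
    """File name without directories, accepting Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/"))


def extensions(path):
    """Lower-cased extensions of the file name, outermost last."""
    return [part.lower() for part in base_name(path).split(".")[1:] if part]


def is_double_extension(path):
    """True when the real (last) extension is executable and the one before
    it is a document or image type, as in the commenter's proposed rule."""
    exts = extensions(path)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def displayed_name(path):
    """What a file manager shows when it hides the final extension."""
    return os.path.splitext(base_name(path))[0]


def flag_attachments(names):
    """Return (real name, name the user sees) for every suspicious file."""
    return [(n, displayed_name(n)) for n in names if is_double_extension(n)]


# Constructed sample; only bankstatement.jpg.exe is a name from the page.
SAMPLE = [
    "bankstatement.jpg.exe",
    "C:\\Users\\demo\\Downloads\\Holiday.PNG.SCR",
    "archive.tar.gz",
    "setup.exe",
    "report.v2.pdf",
]

if __name__ == "__main__":
    for real, shown in flag_attachments(SAMPLE):
        print(f"WARN {real!r} is executable but displays as {shown!r}")
```

Matching on extension lists rather than on a three-character length also catches decoys such as .jpeg or .docx, while leaving ordinary multi-dot names like archive.tar.gz alone.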
It doesn't help, though, that in Windows 7, for example, the file extension is hidden by default in Windows Explorer. So it would be easy for users to see .jpg and not the .exe after it and not think twice. I really think this dumbing down of the user experience is bad for security.
Speaking as someone on a pension who has to survive on a low income, I find it hard to feel any sympathy for anyone who has that kind of money to waste on gambling and is then stupid enough to click on things they shouldn't. 'So sad, too bad' are my feelings on the matter.
That's pretty crazy. I don't know why he would keep that kinda money on any online site.
But the thing sounds kinda fishy. He probably wanted to do some high stakes betting, so he "sent" it to a fake account and this was his backup plan.
I would advise anyone who does regular financial transactions online to educate themselves to the world of online hacking, scams and such.
And to remember that gambling is an extension of the Art of War… and he got taken down in a black op.
Knowledge is power as they say.