Guns, lots of guns. Well, two., originally uploaded by Paperghost.

Next month – October 6th & 7th – I’ll be at the Sector.ca Conference, talking about a subject close to my heart: how lots of rather naughty people are using consoles to both cheat the system and attack other users, via spam, DDoS and account theft. Is it abstract extract time?

I think it is.

Game Over, Man: Gamers Under Fire – Chris Boyd

An exploration of security issues relating to consoles and their risks to both home users and the business environment. This will include issues such as custom built DDoS tools, social engineering of Microsoft support staff, account theft, the risk to businesses and personal tips to keep your own details secure. I’ll also examine the trade of stolen Xbox accounts in return for credit cards, how the rewards that companies give gamers make them targets because of inadequate privacy features and how free programs allow hackers to exploit profanity filters, paid content and even the profiles themselves.

As you may know, I’ve spent a lot of time digging around script kiddy forums. By and large, most of what I see isn’t very impressive. However, for a while now there’s been an interesting offshoot of hacking forums, with entire sections devoted to console hacks and attacks. There’s an impressive amount of technical
knowledge and skill going into the creation of hacking tools for
consoles, hacking the console itself and doing all sorts of horrible
things to the people that use them.

Some of the techniques used to turn an otherwise harmless lump of content restricted plastic – whose very soul is supposedly on the leash of the company who made it – into something you can spend all day annoying somebody with never fails to amaze me.

How many companies now have gaming / recreation rooms with a console just plugged in and left to its own devices? How many parents mistakenly think the worst thing that’ll befall their kid is seeing someone get their head blown off on GTA4?

They’re all accidents waiting to happen, and the general promotion of consoles as these “unhackable, unsinkable” battleships of gaming is something that needs to be examined in greater detail.

It’s not just PCs under fire anymore…

There’s a Windows Live ID phish doing the rounds at the moment, aimed at XBox gamers and their overwhelming desire to obtain free STUFF. Namely, XBox Live points. Here’s the site, which is located at mspsite.t35.com:

Free Microsoft Points Scam, originally uploaded by Paperghost.

It contains the usual nonsense designed to make the victim sit around doing nothing while the phisher changes their login information:

“This website uses an exploit found on the xbox live website. Using this exploit correctly means you can edit your amount of microsoft points on your account. As the flaw is on the Singapore websites, People living outside of singapore may need to wait up to 24 hours for there points…”

Once you enter the info, your account is as good as gone along with anything you have attached to it. If you think people don’t fall for things like this, here’s the proof:

Click to Enlarge

Chalk up one victim to the above site. There’s bound to be more…

Not so long ago, I wrote about XBox Live Chain Letter Spam, and how it suddenly seemed to be the cool thing to do. Well, here’s an interesting example of how unfounded rumours + pretty pictures = hours of wasted fun for all the family.

Halo 3 is one of the biggest titles on the XBox console – if you’ve never heard of the game, click here while the rest of us wait for you.

All done? Good.

One of the most intriguing features of the game is the ability to save screenshots & videofiles to allocated storage space provided by the game maker, then share those files with other gamers. It didn’t take long before people started to abuse this system through a combination of believing anything they were told and the desperation produced by wanting something (almost) nobody else has.

The rare item in question here would be Halo 3’s mythical “Recon Armor” – an insanely rare item given only to Bungee employees and people who perform near miraculous (or just stupidly impressive) feats ingame. To give you an idea of how coveted this ingame item is, here’s a 583 page thread (!) dedicated to finding out how to get your hands on it.

Anyway.

It didn’t take long before some jokers decided to make this armor the “feature” of endless chain letter spam taking advantage of the file sharing functionality.

Your XBox Live account can send and receive messages to other users, much like the PM system of a forum. Quite a lot of people – those who play Halo 3 all the time and those who have never touched it in their lives – will have been sent a message like this over the past couple of months, entirely out of the blue:

halrec3, originally uploaded by Paperghost.

Note at the bottom it says “Check out this film clip”. If you hit the “Go to” link, you’d sit through thirty seconds of pointlessness and wonder why you’d bothered, or (if the link was for an image) you’d be left with a pretty (but pointless) picture.

What were the film clips? Well, I can’t show you those but I *can* show you the image spam, and once you see them this will all make sense:

halrec4, originally uploaded by Paperghost.

“If you recommend this to 50 people, you get Recon Armor”.

As you probably already guessed, spamming these images to 50 people does NOT get you recon armor. It does, however, make you remarkably unpopular. There are a lot of variations on these image spam messages, here’s another one:

halrec5, originally uploaded by Paperghost.

“Recommend this to 100 people to get Crystal Armor”.

Well….as long as it’s crystal…..