My Neteller & PokerStars accounts compromised - already lost over $1100

shadesofgrey · #81 (**permalink**) 01-05-2007, 01:26 AM

Quote:

Originally Posted by Zentish

I keep thinking through the vector of your credential compromise, and the simplest explanation would seem that someone got your P* credentials and worked backwards to your netteller account.

I have to assume that the P* client encrypts all it's internet traffic and the only way for someone to obtain your credentials is at one end or the other, your PC or the P* servers.

If the P* authentication systems were compromised, your account and $1000 would be small time compared to what someone could go after. So again, everything points to it being on your side of things.

Your computer and network appears to be secure, although there are a lot of ways these scumbag bot nets can hide themselves on a windows box. Is it possible that you logged on to P* from some other computer or on some other network? Are there other computers on your network that may be compromised?

I remember a while back I wanted to test the security level of poker rooms.. I ran a packet sniffer on all the traffic sent to and from P* to see if login info or card info was being transmitted unencrypted. P*'s was fine, pokerroom was not. Pokerroom sent login and password in a packet unencrypted.... I dropped pokerroom like a rock.

So I think P* is fairly secure. Jambys problem has got to be local....

The fact that her PC looks solid is whats scaring me. obvious good firewall... i snitched nill from jambys IP address. all ports stealth. there's something local to her PC. id like to figure this out / without getting it. period.

Jamby, before you read the rest.... I offer you help beyond this point.

Jamby, In truth, right now, i'd be reinstalling the whole OS. you've been comprimised. not sure how, but for sure it happened.

my money is on an email distro of nasties. not a phishing scam....THIS IS SPOOKY! Its probably all over IRC.

Two last thoughts, its late & im going to vegas tomorrow

Check your keyboard and mouse plugins... make sure there's no HW inbetween.

Jamby, how do you do email? what program? think lists, buyers, sellers, anyone who could also be infected and passing it on?

PM me your email address... i'll send you a google invite.... or anyone else who wants one... ive got over a hundred available.

Going to bed & Going to vegas tomorrow!!

jamby · #82 (**permalink**) 01-05-2007, 08:31 AM

No, I've never logged onto P* from any other computer and these are the only two computers on my network that have P* client software. The other laptop is my partner's and it has never been used for any kind of poker or money transfer.

Quote:

Originally Posted by Zentish

Is it possible that you logged on to P* from some other computer or on some other network? Are there other computers on your network that may be compromised?

WolfPack · #83 (**permalink**) 01-05-2007, 08:34 AM

I don't think NT could have been compromised from someone accessing her P* account.

NT has not only a password, but a pin number and I don't see how someone could get the pin number from P* account, even if they both used the same password.

jamby · #84 (**permalink**) 01-05-2007, 08:38 AM

Google's what I use already. Thanks anyway though.

If it's local it doesn't really make sense that the offender's IP is in Arkansas does it?

Enjoy LV - I hope you get lucky there. Thanks for all your help.

Quote:

Originally Posted by shadesofgrey

IJamby, how do you do email? what program? ... PM me your email address... i'll send you a google invite.... or anyone else who wants one... ive got over a hundred available.
... Going to bed & Going to vegas tomorrow!!

jamby · #85 (**permalink**) 01-05-2007, 09:22 AM

I heard from Betway today regarding the $300 that went to them. The perpetrator's IP address is: 82.2.232.170.

Here's their response. Real helpful.

Your Netelleraccount have been used on this registration, and the IP adress is:
82.2.232.170

please note that he lost all the funds in Poker and we can not retrieve that money back to you.

Regards,
Betway.com Ltd

Nexttime · #86 (**permalink**) 01-05-2007, 09:37 AM

Quote:

Originally Posted by jamby

My P* and NT passwords were the same. Conceivably, he could have hacked into NT, checked the history for transactions, saw P* and tried the obvious. He then drained my P* account. That's what the P* folks think happened anyway. They weren't suspicious because there were no logon failures when he logged in there and he transferred the funds out the same way they had gone in. No red flags at all. Their conention is that the folks at Betway and ParadiseBet should have used the same precautions and matched the funding source with the account.

Umm.. Don't you have to login with a username, password and a backup id on neteller? The password might have been the same as P* but the P* doesn't use a pin code, right?

Nexttime · #87 (**permalink**) 01-05-2007, 09:39 AM

Quote:

Originally Posted by jamby

I heard from Betway today regarding the $300 that went to them. The perpetrator's IP address is: 82.2.232.170.

Here's their response. Real helpful.

Your Netelleraccount have been used on this registration, and the IP adress is:
82.2.232.170

please note that he lost all the funds in Poker and we can not retrieve that money back to you.

Regards,
Betway.com Ltd

nslookup 82.2.232.170

Non-authoritative answer:
170.232.2.82.in-addr.arpa name = cpc1-seve1-0-0-cust169.popl.cable.ntl.com.

Authoritative answers can be found from:
232.2.82.in-addr.arpa nameserver = dns2.ntli.net.
232.2.82.in-addr.arpa nameserver = dns1.ntli.net.
dns1.ntli.net internet address = 62.253.162.237
dns2.ntli.net internet address = 194.168.4.237

A cable modem at ntl.com

jamby · #88 (**permalink**) 01-05-2007, 09:42 AM

True enough.

Quote:

Originally Posted by Nexttime

Umm.. Don't you have to login with a username, password and a backup id on neteller? The password might have been the same as P* but the P* doesn't use a pin code, right?

Harlequin011 · #89 (**permalink**) 01-05-2007, 09:47 AM

Shades,

It's possible that either P* or Neteller themselves were compromised without Jamby's PC being breached. Possible brute force or something.

Like she said, she hasn't logged into P* for 9 months. That would mean that whoever got this info has probably been sitting on it for 9 months. That seems a little odd to me.

Unless a hash was obtained and it was run against a cracker... That would make sense for the long delay. Do you know what encryption is being used?

Good on you BTW for finding out who protects there traffic.

WolfPack · #90 (**permalink**) 01-05-2007, 10:07 AM

damn, not only is the guy a crook, but a donk as well. He lost $300 in a day.