
Popular Children's Web Site Under Attack by Identity Thieves

Thu Jul 09, 2009 2:24 am

News story from Fox News:

You can take candy from a baby in cyberspace — and it's enough to make a grownup cry.

The popular Web site Neopets has a reputation for being kid-friendly and kid-safe. Owned by the media giant Viacom, Neopets lets its members — roughly 25 million people — "adopt" cyber pets and earn points by playing games to purchase items for them.

Nearly half of players are between the ages of 8 and 12, although some are as young as 6, and they communicate with each other while at play.

But Neopets has been hit by Internet pirates, according to Christopher Boyd, director of malware research at FaceTime Communications Inc., a California-based Internet security company.

The scam takes advantage of kids willing to pay big for a "magic paintbrush," the rare and pricey item that lets kids change their pets' colors.

They're sent a seemingly innocuous e-mail or private message on the Neopets bulletin boards telling them about a secret Web site (Neopets does not let users copy and paste links) that will let them make their own magic paintbrushes — without having to spend precious points for them.

But when the child browses to that third-party Web site, which may be spoofing the official Neopets look and feel, he or she is not actually downloading and installing a magic paintbrush, but malware — software created to damage or penetrate a computer system.

Not only does the child never get the anticipated paintbrush, the malicious software then is in place to wreak havoc with his or her parents' financial data by culling private information from the now-infected PC.

"I think it's despicable that someone would target little kids, but unfortunately, I'm not entirely surprised," comments Tela Durbin, a 33-year-old advertising copywriter in Cincinnati who blogs for the Working Moms Against Guilt Web site.

Passwords to banking sites, account information, Social Security and credit card numbers all become fair game.

"The overall aim is hoping a child's parent does [online] banking," says Boyd, a security expert. "The child is being used as a launch pad to get to the parent."

Boyd heard of the scam when a friend's child, a Neopet user, was sent the message and the parent asked Boyd to check it out.

Cara Reeves, a 32-year-old advertising copywriter in Cincinnati, has a 6-year-old who's a big fan of Webkinz, a Web site similar to Neopets, and was shocked to learn that her children could become targets of scammers.

"Although I'm usually in the same room or nearby when he's playing, I know he could easily click on something without my knowledge," she says. "Hearing about this scam makes me think I should be monitoring him more closely — or avoid 'kid-safe' community Web sites altogether."

Boyd, who blogged about the problem last week, says such ploys of offering "something for nothing," whether it's free gaming software or Web design software, all follow the same basic principles.

Once a curious surfer clicks on the link and downloads the malware, his PC is compromised, and the information on it is "sent back to base" for the bad guys to use as they choose, says Boyd.

Another security expert isn't surprised by the scam.

"Cybercriminals are looking to attack people where they gather and where they feel safe — and that defines our online social networks," says Marian Merritt, Norton Internet Safety Advocate at Cupertino, Calif.-based PC security giant Symantec.

For its part, Viacom says it is investigating.

"The blog post by Mr. Boyd was not an indictment of Neopets security practices, but rather one example of a 'social engineering' scam used by third parties to lure members of community websites to unaffiliated websites where they may be deceived into providing user name and password," Viacom said in a statement.

"Neopets values the security of our users and educates them about these types of scams. We aggressively investigate all reported instances of social engineering, phishing and any other attempts by malicious individuals to deceive Neopets members."

A Web of Deceit

While social networking sites such as MySpace, Facebook and Neopets spell out conditions against such practices and publicly warn users of the potential threats of infiltration, it's really up to the user — or the user's parents — to watch out for sinister pop-ups and e-mails, says Boyd.

"People come up with the scams randomly," he says. "It's up to the people to monitor these things."

Kelly Land, a stay-at-home working mother from Asheville, N.C., points out that it's best to always be on your guard.

"The Internet is very much the Wild West," says Land. "You wouldn't have sent [Little House on the Prairie author] Laura Ingalls Wilder out in the middle of the night to fetch water from the river. Something terrible could have happened to her.

"It's the same with your kid. Don't just let them go out there and think everything will take care of itself and [that] your kid is smarter than a scammer. Odds are ... they are not. And the outcome could be absolutely devastating."

Symantec's Merritt says parents need to keep tabs on what their kids are doing online — even if it's a reputedly rock-solid safe site like Neopets.

"When your children are using social networks, remind them to be careful about who they add as a friend, show them how to set privacy settings to keep private information and photos away from the public, and make sure they know not to click on links or programs sent to them, even by their friends," she says.

The threat of malware isn't just isolated to one hacker stealing one person's information, say security experts. Devious software can sniff out passwords stored in browsers or word documents on a computer that hold personal information, and then pass this data along.

"The bigger issue with [the Neopets-based scam] is the botnet aspect of it," says Michael Fitzpatrick, CEO at NCX Group Inc., a California-based information risk management firm.

The installed malware, explains Fitzpatrick, not only steals personal data — it also lets the hacker "herd" the infected PC into a "botnet," a giant Internet-based virtual computer that can be used to send spam e-mail, attack other Web sites or pump out more malware, all without the rightful owner's knowledge.

While security firms like NCX and Symantec, which makes the well-known Norton anti-virus line of software, are always trying to improve their technology to combat the changing threats, it's an arduous and nebulous task.

"We have to get better on the defense each year," says Fitzpatrick. "It's a process that never stops."

Still, says Boyd, bringing attention to this particular scam means the bad guys will have to go back to the drawing board.

"Shining a light on these corners of the Web tends to make them scatter," he says.

Or, as Land puts it: "Being a cool, passive parent has never been so uncool."


As a warning, you should never click on any suspicious links. Cookie grabbers and malware could potentially be placed in user-editable areas, such as userlookups, shops, etc. Always be careful when browsing the site, and report anything suspicious immediately. Antivirus software will NOT protect against cookie grabbers, but it may protect against the malware. The Firefox add-on NoScript may protect against cookie grabbers (be sure to set Neopets.com to "Allow"). We have heard that CGers may be placed in the fake reply boxes in Neoboard posts.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Thu Jul 09, 2009 2:37 am

I love how the Webkinz CEO subtly bashed Neopets for being a community. Excuse me as I waste my money on Webkinz now. ;)

Valid point, but this has been going on for quite a while, even if it wasn't just to steal financial data.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Thu Jul 09, 2009 3:46 am

The main problem, as I see it, is that Neopets is so big and has so many user-editable areas. It's almost impossible to police them all.

Siouxper's general warning to not click on links you don't know from people you don't know is always good advice.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Fri Jul 10, 2009 12:08 am

Nearly a dozen people from the BD Chat (all of them, I know very well) have been CGed and iced very recently (within the past day or two), and this problem seems to be escalating very quickly. I strongly urge everyone to avoid user-editable pages when possible, because a few people have reported being CGed even with NoScript installed.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Fri Jul 10, 2009 4:12 am

I'm curious what the exploit is this time. It was only two years ago that there was a rash of CGs popping up in user shops, the trading post, and lookups, and I had thought TNT put the clamp on them fairly quickly (though certainly not quickly enough).

So how are these yahoos getting around it this time?

Re: Popular Children's Web Site Under Attack by Identity Thieves

Fri Jul 10, 2009 5:56 am

No idea. I was cookie grabbed even with no-script and being extremely safe around the site.

It's really unfortunate that people would go so far to cheat on a (kids) online pet game. Unless we are talking about the information thieves that are out for bank info, it is just pointless. If you are really paranoid about cookies (which you should be), check out this Firefox add-on. Anything is worth a shot to protect your hard work.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Fri Jul 10, 2009 11:04 pm

Many people from the Spotlights/Galleries chat have been CGed when a person with a CGer in their gallery asked for the gallery to be rated. I saw at least 2 people with CGs in their galleries last night, and TNT took a ridiculous amount of time to freeze them (I think it was about 10 hours for one person).

Edit to add:

I am appalled at TNT's dodgy answer to the question regarding the Fox News article. They completely deny the existence of cookie grabbers. This is just ridiculous.

We’re going to hand this one over to Lawyerbot.

As you know, Neopets security is as active as always, so no reason to be scared. You may have heard about some recent news in the press which has led to some confusion about Neopets’ actual security policies and measures. To be clear, Neopets actively restricts users from entering third party website URL links on its message boards or Neomails. In fact, we take substantial preventative measures to prevent the kinds of scams described in the news. Since scammers who want to trick you into visiting their websites can’t post their links they will try to trick you into pasting third party urls in your browser to get you to visit another website with promises of free Neopoints, free paintbrushes, etc. but most users recognize these as scams. We warn users about these scams on the Wall of Shame (http://www.neopets.com/wallofshame.phtml) and we remind you never to share your password with anyone. Internet safety is very important to us and we appreciate users’ help in reporting scams and spreading the word about internet safety. As we often say, be aware that if someone is trying to tell you their site is related to Neopets to trick you into giving out your account information, don't give any information at all and don't download anything they may ask you to. This is true anywhere on the Internet, always check with your parents first before visiting or downloading from a website you don't know. Always remember: if something seems too good to be true, it probably is.

If you see what you suspect may be a scam, please let us know! Just go to http://www.neopets.com/autoform_abuse.p ... use=report when you are logged into your account and give us as much information as you can. We’ll look into it right away!

Re: Popular Children's Web Site Under Attack by Identity Thieves

Fri Jul 10, 2009 11:39 pm

That's been TNT's position all along -- they officially deny that their security has ever been compromised, and claim that users only lose their accounts by giving info to "third-party sites" (and not ever through neopets.com). I'd be appalled, but I'm too jaded with TNT at this point to care.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Sun Jul 12, 2009 8:49 pm

How do you spot one? How do you know you have one? How do you get rid of it?

Re: Popular Children's Web Site Under Attack by Identity Thieves

Mon Jul 13, 2009 4:17 am

Nothing pops up when you go to a page with a cookie grabber, so you just have to use your instincts. If anything seems off, immediately change your password. I believe you are also supposed to clear your cookies, but I'm unsure what exactly that's supposed to do since they already have your information. Otherwise just avoid user-editable pages for now if you can (ex, someone random-neofriended me yesterday, usually I click their lookup but this time I did not, just rejected it), and set a PIN for everything. PINs are immune to cookie grabbers. Then the only damage they can do is by posting bad stuff on your lookup or the boards, getting you frozen... but at least you'd have a chance of recovering all of your NP/items/pets if you plead your case that you were hijacked!

Re: Popular Children's Web Site Under Attack by Identity Thieves

Mon Jul 13, 2009 3:40 pm

If you have NoScript installed, a popup from NoScript will appear, telling you that the CG was blocked. If you don't have it installed, there is no way to tell until it is too late.

As for a virus, I haven't heard of one downloading onto the computers of users for a while, but it is still possible. To fix this, you should regularly scan your computer for viruses, and have a good firewall in place.

Re: Popular Children's Web Site Under Attack by Identity Thieves

Tue Jul 14, 2009 2:01 am

I'm wondering - is there any way to know if a lookup I was just on is CG bugged? If you view the source code, should it show anything suspicious? (I know you won't want to post the coding here if it is visible, but maybe a keyword I would recognize?)

Re: Popular Children's Web Site Under Attack by Identity Thieves

Tue Jul 14, 2009 2:08 am

I personally don't know of a way to spot it in the code, but there probably is a thing you can spot. To view the coding that the user personally put in their lookup, view the source, press Ctrl + F, and type in "User Lookup:" (without the quotes, of course). Then, you might be able to spot suspicious coding that shouldn't be there.
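The manual check described in the post above can be automated. The following is an added example, not part of the original thread and not Neopets code: it scans a saved page's source after the "User Lookup:" marker and lists markup that can run script or load content from another site. The first-party host rule and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet", "meta", "base", "form"}
URL_ATTRS = {"src", "href", "action", "background", "data"}

def is_first_party(host):
    # Assumption: legitimate page assets are served from neopets.com hosts.
    return host == "neopets.com" or host.endswith(".neopets.com")

class LookupAuditor(HTMLParser):
    """Collects (line, kind, detail) for markup that can run code or call out."""
    def __init__(self, line_offset=0):
        super().__init__()
        self.line_offset = line_offset
        self.findings = []

    def flag(self, kind, detail):
        self.findings.append((self.line_offset + self.getpos()[0], kind, detail))

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.flag("active-tag", tag)
        for name, value in attrs:
            if name.startswith("on"):  # onload, onerror, onmouseover, ...
                self.flag("event-handler", f"{tag} {name}")
            elif name in URL_ATTRS:
                # Browsers ignore whitespace and control characters in a URL scheme.
                url = urlparse(re.sub(r"[\x00-\x20]", "", value or ""))
                if url.scheme in ("javascript", "vbscript", "data"):
                    self.flag("script-url", f"{tag} {name}")
                elif url.hostname and not is_first_party(url.hostname):
                    self.flag("offsite-url", url.hostname)

def audit(page_source, marker="User Lookup:"):
    """Audit only the user-supplied part of a saved page (everything after marker)."""
    start = max(page_source.find(marker), 0)  # marker absent: scan the whole page
    auditor = LookupAuditor(page_source[:start].count("\n"))
    auditor.feed(page_source[start:])
    auditor.close()
    return auditor.findings

# Constructed sample page; hosts under example.invalid are placeholders.
SAMPLE = """<html><body>
<img src="http://images.neopets.com/logo.gif">
<b>User Lookup: constructed_user</b>
<div style="color: green">Welcome to my lookup!</div>
<img src="http://images.neopets.com/pets/happy.gif">
<img src="http://tracker.example.invalid/pixel.gif">
<div onmouseover="/* constructed placeholder */">hover</div>
<a href="javascript:void(0)">free paintbrush</a>
<script src="//cdn.example.invalid/a.js"></script>
</body></html>"""
```

An empty result only means none of these constructs were found in the saved source; a flagged line is a reason to report the page, not proof of a cookie grabber.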

Re: Popular Children's Web Site Under Attack by Identity Thieves

Tue Jul 14, 2009 8:46 pm

Okay I just downloaded those two add-ons recommended on this page. Thank you very much! (I rarely go on user content pages, but you can never be too careful elsewhere)

How do I set up NoScript? It's blocking basically everything on Neopets...

Re: Popular Children's Web Site Under Attack by Identity Thieves

Wed Jul 15, 2009 1:10 am

Click on the icon in the lower right of your screen and allow neopets.com. Most sites won't appear properly until you allow them.