How I would steal your bankroll (long)

[Sotiria]

Cliff notes at bottom

This stuff is obvious to some of you, but, clearly there are those that are not educated in the online poker community.
I post this as a warning to all online poker players out there.

You have money online. Bad people want it....they want it, and they can get it. You only notice this when you read a post in the high-stakes regarding how the OP was swindled out of X thousand dollars by villain, usually through a transfer scam. There is a better way to do it, and I'm sure that it's already going on. I write this to inform and educate you about the dangers of playing poker online.

How I would hack you

First, I would get your IP address. This is a trivial matter. I could hack a site that you post on that logs your IP address. I could own a site that you visit and be logging your IP every time you come. I could befriend you via an IM program and initiate a direct file transfer (heck, this in and of itself might be enough...you've seen posts where someone downloads an .exe file, executes it, and now the malicious user has control of their PC). In any case, again, a very trivial matter.

So I have your IP, you say...so what? Well, I hate to break it to you, huckleberry, but you're not the only person I'm targeting. I have the IP's of many mid and high-stakes players. I might not be able to break into YOUR computer, but I can break into at least a few of the PC's that I have IP info for. I won't go into detail here, but suffice to say, I *will* be able to have full control over at least some of the users that I'm targeting.

Now what? I log usernames/passwords to the sites you play at, get onto your account and dump the money in any number of ways. The end.

But wait; why would I do something as stupid as that? Sure, I probably will be able to hide myself enough that I won't get caught, but why risk it? And why would I want you to be aware that you've been hacked? Wouldn't it be better if I could siphon money off in a way that you wouldn't notice. Why don't I just orchestrate a scenario in which you'd basically be working for me (if you're a winning player).....you have a steady winrate, so your bankroll grows while I skim off the top. A long-term source of income, rather than a one time large score.

No, I won't simply dump all the chips on your account, I'm a little more refined than that. Instead, I'll install a program that allows me to see your desktop. Uh, oh. I can see your cards. I can see your online banking info. I can see the porn you're watching. I just sat down at your table, and now I go from a game of incomplete information, to being able to play perfect poker against you. And, like I said earlier, you're not the only person I've done this to. You might get wise if you see me following you to every table that you sit at, and it would seem awfully weird if I call you down with 10 high and am right....all the time. No, I have many sheep like you that I can steal from. And it's all "legit". I won my money at the table fair and square. No dumping money to off-shore accounts, or laundering through multiple accounts, or worrying about covering the money trail. Think of the advantage I have over you if your hand is always face up.


This is one of the many ways that you can be screwed out of your money. Again, I write this as a warning more than anything. This probably won't happen to you, but it sure is a possibility, especially if you're playing mega-stakes online. Take steps to ensure your security online. Buy a hardware firewall. Set up VMWare or get seperate computers for playing poker/doing everything else.



Cliff notes: Security should be of the utmost concern to anyone that manipulates or manages money online (banking, poker, whatever). Have 2 computers or set up VMWare so that you have one quarantined PC that you play poker on, and another that you use for everything else. This isn't foolproof, but it's a helluva lot better than what you currently have set up.

Sure it's unlikely that you will every be personally targeted for a malicious attack, but why risk the possibility if it only takes a little bit of effort to fix. Think of like this: would you have sex with a prostitute with no condom? Then why would you be so careless with the personal information on your computer?

[Dementia]

really sounds like you've thought this out, GL to you.

[Percula]

Excellent post, I hope it rings some bells. But I suspect that it will be met with ridicule and not taken for the valuable information that it is.

[Freakin]

NAT router, software firewall & AV is all you need if you don't download questionable stuff on a computer.

[BiPolar_Nut]

I'm seriously struggling w/ making a comment along the lines of: So when BBV wouldn't stake you you go on a hacking rampage? or remaining silent shaking my head in disgust knowing that there may actually be some HSNL players that don't have much security in place and haven't been screwed yet.

Also considered challenging OP to get my IP since it's so trivial...and then actually being able to do anything with it. No system is impenetrable, but I am quite confident my zero open ports, multiple firewalls, and bouncing my traffic between several computers around the globe before hitting the public internet non-tunneled depending on what I'm connecting with/to/for would be sufficient to stop the OP.

OP has a few valid points...but I think most HSNL players by nature would be more security conscious. Los stakes players may not have been around long enough to be in the habit of protecting their computer(s) and would be more likely targets.

The whole "I can see your screen" stuff, while certainly possible by any number of protocols, would be a silly way to get hole card info IMO (too easy to see the connection in netstat on a constant TCP connection and too bandwidth intensive when there are more efficient ways to make intermittent, focused screen captures and sending them via periodic stateless bursts.

Good info for the uninformed, I suppose. Might have been a better Zoo post to hit more of the unaware masses but it does arguably belong here more than there context-wise. I just think it may be more helpful targeting a more general audience *shrug*.

Ah well. It won't hurt anyone by being here, and if it scares one person into operating more safely, then it's served it's purpose.

[Sotiria]

[ QUOTE ]

Ah well. It won't hurt anyone by being here, and if it scares one person into operating more safely, then it's served it's purpose.

[/ QUOTE ]

That's all I was going for. This was a post for the completely uninformed. I saw a few posts from people in other forums that were rather naive about their security situation, but thought the the computer/technical help section was the most legitimate place for it. I wasn't trying to wow anyone with a technical-esque document, I was explaining on a 4th grade level what CAN happen (in any number of attack avenues) for those that seem to neglect what I consider mandatory steps.

This wasn't addressed to someone like yourself that has all their traffic going through multiple proxies and has multiple layers of local security. I also was not trying to make a script kiddie type "I know youR IP-zor NOw Ur Base belong to ME" post.

Please, take the OP for what it is and try not to have the usual arrogant 2p2 attitude.

BTW, I completely forgot about that BBV post...hillarious.

[goldtoes]

this is actually very funny.

I recently had my computer hacked into through LogMeIn. I believe it may have originated from me logging into LogMeIn on a public computer.

They maxed my credit card through Paypal buying stuff on eBay when they were controlling my computer. I was on vacation for 2 weeks the whole time this was going on and did not expect a thing. They also made their way into my poker accounts and used my accounts in some elaborate chip dumping scheme where they took someone's chips, dumped them to me, and then continued to dump them PLUS MINE to someone else then someone else, etc.

And since they did all of this from my computer through LogMeIn, it was all from my IP and even computer. Now Full Tilt and Stars locked my account and seized the few funds I had left. I lost over $3,000 but there was still a little less than 1k left on my Full Tilt account but it's frozen.

And since it appears that I did this myself from my own computer, they said they are giving that remaining $1,000 to the person who originally dumped their chips to me as repayment to them.

I have learned a good lesson from this. Don't use remote administration software on your poker playing computer and DO NOT TRUST POKER SITES with your money.

/gold

[BiPolar_Nut]

[ QUOTE ]
it may have originated from me logging into LogMeIn on a public computer

[/ QUOTE ]

Ouch.

[MrMoo]

While I'm not against you warning people of the dangers they face, I think overall your post sucks. Your entire post focuses on some hacking mysticism you're going to use to own someones computer. Goody for you. It seems to me that your doing this for no other reason than fear mongering and delusions of grandeur.

A while back ColdCaller posted a thread about security. His was much better. Instead of spreading FUD, he concentrated on explaining to people here how to protect themselves. A lot of people learned from it. Perhaps you'd be interested in posting how to avoid what you claim you can do instead of making posts designed to inspire fear.

Finally, your post provides little details as to how to actually do the "hard stuff". You summarize "dumping the money" in one sentence. How exactly would you do that? It's not easy. At least if you live within the US or in a country that has liberal extradition laws. Getting away with anything more than a few thousand dollars becomes very difficult. It isn't as simple as you portray. If you're reasonably intelligent and your skills have passed that of someone who's read Hacking Exposed and can download Metasploit, there are far easier, less risky, and more profitable ways to commit computer crime.