Imperva’s ADC has uncovered a new scheme targeting teens. How does it work? Hackers used a phishing attack to obtain credentials for Habbo Hotel, a social networking website aimed at teenagers. The website is owned and operated by Sulake Corporation. The service began in 2000 and has expanded to include 32 online communities (or “hotels”). As of June 2008, over 118 million avatars had been registered. There are an average of 8 million unique visitors monthly, and 75,000 avatars are created every day.
Habbo had some issues in the past which were related to the young age of its customers. In December 2004, a 36-year-old man was imprisoned after using Habbo to persuade a 13-year-old girl to visit him. On 14 November 2007, a 17-year-old in Holland was arrested by police for allegedly stealing virtual furniture bought with real money.
How does the scam work?
Step 1: t35.com
T35.com is a popular free hosting provider. Hackers prefer this site for their nefarious actions because:
1. It allows PHP execution, the hackers’ weapon of choice among server-side technologies.
2. It provides FTP access to the account, so uploading and downloading content automatically is easy.
3. It is free and offers enough disk space (that is not unique, but it is very helpful).
Step 2: Finding the credentials
Knowing that t35.com hosts malicious sites, we tried to find sites that store passwords in a text file, using the following Google search: password site:t35.com filetype:txt. From the search results we found the site halist.t35.com, which contains thousands of user credentials and personal details for habbo.co.uk.
The details, apart from the user password, include birthdate, mail address and parents’ address. Many of the Habbo application’s users are minors, as can be seen from their birthdates.
Step 3: Stealing the credentials
We found the hacker (an 18-year-old female from Eindhoven, NL, or at least so she claims) bragging about her findings and saying it was done by phishing:
Jumping to the end of the message, the attacker boasts about their handiwork:
In another post, she tells that she was banned from Habbo and reveals her avatar’s name is “chewingbum”.
And what did chewingbum.t35.com host before it was taken off the t35 servers?
A Habbo phishing site!
Example of a Habbo phishing site
An unrelated phishing site is also hosted on the t35.com server, http://own3dblog.t35.com/ (translated by Google from Italian).
They tempt the very young and innocent users to give away their credentials for a promise of some game prizes, such as coins or rare furniture for their virtual room.
What are the hackers doing with the credentials?
A confession from a hacker who found out that a parent’s mail address and password were the same as those of her eBay account. Luckily for her, that hacker did not want to do anything “definitely illegal”, in his words. But surely other hackers are not as righteous as this one.
It is quite likely that an attacker could use the credentials to gain access to trusting teens for highly improper purposes.