ICQ hack theories flood into Vulture Central
Walking on deathrow
Our recent story about a possible mass hack of ICQ inspired many of you to turn sleuth.
To recap, a Reg reader discovered that both of his accounts had suddenly become disconnected and the passwords no longer worked. The email addresses for both accounts, which were divided between divided between MacOS machines and Windows machines, were changed to 'firstname.lastname@example.org'.
A search of the AOL Mirabilis ICQ whitepages reveals hundreds of accounts all with this address (registered in countries such as China and Egypt). We began to suspect a mass hack.
(Since we wrote our original story, nearly all the 'hacked' ICQ accounts have been de-activated, according to our latest search of ICQ whitepages).
AOL was unable to shed much light, and more than two weeks later, is still to get back to us on its attempts to root out a cause for the problem. Likewise, security experts we quizzed were unsure about what was going on.
Reg readers have weighed with sundry theories. We'll kick off proceedings with the ones we were immediately able to discount - but which nonetheless illustrate script kiddie tricks of which users should be wary.
Spoof goes your ICQ account
First up is a spoofed email which is doing the rounds. Purporting to come from ICQ's support staff, it tries to trick the gullible into divulging their account names and passwords, which they are induced to enter into a script kiddie-friendly HTML form.
If you receive an email like the one below simply delete it.
Sent: xx February 2002 xx:xx
Subject: Important Notice about keeping your ICQ account active.
Dear ICQ user,
The ICQ Inc. is refreshing its databases to delete the inactive accounts. Please fill in your ICQ# and your Password and then submit this form by clicking the send button. This is everything that you have to do to keep your account active. Don't reply to this mail. After your submission you will be forwarded to our homepage and will be able to read the latest news about ICQ Inc. Unless you confirm us that you are using your ICQ legally by filling the empty spaces, you won't be able to use your ICQ account after our refreshing is over.
With best regards ICQ Inc.
Doubtless this works on some people (AOL warns users of such messages, which it NEVER sends itself), but we're able to discount this as a complete explanation of this particular hack because we're quite sure our original source didn't fall for it.
Cock-up not conspiracy
Next up, we have the theory that AOL's database administrator(s) messed up an SQL statement which updated everyone's email accounts so that they were the same address. This is an easy enough mistake to make, but we don't buy it, much as we incline towards the cock-up rather than conspiracy theory of history
It's all Microsoft's fault
This takes us to the popular theory that the user's ICQ account was hacked after first compromising user's Web-based accounts, such as Hotmail or Yahoo!
Crackers gain use of a Hotmail mailbox connected to an ICQ account (perhaps by re-registering an inactive account) before telling AOL that they've forgotten their ICQ password. A password is then sent to the compromised Web mail account and voila!, the script kiddies have access to your account.
Once this happens it's very hard to get your account back' and we understand also that it's difficult to get AOL to change the default email address to which such sensitive information is sent.
This is a plausible scenario, to be sure, but it fails to explain why many ICQ accounts NOT associated with Web mail addresses got reamed.
Moving on, there's the idea that someone has written a script to scan accounts for common passwords (remember to make this harder by using non-alpha-numerical characters in your password). They then change the password - inserting hidden ASCII characters - so even if you successfully request a password back you'll fail to type in the right phrase. This is possible, but seems far too laborious for application in mass hacking.
ICQ accounts sent to deathrow
Numerous Web sites exist which contain tools and utilities for ICQ hacking, and it seems that there appears that there appears to be a competition going on to compromise as many ICQ numbers as possible. This explains the motive for attacks and also takes us closer to an explanation of the probable method used.
A script published by Russian crackers, used a buffer overflow glitch in ICQ to create a ICQ White Pages form makes it possible to change people's else's ICQ details in White Pages.
The form send a UIN and 'password' to web.icq.com, which is longer than eight characters but gets through anyway because of the buffer overflow glitch. In the standard (official) ICQ form, there is 8-symbol limit but hackers rewrote that form changing this limit (to make the maxlength="10000" instead of maxlength="8").
We reckon the hack was pulled off either using either this technique (which might be a bit old) or cracker programs like ICQr, but if you've a better theory let us know.
So who's the culprit?
We're far from sure on this one but a discussion on the forum 8thwonder-net contains a boast from a cracker called de@throw that he/she was behind the hack. This may, or may not be true - no proof was given and the page in question has since been pulled.
Whatever the methods used in ICQ cracking, it's certainly a common problem. Users with hacked accounts are often asked to re-register, but we think this is not good enough.
With newer versions of ICQ your contact list gets stored on its server and can be retrieved at any computer with ICQ and the correct password. So if the accounts have been cracked, somebody could harvest this potentially sensitive information.
Since ICQ is widely used (with 122 million users according to ICQ Inc, an AOL Time Warner-owned subsidiary) the existence of numerous cracking utilities is something which needs to be guarded against. ®