ICQ hack theories flood into Vulture Central

Walking on deathrow


Our recent story about a possible mass hack of ICQ inspired many of you to turn sleuth.

To recap, a Reg reader discovered that both of his accounts had suddenly become disconnected and the passwords no longer worked. The email addresses for both accounts, which were divided between MacOS machines and Windows machines, had been changed to 'uin@deathrow.com'.

A search of the AOL Mirabilis ICQ whitepages reveals hundreds of accounts all with this address (registered in countries such as China and Egypt). We began to suspect a mass hack.

(Since we wrote our original story, nearly all the 'hacked' ICQ accounts have been de-activated, according to our latest search of the ICQ whitepages.)

AOL was unable to shed much light and, more than two weeks later, has still not got back to us on its attempts to root out a cause for the problem. Likewise, the security experts we quizzed were unsure about what was going on.

Reg readers have weighed in with sundry theories. We'll kick off proceedings with the ones we were immediately able to discount - but which nonetheless illustrate script kiddie tricks of which users should be wary.

Spoof goes your ICQ account

First up is a spoofed email which is doing the rounds. Purporting to come from ICQ's support staff, it tries to trick the gullible into divulging their account names and passwords, which they are induced to enter into a script kiddie-friendly HTML form.

If you receive an email like the one below simply delete it.

From: support@icq.com
Sent: xx February 2002 xx:xx
To: gulliable@whatever.com
Subject: Important Notice about keeping your ICQ account active.

Dear ICQ user,

The ICQ Inc. is refreshing its databases to delete the inactive accounts. Please fill in your ICQ# and your Password and then submit this form by clicking the send button. This is everything that you have to do to keep your account active. Don't reply to this mail. After your submission you will be forwarded to our homepage and will be able to read the latest news about ICQ Inc. Unless you confirm us that you are using your ICQ legally by filling the empty spaces, you won't be able to use your ICQ account after our refreshing is over.

With best regards ICQ Inc.


Password :

Doubtless this works on some people (AOL warns users of such messages, which it NEVER sends itself), but we're able to discount this as a complete explanation of this particular hack because we're quite sure our original source didn't fall for it.

Cock-up not conspiracy

Next up, we have the theory that AOL's database administrator(s) messed up an SQL statement which updated everyone's email address so that they all became the same address. This is an easy enough mistake to make, but we don't buy it, much as we incline towards the cock-up rather than the conspiracy theory of history.

It's all Microsoft's fault

This takes us to the popular theory that the user's ICQ account was hacked after first compromising the user's Web-based email account, such as Hotmail or Yahoo!.

Crackers gain use of a Hotmail mailbox connected to an ICQ account (perhaps by re-registering an inactive account) before telling AOL that they've forgotten their ICQ password. A password is then sent to the compromised Web mail account and voila!, the script kiddies have access to your account.

Once this happens it's very hard to get your account back, and we understand also that it's difficult to get AOL to change the default email address to which such sensitive information is sent.

This is a plausible scenario, to be sure, but it fails to explain why many ICQ accounts NOT associated with Web mail addresses got reamed.

War scripting

Moving on, there's the idea that someone has written a script to scan accounts for common passwords (remember to make this harder by using non-alpha-numerical characters in your password). They then change the password - inserting hidden ASCII characters - so even if you successfully request a password back you'll fail to type in the right phrase. This is possible, but seems far too laborious for application in mass hacking.

ICQ accounts sent to deathrow

Numerous Web sites exist which contain tools and utilities for ICQ hacking, and there appears to be a competition going on to compromise as many ICQ numbers as possible. This explains the motive for the attacks and also takes us closer to an explanation of the probable method used.

A script published by Russian crackers uses a buffer overflow glitch in ICQ: a modified ICQ White Pages form makes it possible to change other people's ICQ details in White Pages.

The form sends a UIN and a 'password' to web.icq.com. The password is longer than eight characters but gets through anyway because of the buffer overflow glitch. The standard (official) ICQ form has an eight-character limit, but the hackers rewrote the form to lift that limit (maxlength="10000" instead of maxlength="8").
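The lesson for anyone running a form like this is that a maxlength attribute in HTML is advice to the browser, not a control: whoever rewrote the form simply removed it. As an added illustration (not code from the article, ICQ or AOL), here is the kind of server-side check that such a request should run into, enforcing the limit again where the submission is actually processed; the field names, the UIN limit and the sample submissions are assumptions made for the example.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Assumed limits for illustration: the password limit is the one the official
# form advertised client-side via maxlength="8"; the UIN limit is a guess.
UIN_MAX_LEN = 10
PASSWORD_MAX_LEN = 8


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into a flat dict
    (first value per field), as a web handler would receive it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_update(form: Dict[str, str]) -> List[str]:
    """Return the reasons for rejecting a White Pages update; an empty list
    means the request is acceptable. Because the length and character checks
    live here, a client that has edited maxlength in the HTML gains nothing."""
    errors: List[str] = []
    uin = form.get("uin", "")
    password = form.get("password", "")
    if not uin.isdigit() or not (1 <= len(uin) <= UIN_MAX_LEN):
        errors.append("uin must be 1-%d digits" % UIN_MAX_LEN)
    if not (1 <= len(password) <= PASSWORD_MAX_LEN):
        errors.append("password must be 1-%d characters" % PASSWORD_MAX_LEN)
    # Non-printing characters in a password field are never legitimate input
    # from the official form; rejecting them also blocks the 'hidden ASCII'
    # trick mentioned elsewhere in the article.
    if any(not c.isprintable() for c in password):
        errors.append("password contains non-printable characters")
    return errors


def handle(body: str) -> Tuple[int, List[str]]:
    """Mimic a form handler: HTTP 400 with reasons on rejection, 200 otherwise."""
    errors = validate_update(parse_form(body))
    return (400, errors) if errors else (200, [])


# Constructed sample submissions: one from the official form, one from a
# rewritten form whose maxlength has been lifted.
OFFICIAL_FORM_POST = "uin=12345678&password=hunter2&nick=alice"
REWRITTEN_FORM_POST = "uin=12345678&password=" + "A" * 200 + "&nick=alice"

if __name__ == "__main__":
    print(handle(OFFICIAL_FORM_POST))
    print(handle(REWRITTEN_FORM_POST))
```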

We reckon the hack was pulled off using either this technique (which might be a bit old) or cracker programs like ICQr, but if you've a better theory let us know.

So who's the culprit?

We're far from sure on this one, but a discussion on the forum 8thwonder-net contains a boast from a cracker called de@throw that he/she was behind the hack. This may or may not be true - no proof was given and the page in question has since been pulled.

Whatever the methods used in ICQ cracking, it's certainly a common problem. Users with hacked accounts are often asked to re-register, but we think this is not good enough.

With newer versions of ICQ your contact list gets stored on its server and can be retrieved at any computer with ICQ and the correct password. So if the accounts have been cracked, somebody could harvest this potentially sensitive information.

Since ICQ is widely used (with 122 million users according to ICQ Inc, an AOL Time Warner-owned subsidiary) the existence of numerous cracking utilities is something which needs to be guarded against. ®

Related stories

Mass ICQ 'hack' baffles world+dog
AOL ICQ in hacker risk alert
