ICQ hack theories flood into Vulture Central

Walking on deathrow


Our recent story about a possible mass hack of ICQ inspired many of you to turn sleuth.

To recap, a Reg reader discovered that both of his accounts had suddenly become disconnected and the passwords no longer worked. The email addresses for both accounts, which were divided between MacOS machines and Windows machines, were changed to 'uin@deathrow.com'.

A search of the AOL Mirabilis ICQ whitepages reveals hundreds of accounts all with this address (registered in countries such as China and Egypt). We began to suspect a mass hack.

(Since we wrote our original story, nearly all the 'hacked' ICQ accounts have been de-activated, according to our latest search of ICQ whitepages).

AOL was unable to shed much light, and more than two weeks later, is still to get back to us on its attempts to root out a cause for the problem. Likewise, security experts we quizzed were unsure about what was going on.

Reg readers have weighed in with sundry theories. We'll kick off proceedings with the ones we were immediately able to discount - but which nonetheless illustrate script kiddie tricks of which users should be wary.

Spoof goes your ICQ account

First up is a spoofed email which is doing the rounds. Purporting to come from ICQ's support staff, it tries to trick the gullible into divulging their account names and passwords, which they are induced to enter into a script kiddie-friendly HTML form.

If you receive an email like the one below simply delete it.

From: support@icq.com
Sent: xx February 2002 xx:xx
To: gulliable@whatever.com
Subject: Important Notice about keeping your ICQ account active.

Dear ICQ user,

The ICQ Inc. is refreshing its databases to delete the inactive accounts. Please fill in your ICQ# and your Password and then submit this form by clicking the send button. This is everything that you have to do to keep your account active. Don't reply to this mail. After your submission you will be forwarded to our homepage and will be able to read the latest news about ICQ Inc. Unless you confirm us that you are using your ICQ legally by filling the empty spaces, you won't be able to use your ICQ account after our refreshing is over.

With best regards ICQ Inc.


Password :

Doubtless this works on some people (AOL warns users of such messages, which it NEVER sends itself), but we're able to discount this as a complete explanation of this particular hack because we're quite sure our original source didn't fall for it.

Cock-up not conspiracy

Next up, we have the theory that AOL's database administrator(s) messed up an SQL statement which updated everyone's email accounts so that they were the same address. This is an easy enough mistake to make, but we don't buy it, much as we incline towards the cock-up rather than conspiracy theory of history.

It's all Microsoft's fault

This takes us to the popular theory that the user's ICQ account was hacked after first compromising the user's Web-based email accounts, such as Hotmail or Yahoo!

Crackers gain use of a Hotmail mailbox connected to an ICQ account (perhaps by re-registering an inactive account) before telling AOL that they've forgotten their ICQ password. A password is then sent to the compromised Web mail account and voila!, the script kiddies have access to your account.

Once this happens it's very hard to get your account back, and we understand also that it's difficult to get AOL to change the default email address to which such sensitive information is sent.

This is a plausible scenario, to be sure, but it fails to explain why many ICQ accounts NOT associated with Web mail addresses got reamed.

War scripting

Moving on, there's the idea that someone has written a script to scan accounts for common passwords (remember to make this harder by using non-alpha-numerical characters in your password). They then change the password - inserting hidden ASCII characters - so even if you successfully request a password back you'll fail to type in the right phrase. This is possible, but seems far too laborious for application in mass hacking.

ICQ accounts sent to deathrow

Numerous Web sites exist which contain tools and utilities for ICQ hacking, and there appears to be a competition going on to compromise as many ICQ numbers as possible. This explains the motive for the attacks and also takes us closer to an explanation of the probable method used.

A script published by Russian crackers uses a buffer overflow glitch in ICQ: it is a rewritten ICQ White Pages form that makes it possible to change other people's ICQ details in White Pages.

The form sends a UIN and a 'password' to web.icq.com. The 'password' is longer than eight characters but gets through anyway because of the buffer overflow glitch. The standard (official) ICQ form has an 8-symbol limit, but the hackers rewrote that form to lift the limit (changing maxlength="8" to maxlength="10000"). The limit only ever lived in the browser; the server accepted whatever was submitted.
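As an added illustration of the point above (this is not code from the Register, ICQ or the crackers' script; the form markup, field names and 8/10-byte server limits are constructed assumptions), the snippet below reads the maxlength attributes out of an official-looking form and its rewritten copy, then shows that only a server-side check stops the oversized 'password':

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed stand-in for the official White Pages form and the crackers' rewritten copy.
OFFICIAL_FORM = ('<form action="/whitepages" method="post">'
                 '<input name="uin" maxlength="10">'
                 '<input name="password" maxlength="8"></form>')
REWRITTEN_FORM = OFFICIAL_FORM.replace('maxlength="8"', 'maxlength="10000"')

# Assumed limits enforced on the server itself, independent of any form the client sends.
SERVER_LIMITS = {"uin": 10, "password": 8}


class MaxLengthScanner(HTMLParser):
    """Collect maxlength attributes from <input> tags: these exist only in the browser."""

    def __init__(self):
        super().__init__()
        self.limits = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if "name" in a and "maxlength" in a:
                self.limits[a["name"]] = int(a["maxlength"])


def form_limits(html_src):
    """Return {field: maxlength} as declared in the markup (advisory only)."""
    scanner = MaxLengthScanner()
    scanner.feed(html_src)
    return scanner.limits


def validate_submission(body):
    """Server-side check of a urlencoded POST body; returns (accepted, reason)."""
    fields = parse_qs(body, keep_blank_values=True)
    for name, limit in SERVER_LIMITS.items():
        values = fields.get(name, [])
        if len(values) != 1:
            return False, f"{name}: missing or repeated field"
        size = len(values[0].encode("utf-8"))  # bytes, not characters, is what a buffer holds
        if size > limit:
            return False, f"{name}: {size} bytes exceeds server limit of {limit}"
    if not fields["uin"][0].isdigit():
        return False, "uin: must be numeric"
    return True, "ok"
```

A request built from the rewritten form carries a 10000-byte 'password'; the only thing that rejects it is the server-side length check, never the maxlength attribute.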

We reckon the hack was pulled off using either this technique (which might be a bit old) or cracker programs like ICQr, but if you've a better theory let us know.

So who's the culprit?

We're far from sure on this one but a discussion on the forum 8thwonder-net contains a boast from a cracker called de@throw that he/she was behind the hack. This may, or may not be true - no proof was given and the page in question has since been pulled.

Whatever the methods used in ICQ cracking, it's certainly a common problem. Users with hacked accounts are often asked to re-register, but we think this is not good enough.

With newer versions of ICQ your contact list gets stored on its server and can be retrieved at any computer with ICQ and the correct password. So if the accounts have been cracked, somebody could harvest this potentially sensitive information.

Since ICQ is widely used (with 122 million users according to ICQ Inc, an AOL Time Warner-owned subsidiary) the existence of numerous cracking utilities is something which needs to be guarded against. ®

Related stories

Mass ICQ 'hack' baffles world+dog
AOL ICQ in hacker risk alert
