Exploring War Like Worlds.

DDO: Danger Will Robinson

Posted on: April 14, 2010

Check out the DDO forums for risks before viewing the DDO offer page.

I am posting this below in case it is removed (however, I am not including the links).

By simply VIEWING THE OFFER WALL, Turbine is passing them information about you! (DANGER WILL ROBINSON!)

1) Network traffic monitoring has indicated that by simply looking at the offer wall, Turbine sends the email address tied to your account as well as your DDO login account name UNENCRYPTED to the offer provider. Unfortunately, this is legal, but it could also lead to your DDO account being compromised.

2) I did the HTTP sniffing myself to confirm this and posted the results here: http://forums.ddo.com/showthread.php?t=242982

3) We have confirmation that SuperRewards (or an affiliate of theirs) is actively using this pre-passed information to send World of Warcraft account phishing scams. The contents of that email are in the link above.

If they ask you to install software, please be aware of what it does: (DANGER WILL ROBINSON!)

1) Harvests your browsing history and browser cookies to gather information about you, your online purchasing history, what sites you go to, etc. Be aware a site can store anything they want to in a cookie, and the software you install will have free rein to crack open those cookies to take a peek. And yes, there is potential for a poorly written site you purchased something from to store stuff like credit card information in a cookie, and yes, the spammers will be able to extract that CC number.

2) Scans/reads your email if you run a local email tool (Outlook, Thunderbird, etc). It can, it will, so don’t be surprised. Credit card numbers, social security numbers, anything you’ve ever put in an email is now fair game.

3) Before you’ve even installed the software, you’ve already agreed to let them sell and resell the information in any way shape or form without any restrictions. All the information collected is sold at a market value. Note, a social security number with matching address is worth about $5 to most of these guys. An active credit card number with address is worth about $15-20 depending on your spending limits and how long it goes unnoticed.

If they ask you to send a text message: (DANGER WILL ROBINSON!)

1) If you send that message, expect a charge on your next cell phone statement. This is how they make money, how they are able to pay Turbine, and how Turbine is able to give you free Turbine Points. You thought you sent a text, but you really just sent them $10. This scam is well known to be used by SuperRewards (information here – credit to Code).

2) Be forewarned that cell phone providers do not require you to confirm that you want to accept a monthly charge on your cell phone. Simply sending a text message to the correct number is implicit grounds for them to charge your cell phone EVERY MONTH with some bogus charge for no real services rendered.

3) Unless your mobile carrier happens to take pity on you, you WILL NOT be able to get out of past charges, though you can obviously cancel your “subscription”.

Please, if you value your privacy at all and don’t know exactly how the internals of all this stuff works, don’t do this. If you think you can outsmart these guys but don’t have any technical understanding of how this all works, you’re only fooling yourself and padding their wallets.

Further edits: to give you information on what is going on and how they’re making money.

From Massively, the latest news from Turbine:

Update: Turbine has since added an update post to their forums, giving further information about the program. The Offer Wall has been temporarily removed while Turbine investigates player concerns over email and username security.

If you checked the offer wall before this, I would advise scanning your PC for spyware or viruses and being very careful about what emails you open.
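
The check described in points 1 and 2 of the quoted forum post (finding your own email address and account name in traffic sent to a third party) can be scripted over a capture of your own browser's requests. This is an added example, not part of the original post or the forum thread; the host names, parameter names and identifiers are constructed, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample data: your own identifiers and a capture of your own
# browser's requests as (url, body) pairs. Hosts and parameters are invented.
IDENTIFIERS = ["player@example.org", "PlayerOne"]
FIRST_PARTY = ["game.example.com"]
SAMPLE_REQUESTS = [
    ("http://offers.example.net/wall?uid=PlayerOne&email=player%40example.org", ""),
    ("https://game.example.com/account?email=player%40example.org", ""),
    ("https://cdn.example.net/lib.js", ""),
    ("https://tracker.example.net/p",
     "d=" + base64.b64encode(b"player@example.org").decode()),
]

def find_identifier_leaks(requests, identifiers, first_party):
    """Return (host, identifier, encoding, encrypted) for each third-party
    request whose URL or body carries one of the identifiers."""
    findings = []
    for url, body in requests:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in first_party):
            continue  # the operator of the account already holds these values
        wire = parts.path + "?" + parts.query + "\n" + body
        plain_text = unquote_plus(wire).lower()   # case-insensitive plain match
        exact_text = unquote(wire)                # keeps '+' for base64 match
        for ident in identifiers:
            b64 = base64.b64encode(ident.encode()).decode().rstrip("=")
            if ident.lower() in plain_text:
                findings.append((host, ident, "plain", parts.scheme == "https"))
            elif b64 in exact_text:
                findings.append((host, ident, "base64", parts.scheme == "https"))
    return findings

def cleartext_leaks(findings):
    """Findings sent without TLS, readable by anyone on the network path."""
    return [f for f in findings if not f[3]]

if __name__ == "__main__":
    for host, ident, enc, tls in find_identifier_leaks(
            SAMPLE_REQUESTS, IDENTIFIERS, FIRST_PARTY):
        print(f"{host}: {ident} ({enc}, {'TLS' if tls else 'CLEARTEXT'})")
```

Findings flagged as cleartext match the situation the forum post describes; findings over TLS are hidden from the network path but still reach the third party.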


