Small Wars Journal

Gnosticplayers: A Tale of Hacking Mobile Apps and Profit

Sat, 11/14/2020 - 6:31pm


Joshua Courter

 

In the summer of 2019, the login information of over 170 million accounts associated with the mobile game developer Zynga was stolen. For those unfamiliar, Zynga is one of the largest mobile game development studios, responsible for titles such as Draw Something and Words with Friends. In September of 2019, Zynga admitted that the information of over 170 million accounts, registered mainly with those games, had been stolen. The hacker steals the information and sells the accounts and info on the deep web. The hack resulted in a revenue loss for Zynga and a class action lawsuit against the company by those who had their data stolen. (Khandelwal, 2019)(Zynga, 2019)

The Origin of the Hack

The hack was committed by an anonymous hacker who goes by the name of Gnosticplayers. After Zynga held a press conference in September 2019, Gnosticplayers contacted the popular hacker magazine The Hacker News. He informed the publication that he began the breach by hacking Words with Friends. Anyone who had downloaded and registered for the game before September 2, 2019, had their information stolen. (Lyons, 2019)

Type of Hack and How a Computer Was Used

The type of hack isn't ransomware or malware; it's a more traditional form of information stealing known as cyber-trespassing and theft (Holt, Bossler, & Seigfried-Spellar, Technology and Cybercrime, 2018), a common type of hacking that has existed since at least the 1990s. Hackers steal account information from popular websites and services. They then take this personal info and sell it on an illegal marketplace on the deep web. Gnosticplayers told The Hacker News that they had access to the names, email addresses, login IDs, phone numbers, Facebook IDs (if connected) and Zynga account IDs of over 170 million users. Details of how the hack was conducted were not provided. However, the hacker has to use a computer to steal the data, store it and access the dark web. A computer was likely used to breach the servers and upload the data to the dark web. Though we lack details, a computer was instrumental, as it was the primary tool used. (Hern, 2019)

How the Hack Was Exploited

Neither Zynga nor Gnosticplayers has given any details on how the hack was performed. This isn't Gnosticplayers' first time stealing account information from mobile and online games. In early 2019, he stole the information of over 620 million users of various websites. Because the hack was a data breach, Gnosticplayers likely exploited outdated or older software. From there, he was able to steal the account information, store it on his computers and upload it to an illegal marketplace on the deep web. According to The Hacker News, Gnosticplayers is from Pakistan, making it harder for US law enforcement to catch him.

The other exciting thing about stolen account attacks is that it usually takes companies a few days to a few weeks to even realize they were hacked on a massive scale. It also takes companies a hefty amount of time to make the fact that they were hacked public. Even after they do, many users are lazy and have a "well, my account wasn't hacked" mentality, so they won't change their passwords. This means that if the accounts are sold quickly enough, the buyers can take possession of them and change the passwords.

The Actors and Sophistication

The actor behind the attack is a hacker who refers to himself as Gnosticplayers. (Troia, 2020) According to The Hacker News, Gnosticplayers claims to be Pakistani. He seems to operate alone and is motivated by profit on the dark web. The consensus on how sophisticated the crime was is still up in the air, as few details about its sophistication have been released. The crime could be as complex as cracking passwords, exploiting weak code, or developing hacking software. It could be as simple as using social engineering to steal passwords to access the account information. I do believe, based on the large number of accounts stolen, that a level of complexity was utilized.

Gnosticplayers might be one user, but law enforcement and hacker media have theorized that it may be more than one person.

The most interesting thing about Gnosticplayers is that, unlike most criminals who wish to remain anonymous, he boasts to the media after he commits his cybercrimes, almost as if he is an online version of Son of Sam. The reasons for doing this are not only to gain notoriety but also to attract buyers on the deep web. (Khandelwal, Round 4 — Hacker Puts 26 Million New Accounts Up For Sale On Dark Web, 2019)

The Motive: Why People Purchase Stolen Accounts

We know the motive for Gnosticplayers is to profit from selling the stolen accounts. But why does his market exist? When these accounts are stolen, they are sold on an illegal marketplace for an average of $15 (usually in Bitcoin). (Smith, 2018)(Jareth, 2020)(Holt, 2016) The appeal of certain stolen accounts, such as bank account logins and Amazon and eBay accounts, is obvious, as people can make free purchases or steal bank account info. The appeal of buying Steam accounts is also evident, as people will download whatever games the account has for free. However, what would people want with a Words with Friends account?

This seems to be baffling. Currently, there is a trend of hackers stealing accounts for AAA video games such as Fortnite and selling them on the dark web. The reason people purchase these accounts is so they can have the items and achievements that are already unlocked. However, mobile games like Words with Friends, Draw Me, and others aren't exactly competitive games like Fortnite. There is nothing to unlock: no custom skins, no achievements, nothing. Words with Friends is literally Scrabble, so what would buyers want with these accounts? We weren't able to find a specific answer. My theory is that people are buying these accounts in order to launder money.

How Darknet Markets Work

During his previous hacks, Gnosticplayers would sell the stolen accounts on a darknet market known as Dream Market. Dream Market was shut down in April of 2019. It was a replacement for previous darknet marketplaces such as Silk Road, AlphaBay and Hansa. Websites like Dream Market allow users to buy and sell stolen accounts, passwords for websites, illegal drugs, stolen goods, counterfeit items, weapons and more. It's like eBay for criminals. The websites are usually hosted in foreign countries on Onion servers. Goods are purchased using cryptocurrencies, with Bitcoin being the de facto currency accepted at most markets.

Many more of these darknet markets exist, but they operate on a very underground level and are difficult to find. Because most of these markets operate in foreign countries, they are usually taken down by global task forces, which end up forcibly seizing the website. (Pagliery, 2013)(Darknet Markets, 2020)(Dark Web Link, 2020)

Lessons Learned?

The big lesson learned for Zynga is that, as one of the largest mobile developers, they have to be on top of their cybersecurity. Hundreds of millions of users from around the world have downloaded and installed their games. They cannot have weak security that can be exploited by a random hacker.

Conclusion

Gnosticplayers' 2019 hack of Zynga is part of a growing trend of large mobile and gaming hacks. Hackers are finding security weaknesses in mobile apps and gaming software. They are exploiting these weaknesses to steal information and selling it on the deep web for an illegal profit. These hacks are a form of cyber-trespassing and theft, as the hackers are trespassing in areas where they aren't supposed to be, such as data servers and game hosting servers. They do this in order to steal the account information and sell it on the deep web for a profit.

 

 

 

 

Works Cited

Dark Web Link. (2020, April 10). Top Darknet Markets List. Retrieved from Dark Web Link: https://darkweblink.com/top-darknet-markets-list/

Darknet Markets. (2020). Darknet Markets. Retrieved from Darknet Markets: https://darknetmarkets.org/

Hern, A. (2019, December 19). 170m passwords stolen in Zynga hack, monitor says. Retrieved from Guardian UK: https://www.theguardian.com/games/2019/dec/19/170m-passwords-stolen-in-zynga-words-with-friends-hack-monitor-says

Holt, T. (2016, June 22). Buying and selling hacked passwords: How does it work? Retrieved from The Conversation: https://theconversation.com/buying-and-selling-hacked-passwords-how-does-it-work-60894

Holt, T., Bossler, A., & Seigfried-Spellar, K. (2018). Technology and Cybercrime. In T. Holt, A. Bossler, & K. Seigfried-Spellar, Cybercrime and Digital Forensics: An Introduction (pp. 22-23). Oxon: Routledge.

Jareth. (2020, February 20). How do hackers make money from your stolen data? Retrieved from Emsisoft: https://blog.emsisoft.com/en/35541/how-do-hackers-make-money-from-your-stolen-data/

Khandelwal, S. (2019, September 29). Exclusive — Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data. Retrieved from The Hacker News: https://thehackernews.com/2019/09/zynga-game-hacking.html

Khandelwal, S. (2019, March 17). Round 4 — Hacker Puts 26 Million New Accounts Up For Sale On Dark Web. Retrieved from The Hacker News: https://thehackernews.com/2019/03/data-breach-security.html

Lyons, K. (2019, December 19). Zynga hack affected 170 million accounts. Retrieved from The Verge: https://www.theverge.com/2019/12/19/21029682/zynga-hack-words-with-friends-draw-something-password-data-breach

Pagliery, J. (2013, October 2). FBI shuts down online drug market Silk Road. Retrieved from CNN: https://money.cnn.com/2013/10/02/technology/silk-road-shut-down/index.html

Smith, S. V. (2018, February 22). Take A Peek Inside The Market For Stolen Usernames And Passwords. Retrieved from NPR: https://www.npr.org/2018/02/22/588069886/take-a-peek-inside-the-market-for-stolen-usernames-and-passwords

Troia, V. (2020, January 1). GnosticPlayers Part 1: An Overview of Hackers Nclay, DDB, and NSFW. Retrieved from Data Viper: https://www.dataviper.io/blog/2019/gnosticplayers-part-1-nclay-ddb-nsfw/

Zynga. (2019, September 12). Player Security Announcement. Retrieved from Zynga: https://investor.zynga.com/news-releases/news-release-details/player-security-announcement

 

 

 

About the Author(s)

Joshua Courter is a graduate student at the University of South Florida, where he is working to obtain his M.S. in Cybercrime. In 2010, he graduated from the University of South Florida with a B.A. in Criminology. He is also an experienced automotive journalist specializing in muscle cars and drag racing history. His work has been published in Street Muscle Magazine, Drag Zine and Offroad Xtreme Magazine.