Researchers at the Imperva Application Defense Center have uncovered a new hack attack which specifically targets teens using the popular Habbo Hotel virtual world cum social networking site. Since it launched in 2000, Habbo Hotel has gone on to see around 75,000 new avatars being registered daily, and with monthly visitor totals of around 8 million uniques you can see why it might present an attractive target for hackers looking to spread malware or spam to a 'trusted' circle of friends via compromised accounts.
According to Imperva ADC it was pretty easy to do the detective work that uncovered the Habbo Hotel attack. First, researchers searched the T35 hosting site, which is favoured by certain hackers as it allows for PHP execution as well as providing sufficient free space for their nefarious purposes, using a simple filetype search for passwords stored as plain text at t35.com.
This revealed a site, the URL of which I will not repeat here as it appears to still be up and running, containing a directory listing of thousands of Habbo Hotel users with data such as username, password, birthdate, email and snail mail details of both the user and their parents.
A little further digging found the alleged hacker behind the listing, openly bragging online about how the data was obtained courtesy of some simple phishing. Imperva says that the hacker had a Habbo account by the name of chewingbum before being banned there, and T35 also had a hosted site (since taken down) with the same name which acted as a phishing site for Habbo in the UK by tempting "the very young and innocent" to "give away their credentials for a promise of some game prizes".
Could it be that the people you might expect to be the savviest when it comes to online security, that is the generation that has known nothing other than a totally connected world and for whom social networking and virtual worlds are second nature, are actually more vulnerable to social engineering than you might think?
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best-selling IT magazine in the UK.