Another note on site security, your security, and a malware email doing the rounds

Recently we've been the target of some attacks on the site that date back to March of this year. To begin with, a user was uploading a virus to the sites masquerading as other popular files. The virus was being used to gain infected users' stored usernames and passwords for the site, which were then being used to log in to their Nexus accounts here and continue to upload more viruses. That stopped. Now recently we had a high profile breach of one of our staff accounts that allowed a user to replace some popular files here with viruses masquerading as the popular files, which is obviously more serious.

I'm now getting reports that users are being spammed by a mailer which is sending out fake notifications to update to the latest version of NMM with a download link that, quite obviously, points to a location that isn't anything to do with Nexus Mods. This email doesn't even come from a nexusmods.com email address (or any address in any way related to games!) and doesn't point to nexusmods in any way, shape or form. However, it does look convincing to people who haven't got their guard up and aren't checking the email headers to see where it's coming from or the link address itself (why would I send an email telling you to download a file from anywhere other than the Nexus Mods site!?).

Please don't get caught out by this pathetic attempt to gain access to your system. You should treat this email the same way you'd treat an email from a Nigerian prince, or the "Bank of America" telling you there's a problem with your account that needs to be fixed by opening a zip file, or the Swedish consort letting you know the latest penis enlargement instruments really do work...

I have not done a bulk email to members of the sites since 2007 when TESSource became TESNexus. I hate doing it because I know how annoying it is to get unsolicited emails from sites trying to pump their product in your face. What's actually more worrying for us is how your email addresses have been obtained, which is something we're looking into much more closely. If I felt we'd had a breach of our system then I would most definitely let you know (openness is obviously the best policy in these regards), however we've had no indication of that. What we cannot be certain of is a breach from before December of last year when we switched over to our new database system. Indeed, the newest account we've received a confirmation from on this topic is from April of 2013. We cannot verify that because we no longer have the original servers the databases were on. Obviously the most prudent course of action for you would be to change your password to be on the safe side.

We've had no one come forward to lay claim to these attacks directly, so we're going off the assumption this is someone who's targeting the Nexus simply because it has a large amount of members with an active userbase. What we do know is that this is a brand new virus that anti-virus firms are only just starting to recognise now. Whether it's been made specifically for us or not is unknown.

We're no strangers to being attacked. We receive DDoS attacks regularly, you just don't notice it because as our resources have increased so have our means to combat them. We're working with our suppliers to come under the net of a new £250,000 investment in anti-DDoS measures that will continue to help us, and others, combat against this internet threat. Our servers automatically block hundreds of IP addresses daily from people trying to gain unlawful access to the servers or doing things they shouldn't be. The fact we're now being targeted more regularly is simply testament to what we have going on here and the people who want to try and exploit it for their own means.

This isn't the first time this has happened to a gaming community, or even a modding community. I know that the folks over at Curse have had many issues with their Curse Client (Curse's version of NMM for World of Warcraft) being "faked". Only as recently as January another fake client surfaced that was used to steal users' World of Warcraft account details. In 2010 the scammers even went so far as to pay for Google advertising so that their fake Curse client would show before any other results. So we're not alone here. The only difference is this is the first time this has happened to NMM, and it's important you're vigilant.

We pay $500 a year to buy a unique code signing certificate from Verisign that we use to certify all the versions of NMM that we provide. You can see this certificate when you go to install NMM. Here, have a picture so you can see what screen it shows on:



As you can see, the installer is signed to "Black Tree Gaming Ltd.", the name of the company I set up to handle Nexus affairs. We sign every single new release of NMM for this exact reason: so you know it has come from us and only us. If your installer does not say this or if you download NMM at some point and it doesn't say this then that's bad. VERY BAD. And you should cancel what you're doing and do a full system scan.

We will only ever offer NMM from our download page on the main Nexus Mods site. We will not send it to you in an email attachment or link you to somewhere that isn't on the nexusmods.com domain. Even then you should remain vigilant and check for that certificate on the installer.
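
The two checks this post asks readers to make on the fake update email (does the sender address belong to nexusmods.com, and does every link stay on nexusmods.com) can be automated. The following is an added example, not code from Nexus Mods; the sample message and its `.example` hosts are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "nexusmods.com"  # per the post: the only place NMM is offered

# Constructed sample of a fake "update NMM" mail; the .example hosts are made up.
SAMPLE = """From: NMM Updates <noreply@mailer.example>
Subject: Update to the latest version of NMM
Content-Type: text/html; charset="utf-8"

<p>A new version of NMM is available.</p>
<a href="http://nexusmods.com.downloads.example/NMM-setup.exe">Download</a>
<a href="http://www.nexusmods.com/skyrim/mods/modmanager/">Mod page</a>
"""

def on_trusted_domain(host):
    """True only for nexusmods.com itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # keep the target of every anchor in the HTML body
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def review_message(raw):
    """Return a list of reasons the message breaks the rules in the post."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not on_trusted_domain(sender_host):
        findings.append(f"sender not on {TRUSTED_DOMAIN}: {sender_host or '(none)'}")
    for part in msg.walk():
        if part.get_filename():  # the post: NMM is never sent as an attachment
            findings.append(f"attachment: {part.get_filename()}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href in collector.hrefs:
                host = urlsplit(href).hostname
                if not on_trusted_domain(host):
                    findings.append(f"link leaves {TRUSTED_DOMAIN}: {host}")
    return findings
```

The `From` header can be forged, so an empty result does not prove a message is genuine; the signature on the installer remains the deciding check.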

As our work on the database stability issue comes to a close (thank god for that) we are going to be directing our attention on providing you, the user, with more tools to remain secure both when on your account and when downloading from the site.

Our login mechanism will soon be using SSL, a long overdue addition. We are looking into implementing two factor authentication on account logins similar to how Facebook and Steam Guard work; if you log in from a different location we'll send a unique code to your registered email address before you can log in. We're looking into implementing a new feature for the site that will let you explore the file structure of archives before you download them, which will not only help with spotting things that shouldn't be in the archive before you download but also help you work out whether a mod is actually compatible with NMM or not. We'll also implement a moderation system on files and archives that contain executables or other files that are potentially dangerous. If one gets uploaded, we (the staff) will have to approve it before it goes public on the sites. Lastly, we'll explore our options in regards to external virus scanners to see if there's a decent online API that can handle the number of uploads we'd need to make to their servers.

The fact we have to spend time on this sort of stuff when we'd rather be working on things that help make your modding experience better is obviously annoying, but it's also part and parcel of the world we live in. Your security is a high priority for me, as is keeping you up-to-date with the latest issues and ensuring you're informed about the times when we've let you down. It's important for me to take responsibility when we do slip up and to make sure that, while sometimes I might slip up, I will take that responsibility for it and do everything I can to get things right. At the end of the day, you guys trust me with your visits, your mods, and some of you even with your money, so your trust is very important to me. Your words of support and encouragement during these sorts of times only serve to compound what I already know about the community we belong to. It's flippin' good.

228 comments

Comments locked

A moderator has closed this comment topic for the time being
  1. Twilightsucks1000
    • member
    • 0 kudos
    If you don't mind me asking, is the smoke clear, err I mean is it safe to download mods again because I had to clean up my computer after the ordeal and I kinda lost my trust on Nexus and modding altogether. So I'd appreciate it if people would give a nice and honest answer from whoever is reading this..... Thanks for reading this and have a nice day.
    1. cylers
      • premium
      • 0 kudos
      they virus scanned EVERY single mod, and all new mods submitted MUST be scanned so yes, you're good, I believe they scan with about 50 different virus scanning companies (high profile ones at that) and security has been drastically improved, so yeah, you're in the clear, just be wary and don't rely wholly on others for your own security because we are only human and people will always find a way to breach security eventually
  2. showfeng01
    • member
    • 0 kudos
    Thank you for sharing!
  3. flyl05
    • premium
    • 5 kudos
    THANX-well you really brought some 'LIGHT' into this issue, and
    for all those hours you guys spend doing all the thinking
    and writing and...we appreciate very much--stay loose*
  4. mhhniangue
    • member
    • 0 kudos
    Do like this thread. All of you Admins are doing a good job
  5. maxine24610
    • premium
    • 0 kudos
    Thank you Dark0ne, it has been a hard trot for me to understand that people like you and your team have the same problems with business in a screwed up world. I need to thank you for your patience in helping with my problems and in return I will, when able, help your site flourish. Kind regards, maxine24610 (William R.)
  6. terranoxiic
    • member
    • 5 kudos
    Cool, thanks! #ThumbsUpToYou
  7. lucifertheson
    • member
    • 0 kudos
    guys guys guys, you should really change the download system back because the new one..SUCKS..I am sorry to say that but it sucks, it never works and when it works it takes so much time to download anything ((I don't want to spend an hour for a 7mb file)) I don't know why it was changed in the first place but it didn't change for the better at all. It is so painful to try and download any file, doesn't matter the size, it is just painful.
    1. lucifertheson
      • member
      • 0 kudos
      wrong place, moving it to the right forum
  8. ashleyclark
    • premium
    • 46 kudos
    Nevermind. Wrong place.
  9. bben46
    • premium
    • 781 kudos
    You can check any file from any site before downloading FREE. Here is a link for that.
    https://www.virustotal.com/
    Yes, it is safe. If you are suspicious of a file for any reason, use it.

    Easiest way to use it - copy the URL from the site (this is the stuff that appears in the address bar) such as this one - from Nexus mod manager http://www.nexusmods.com/skyrim/mods/modmanager/? - This is called the URL (Uniform Resource Locator) and is the actual internet address of the file.

    Click on the URL tab on the Virus total site - Then paste the URL that you copied into the example bar. Then click on the large "Scan it!" button underneath. It will run multiple scans on just that file and return a list of the scanners it used and what they found.

    This is not to be confused with the antivirus on your computer. It does not run in the background, it does not scan more than one file, and it also can NOT clean a virus - it is not meant for that. You do not have to download anything or register at the site. Virus total is never downloaded to your computer and only works from its own site.
  10. lonewolfsstuck
    • member
    • 0 kudos
    was just browsing around on the forums, found this.. worth reading.