• 11 June 2014 17:17:36

    Another note on site security, your security, and a malware email doing the rounds

    posted by Dark0ne Site News
    Recently we've been the target of some attacks on the site that date back to March of this year. To begin with, a user was uploading a virus to the sites masquerading as other popular files. The virus was being used to steal infected users' stored usernames and passwords for the site, which were then being used to log in to their Nexus accounts here and upload more viruses. That stopped. More recently we had a high-profile breach of one of our staff accounts that allowed a user to replace some popular files here with viruses masquerading as those files, which is obviously more serious.

    I'm now getting reports that users are being spammed by a mailer which is sending out fake notifications to update to the latest version of NMM with a download link that, quite obviously, points to a location that has nothing to do with Nexus Mods. This email doesn't even come from a Nexus Mods email address (or any address in any way related to games!) and doesn't point to nexusmods in any way, shape or form. However, it does look convincing to people who haven't got their guard up and aren't checking the email headers to see where it's coming from, or the link address itself (why would I send an email telling you to download a file from anywhere other than the Nexus Mods site!?). Please don't get caught out by this pathetic attempt to gain access to your system. You should treat this email the same way you'd treat an email from a Nigerian prince, or the "Bank of America" telling you there's a problem with your account that needs to be fixed by opening a zip file, or the Swedish consort letting you know the latest penis enlargement instruments really do work...
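    The two checks the post asks readers to make, reading the sender in the headers and reading where the link actually goes, can be automated for a mailbox or a help-desk triage queue. The script below is an added example, not the site's code: the trusted domain, the sample message, its sender address and its link host are all constructed placeholders (`.invalid` names, not real indicators).

```python
"""Screen a 'download the new NMM' notification against the two checks the
post recommends: where the mail really comes from, and where its links go.
Added example, not site code; the trusted domain and sample message are
constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only domain a genuine site notice would use.
TRUSTED_DOMAIN = "nexusmods.com"

# Constructed sample in the shape of the fake notification the post describes.
# Sender and link host are invented placeholders (.invalid TLD), not real IoCs.
SAMPLE_EMAIL = """\
From: "Nexus Mods Team" <updates@example-mailer.invalid>
To: user@example.org
Subject: Nexus Mod Manager update required
Content-Type: text/plain; charset=utf-8

A new version of NMM is available. Download it here:
http://nmm-update.example.invalid/NMM-0.50.exe
"""

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_matches(host, trusted):
    """True if host is exactly the trusted domain or a subdomain of it.
    A plain substring test would wrongly accept 'nexusmods.com.evil.invalid'."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def text_parts(msg):
    """Yield the decoded text of every text/* part (walk() also covers a single-part mail)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def check_notification(raw_mail, trusted=TRUSTED_DOMAIN):
    """Return the sender and link findings; 'suspicious' is True when either
    the From address or any link in the body points outside the trusted domain."""
    msg = message_from_string(raw_mail)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    sender_ok = domain_matches(sender_domain, trusted)

    links = [url for text in text_parts(msg) for url in LINK_RE.findall(text)]
    foreign_links = [u for u in links
                     if not domain_matches(urlparse(u).hostname or "", trusted)]

    return {
        "sender_domain": sender_domain,
        "sender_ok": sender_ok,
        # Display name borrows the site's name while the address does not belong to it.
        "display_name_spoof": ("nexus" in display_name.lower()) and not sender_ok,
        "links": links,
        "foreign_links": foreign_links,
        "suspicious": (not sender_ok) or bool(foreign_links),
    }


if __name__ == "__main__":
    for key, value in check_notification(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

    Passing these checks is necessary, not sufficient: the post says the site never sends NMM by email at all, and that the installer's signature should be checked even when the download comes from the right place, so a message that clears this filter still deserves the same scepticism.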

    I have not done a bulk email to members of the sites since 2007 when TESSource became TESNexus. I hate doing it because I know how annoying it is to get unsolicited emails from sites trying to pump their product in your face. What's actually more worrying for us is how your email addresses have been obtained, which is something we're looking into much more closely. If I felt we'd had a breach of our system then I would most definitely let you know (openness is obviously the best policy in these regards); however, we've had no indication of that. What we cannot be certain of is a breach from before December of last year when we switched over to our new database system. Indeed, the newest account we've received a confirmation from on this topic is from April of 2013. We cannot verify that because we no longer have the original servers the databases were on. Obviously the most prudent course of action for you would be to change your password to be on the safe side.

    We've had no one come forward to lay claim to these attacks directly, so we're going on the assumption that this is someone who's targeting the Nexus simply because it has a large number of members and an active userbase. What we do know is that this is a brand new virus that anti-virus firms are only just starting to recognise now. Whether it's been made specifically for us or not is unknown.

    We're no strangers to being attacked. We receive DDoS attacks regularly; you just don't notice because as our resources have increased, so have our means to combat them. We're working with our suppliers to come under the net of a new £250,000 investment in anti-DDoS measures that will continue to help us, and others, combat this internet threat. Our servers automatically block hundreds of IP addresses daily from people trying to gain unlawful access to the servers or doing things they shouldn't be. The fact we're now being targeted more regularly is simply testament to what we have going on here and the people who want to try and exploit it for their own ends.

    This isn't the first time this has happened to a gaming community, or even a modding community. I know that the folks over at Curse have had many issues with their Curse Client (Curse's version of NMM for World of Warcraft) being "faked". As recently as January another fake client surfaced that was used to steal users' World of Warcraft account details. In 2010 the scammers even went so far as to pay for Google advertising so that their fake Curse client would show before any other results. So we're not alone here. The only difference is this is the first time this has happened to NMM, and it's important you're vigilant.

    We pay $500 a year to buy a unique code signing certificate from Verisign that we use to certify all the versions of NMM that we provide. You can see this certificate when you go to install NMM. Here, have a picture so you can see what screen it shows on:

    As you can see, the installer is signed to "Black Tree Gaming Ltd.", the name of the company I set up to handle Nexus affairs. We sign every single new release of NMM for this exact reason: so you know it has come from us and only us. If your installer does not say this, or if you download NMM at some point and it doesn't say this, then that's bad. VERY BAD. You should cancel what you're doing and do a full system scan.

    We will only ever offer NMM from our download page on the main Nexus Mods site. We will not send it to you in an email attachment or link you to somewhere that isn't on the Nexus Mods domain. Even then you should remain vigilant and check for that certificate on the installer.

    As our work on the database stability issue comes to a close (thank god for that) we are going to be directing our attention to providing you, the user, with more tools to remain secure, both when on your account and when downloading from the site.

    Our login mechanism will soon be using SSL, a long-overdue addition. We are looking into implementing two-factor authentication on account logins similar to how Facebook and Steam Guard work: if you log in from a different location we'll send a unique code to your registered email address before you can log in. We're looking into implementing a new feature for the site that will let you explore the file structure of archives before you download them, which will not only help with spotting things that shouldn't be in the archive before you download, but also help you work out whether a mod is actually compatible with NMM or not. We'll also implement a moderation system on files and archives that contain executables or other files that are potentially dangerous. If one gets uploaded, we (the staff) will have to approve it before it goes public on the sites. Lastly, we'll explore our options in regards to external virus scanners to see if there's a decent online API that can handle the number of uploads we'd need to make to their servers.
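    The new-location login flow described above, as an added example rather than the site's own implementation. It assumes a design the post does not spell out: "location" is approximated by the client's IPv4 /24 network, the password has already been verified by the caller, and the emailed code is six digits, single-use, expires after ten minutes and is discarded after five wrong guesses. The mail sender and clock are injected so the flow can be exercised offline.

```python
"""Login gate modelled on the flow the post sketches: a login from a location
the account has not been seen from before is held until a single-use code,
sent to the registered e-mail address, is entered. Added example, not the
site's implementation. Assumptions: 'location' is the client's IPv4 /24
network, codes are six digits, expire after ten minutes and are discarded
after five wrong guesses."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class Account:
    email: str
    known_networks: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # network -> [code, expiry, attempts]


def network_of(ip):
    """Coarse location key: the /24 containing a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class LoginGate:
    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email  # callable(address, text); injected so tests can capture mail
        self.clock = clock            # injected so expiry can be tested deterministically

    def attempt_login(self, account, ip):
        """Password already verified by the caller; decide whether a code is needed."""
        net = network_of(ip)
        if net in account.known_networks:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, not random.randint
        account.pending[net] = [code, self.clock() + CODE_TTL_SECONDS, 0]
        self.send_email(account.email, f"Your one-time login code is {code}")
        return "code_required"

    def confirm_code(self, account, ip, submitted):
        """Consume the pending code for this network; on success remember the network."""
        net = network_of(ip)
        entry = account.pending.get(net)
        if entry is None:
            return False
        code, expiry, attempts = entry
        if self.clock() > expiry:
            del account.pending[net]                  # expired: a fresh login is needed
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):  # constant-time compare
            entry[2] = attempts + 1
            if entry[2] >= MAX_ATTEMPTS:
                del account.pending[net]              # too many guesses: force a fresh code
            return False
        del account.pending[net]                      # single use
        account.known_networks.add(net)
        return True


if __name__ == "__main__":
    outbox = []
    gate = LoginGate(send_email=lambda addr, text: outbox.append((addr, text)))
    acct = Account(email="user@example.org", known_networks={"203.0.113.0/24"})
    print(gate.attempt_login(acct, "203.0.113.7"))   # known network
    print(gate.attempt_login(acct, "198.51.100.9"))  # new network: code goes to the outbox
    print(gate.confirm_code(acct, "198.51.100.9", outbox[-1][1].split()[-1]))
```

    The guess limit and expiry matter because a six-digit code that can be retried indefinitely is brute-forceable; the constant-time comparison avoids leaking how many leading digits matched.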
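    The archive-inspection and executable-moderation ideas above come down to one step on the server: list what is inside an uploaded archive and hold anything that needs a human look. The script below is an added example, not the site's code; the extension list is an assumed policy, the sample archives are built in memory for illustration, and the traversal check is included because a member named `../something` is the other thing a file listing should catch before anyone extracts it.

```python
"""List an uploaded zip and decide whether it must wait for staff approval.
Added example, not the site's code. Assumed policy: any member with an
executable-type extension, or a path that escapes the archive root, holds
the upload for moderation."""
import io
import posixpath
import zipfile
from typing import Optional

# Assumption: extensions the staff want to review by hand before publication.
REVIEW_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".com",
                     ".msi", ".ps1", ".vbs", ".js", ".jar"}


def list_archive(data: bytes):
    """Return the member paths of a zip held in memory (directories skipped)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def flag_member(name: str) -> Optional[str]:
    """Return a reason string if this member should be held, else None."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    # Entries that would land outside the extraction directory.
    if norm.startswith("/") or norm.split("/")[0] == ".." or (len(name) > 1 and name[1] == ":"):
        return "path escapes archive root"
    # Windows drops trailing dots/spaces, so 'setup.exe ' would still run as .exe.
    ext = posixpath.splitext(norm.rstrip(" ."))[1].lower()
    if ext in REVIEW_EXTENSIONS:
        return f"executable content ({ext})"
    return None


def triage_upload(data: bytes) -> dict:
    """Manifest plus the (member, reason) pairs that require approval."""
    members = list_archive(data)
    held = []
    for member in members:
        reason = flag_member(member)
        if reason:
            held.append((member, reason))
    return {"members": members, "held": held, "needs_approval": bool(held)}


def build_sample(entries: dict) -> bytes:
    """Construct a zip in memory from {path: content}; sample data for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an ordinary mod archive, and one carrying an executable
# plus a traversal entry. Contents are dummy bytes.
CLEAN_MOD = build_sample({
    "Data/meshes/sword.nif": b"nif",
    "Data/textures/sword.dds": b"dds",
    "readme.txt": b"install with NMM",
})
SUSPECT_MOD = build_sample({
    "Data/meshes/sword.nif": b"nif",
    "Data/NMM-update.exe": b"MZ",
    "../Data/hook.dll": b"MZ",
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_MOD), ("suspect", SUSPECT_MOD)):
        print(label, triage_upload(blob))
```

    The listing only reads the central directory, so nothing is extracted or executed during triage; the held pairs are what a moderation queue would show to staff, and the same manifest is what the planned "explore the archive before you download" view would present to users.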

    The fact we have to spend time on this sort of stuff when we'd rather be working on things that help make your modding experience better is obviously annoying, but it's also part and parcel of the world we live in. Your security is a high priority for me, as is keeping you up-to-date with the latest issues and ensuring you're informed about the times when we've let you down. It's important for me to take responsibility when we do slip up and to make sure that, while sometimes I might slip up, I will take that responsibility for it and do everything I can to get things right. At the end of the day, you guys trust me with your visits, your mods, and some of you even with your money, so your trust is very important to me. Your words of support and encouragement during these sorts of times only serve to compound what I already know about the community we belong to. It's flippin' good.
