
I’m sure some of you may think this is the notification of someone hitting the jackpot on a somerblink lottery. The Somerblink site was hit. Like a bank heist. Like Swordfish, without the blowjobs, random typing. Without “sliding in a trojan horse hiding a worm” and other random nonsensical Hollywood haxor phrases and flashy splash screens. Hacking looks more like… snore (this wasn’t the exploit used to access Somer Blink though). Pretty much the same kind of stuff that attracts all of us spreadsheet loving nerds to this terrible, awful, internet spaceship game which is why it seems to happen frequently in this community.

TL;DR – Somerblink’s admin account was accessed by a member of the Eve community through an exploit that has now been fixed.

As you likely see, on the right side of the page right now, Somer is one of our advertisers. So… blah blah blah, disclosing conflicts of interest. Blah blah. So, we waited for the exploit to be addressed before announcing “this is how you break into the website and steal all the iskies!” Plus, we have a modicum of ethics.

Player 1: Somerblink, as you probably already know, is a lottery site for in-game Eve stuff. At any given time, they have… a ton of isk on hand. Not to mention vast quantities of other assets. An extremely juicy target for nefarious types… which is pretty much the vast majority of Eve Online players.

Player 2: Project Nemesis. They’ve done stuff. Stolen things in game. Scams. Various other things which are encouraged in Eve.

The Heist: Normally, you don’t start a story about a robbery with what was taken. In this case, it was just the beginning of what went down. Basically, a member of Project Nemesis was looking through the code of the Somerblink website and noticed what was referred to as a “glaringly large vulnerability” in the way it determined who was logged in as you browsed the site. Seeing this as an easy way to make some isk, they REDACTED, which allowed them to access the site as the administrator. For quite a while, the only thing they did was siphon off isk. Changing the corp name that popped up when someone wanted to deposit isk, diverting the funds to a fake that looked legitimate. A couple hundred million here, a billion there. Small enough to be written off as a margin of error. Of course, no spreadsheet nerd would be content with just ripping someone off. They started digging into the operation to see how it ran.

The Twist: They claim to have found shill accounts on the site. Not a huge deal. People on eBay do it all the time, even though they aren’t supposed to. Stand-up comedians do it. A little extra momentum to keep the crowd moving in the right direction. Makes things look a little more desirable than they already are. Since the shills don’t have to actually pay out, they were sitting on ridiculous piles of deposit. Hundreds of billions of fake isk. A shill only really helps to drive traffic though. Not a huge deal.

The Scam: However, adjusted odds are a big deal. The unauthorized individual claims every account on Somerblink has what looked like an unused Boolean in the database: a simple switch that seemed to always be set to false. They claim that the few accounts with over-the-top isk on deposit had this Boolean set to true. Comparing the win rate of ordinary high-end players (flag false) against that of the select few with the flag true showed a statistical difference of more than two standard deviations. If true, it was a huge find. Giving a shill better than normal odds is a straight-out scam. It means the house has tipped the odds far beyond what they are advertised as being.
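The comparison described above (win rate of flagged accounts versus unflagged ones, measured in standard deviations) is a standard two-proportion z-test. The script below is an added example, not code from the article or from Blink; the account tallies, the flag values and the win rates are all constructed to illustrate the method, and it generalises the article's one comparison into a function that can be run on any such table.

```python
import math

# Constructed sample, not data from the page or from Blink: per-account tallies
# of lotteries entered and won, plus the value of the hypothetical "unused
# Boolean" column the article describes.  Every number here is made up.
ACCOUNTS = [
    {"name": "whale_1", "flag": False, "entries": 1000, "wins": 98},
    {"name": "whale_2", "flag": False, "entries": 1000, "wins": 104},
    {"name": "whale_3", "flag": False, "entries": 1000, "wins": 95},
    {"name": "whale_4", "flag": False, "entries": 1000, "wins": 101},
    {"name": "whale_5", "flag": False, "entries": 1000, "wins": 102},
    {"name": "shill_1", "flag": True,  "entries": 800,  "wins": 116},
    {"name": "shill_2", "flag": True,  "entries": 900,  "wins": 130},
]

# Control set (also constructed): flagged accounts winning at the same rate as
# everyone else, so the test should report nothing unusual.
FAIR_ACCOUNTS = ACCOUNTS[:5] + [
    {"name": "flag_a", "flag": True, "entries": 800, "wins": 84},
    {"name": "flag_b", "flag": True, "entries": 900, "wins": 92},
]


def pooled_rate(accounts, flag):
    """Total wins and entries for all accounts whose flag equals `flag`."""
    wins = sum(a["wins"] for a in accounts if a["flag"] == flag)
    entries = sum(a["entries"] for a in accounts if a["flag"] == flag)
    return wins, entries


def two_proportion_z(w1, n1, w2, n2):
    """z statistic under H0 'both groups share one win rate', pooled standard error."""
    p1, p2 = w1 / n1, w2 / n2
    p = (w1 + w2) / (n1 + n2)
    se = math.sqrt(p * (1 - p) * (1 / n1 + 1 / n2))
    return (p2 - p1) / se


def flagged_edge(accounts, threshold=2.0):
    """Compare the win rate of flag=True accounts with flag=False accounts.

    Returns both observed rates, the z score (gap measured in standard errors)
    and whether it clears `threshold`, the article's "two standard deviations".
    """
    w0, n0 = pooled_rate(accounts, False)
    w1, n1 = pooled_rate(accounts, True)
    z = two_proportion_z(w0, n0, w1, n1)
    return {
        "rate_false": w0 / n0,
        "rate_true": w1 / n1,
        "z": z,
        "suspicious": z > threshold,
    }


if __name__ == "__main__":
    for label, table in (("rigged sample", ACCOUNTS), ("fair sample", FAIR_ACCOUNTS)):
        r = flagged_edge(table)
        print(f"{label}: flag=False {r['rate_false']:.3f}, flag=True {r['rate_true']:.3f}, "
              f"z = {r['z']:.2f}, suspicious = {r['suspicious']}")
```

One caveat a real audit would need: the test above treats every lottery entry as an equal chance, which only holds if both groups buy similar fractions of the tickets. As one commenter notes further down, a player who buys half the tickets is expected to win far more often, so the entries and wins should be weighted by ticket share before the comparison means anything.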

The Epilogue: Despite all this, this is a gambling site. You know the odds are against you. Unlike a slot machine, the presumptive odds are right there on display for you. If there are shills, as claimed, then the odds are murkier but still clearly in favor of the house. I could preach about the odds to people who gamble until my face turns blue. It isn’t going to stop them from buying another Power Ball with 1:175m odds (currently). It likely will not change your playing behavior on somerblink either. Whatever you do, have fun. I will stick to games like undocking and poker though, where I have some control over the odds.

Bagehi

47 Comments

  1. Anom

    Fairly sure that hacking into someone's website to steal isk isn't encouraged by CCP. It is only scamming and stealing with in game mechanics that has ever been allowed.

    August 15, 2012 at 9:45 pm Reply
    1. Bagehi

      Agreed.

      August 15, 2012 at 9:55 pm Reply
    2. Testagram

      Yes but by using shill accounts with higher win chance BY DESIGN and then not advertising the fact SomerBlink are in effect running a classic fairground scam.

      I am not justifying the hacking but there was a disclosure a few months ago claiming that Somer was running a scam, everyone and their dog screamed it down. Guess what, they were telling the truth.

      August 15, 2012 at 9:58 pm Reply
      1. Anom

        Oh I totally agree.

        August 15, 2012 at 10:42 pm Reply
      2. I'm actually surprised that there are people who actually thought that this wasn't a scam. I mean what big money making scheme has Eve had that hasn't turned into a scam. The only one that hasn't turned full blown scam that I can think of is the BIG lottery.

        August 17, 2012 at 8:40 am Reply
  2. Now this has some interesting stuff for me to wonder about. Like what are the legal ramifications for this? And I mean real world legal. Due to the fact that hacking/cracking a website is against the law in most places. And also. I have a feeling that CCP will refund any lost ISK back from the hacker/crackers Eve account if it is proven to be true. As for "Shill" toons. Well. What did you expect from an Eve Player 😉

    August 15, 2012 at 9:49 pm Reply
    1. gizzy

      You're a moron, CCP won't refund anything because this isk "doesn't exist." Isk "won" on blink is essentially an "IOU" from the blink corporation ingame, and is not a guarantee the isk will be sent to you.

      Basically you are giving them isk, and they are giving you credit on a website out of game. CCP has no jurisdiction in this case.

      August 15, 2012 at 11:01 pm Reply
      1. Nina_C

        Except that some buy GTCs (with RL cash) through Blink to get extra credit on their accounts. I am no lawyer, but does that not muddy the waters a bit?

        August 15, 2012 at 11:14 pm Reply
        1. Happy gunner

          One would think so but not really, ISK is not real currency; from the time you hit complete purchase when buying a GTC to the time you sell that GTC in game for ISK it becomes virtual (non-realworld valued) currency.

          August 16, 2012 at 4:41 am Reply
      2. Oh dear, did you miss the part that said they stole ISK by "siphon off isk"? Think of it like this: some nasty player hacks my computer and logs in to my eve account. Transfers all my ISK to himself. Now I am sure that once I have proved the incident, CCP would transfer all the stolen ISK back to me. Well that is my understanding anyway. A moron I may be, but at least I am a moron that can read a whole story

        August 16, 2012 at 12:23 pm Reply
        1. Happy gunner

          Well think of it like this, Blink's (non CCP related) site wrongfully directs users to send isk to an alternate corporation and not the originally intended one. You the player send isk (all you had to do was click the "deposit" button and it brings the incorrect corporation up) to this attacker's fake corporation.

          So now tell me, how would CCP deal with that? You sent isk somewhere it shouldn't have gone because of a terrible security issue on somer blink's site which CCP cannot verify even if they wanted to. How would they know that blink didn't just stage this whole thing to intercept more isk out of people? This is how I see it.

          August 16, 2012 at 4:20 pm Reply
    2. Widdershins

      Hi.

      Other commentary aside, I can clarify some specific things for you on the legal end of the spectrum.

      From a legal standpoint, SOMER Blink's gambling enterprise is not a gambling endeavor at all. ISK has no value legally: all assets, currency, and everything else that exists in EVE is the exclusive property of CCP and they reserve all rights to do whatever the hell they want with it. Not only can you not own any of it, but you cannot have any interest in it either. Stealing ISK or items, even PLEX, from other players in EVE is not a crime because there is no possible way it can legally benefit you. If anything, actually cashing out on it (getting someone to pay you real world money for these goods) is the criminal part, since CCP can and probably will take it away from them upon discovery of such a transaction; if they didn't know about this going into it, there is a bit of an argument that you may have scammed them with false claims as to what they would receive.

      As far as any court is concerned, the concerns of ISK being transferred and any unseemly goings-on in this area are basically speculation and betting with and on monopoly money blowing around in a furnace. There is no possible way to claim damages or misconduct whatever the case, as there was nothing of value to begin with.

      August 16, 2012 at 5:32 am Reply
      1. Dice

        Gaining unauthorised access to computer systems and confidential information? It's illegal in the U.S.A. and Australia at least. For the sake of argument, if SOMERblink's website was hosted on a server in the USA and the dude from Project Nemesis is a resident of the USA, then I would imagine that criminal charges could be pressed. Of course, it's unlikely the Project Nemesis dude would have done his shenanigans without using Tor, so maybe there's no way to trace the connection. The logs, they show nothing (useful), happens in real life too, I guess.

        August 16, 2012 at 9:43 am Reply
  3. ???

    As expected, people start commenting on the stolen isks and not the fact that there is a possibility that people who deposit more isks into this website have a greater chance of winning.

    August 15, 2012 at 9:58 pm Reply
    1. buff

      You do realize that it's not people that deposit a lot of isk, right? It's the other way around. People with this flag set true win more often, therefore they have more isk on deposit. Good thing you posted anonymously to hide your downs.

      August 15, 2012 at 10:19 pm Reply
  4. I HACK EVERYTHING

    The comedy here is the absolute and entire lack of any proof for any of these claims.

    EN24 – I just hacked all of CCP, and have been siphoning ISK to myself, and there are shill players. Write a story about me too!

    August 15, 2012 at 10:03 pm Reply
    1. Bagehi

      We were able to see the admin with Somer's account provided by the hacker. Also have a list of over 1000 account usernames/passwords. Also was able to view some of the siphoned deposits. Seemed like the right thing to do to notify people that the accounts were compromised before publishing any of that info.

      August 15, 2012 at 10:13 pm Reply
      1. Heya Bagehi!

        I can only assume Riv didn't forward along our side of things before you had a chance to write the article. :)

        I was forwarded the "proof" the individual sent you. What he sent you was the information he gathered from a phishing site that gathered Blink cookies. The only "admin" access he had was a cookie from one of our entry level, preauth staff. If you'd like a screenshot of what the ACTUAL admin panel looks like, I'd be happy to forward it along for comparison :p

        There was no grand hacking attempt or success. :p Four days ago, an individual used a security loophole to redirect a small percentage of people browsing to our site to a phishing site. This phishing site would copy down the Blink cookie of those who visited it. The security hole was plugged almost immediately, and no harm to the site or any accounts was managed. :)

        We love running Blink, and the community around it, but the one real downside is "Gambler's Regret." A few days before the shenanigans started, this person deposited 1.5b over the course of a day. He lost a few and won a few, but was so caught up in the excitement that he kept exchanging all of his wins for more credit until the only thing he successfully cashed out was a Tengu. As in most cases of Gambler's Regret, he chose to blame us for his decision to gamble that all away, and created an impostor corporation to try and scam deposits. When that was removed by GMs, he even went so far as to break state and federal laws trying (and partially succeeding) to "hack" the site. Now that that security hole is plugged, he's fishing for any other outlet that will join him in his outrage that he chose to send us isk and chose to gamble even his winnings away.

        We've done our best to create a site that is fun, fair, and exciting to use – and for some people, they would rather try to scream and rage at and about us, instead of admitting that they chose to gamble more than they should have, or didn't walk away from the table when they could have.

        August 15, 2012 at 10:48 pm Reply
        1. And this is why, generally, you try to get confirmation or denial from associated parties. Verification of facts or at least the attempt thereof is usually a good thing.

          August 15, 2012 at 10:54 pm Reply
          1. Marc:

            Riv did actually contact Somer and myself, and we sent an explanation of what happened. I can only assume Bag ran with posting the story before he was able to get a copy of that email conversation.

            August 15, 2012 at 11:02 pm
          2. Bagehi

            There was quite a bit of correspondence to dig through. It looks like Riverini did forward along your email to him. Either I missed it in the nested messages or I had already finished the story when it was sent. Hard to tell at this point. We held the story for a while for the K-6 fight.

            August 16, 2012 at 1:49 am
        2. derp

          Look buddy, this is en24, we don't need any of your "facts" here. Bagehi got told something by some dude on the internet so this is going frontpage baby! Shocking headline soundbite!

          August 15, 2012 at 11:04 pm Reply
        3. buggrit

          Come on man, damage control is spin is bullshit.

          You may even be telling the truth, but it's long odds.

          August 16, 2012 at 1:00 am Reply
        4. Happy gunner

          Looks like he has Somerset Mahm's password hash, session ID and authToken to me.

          August 16, 2012 at 4:35 am Reply
        5. Happy gunner

          Can you tell us who this person is in game? If you know what they spend and deposited you should make this information public.

          August 16, 2012 at 4:37 am Reply
        6. LOL.

          a) cookies should never have any relevant information in them, ever; usually a proper set cookie contains a session ID and that's it.
          b) sessions should expire when no requests are made in a certain amount of time.

          everything else is not secure.

          c) that guy had lists of usernames + hashes, which means there has been a serious security compromise. Now whether he got that from a low-level pre-auth account or by other problems, it does not matter – with the hashes, the usernames and a decent rainbow table he is able to log in as any of those users. Meaning security relevant information HAS LEAKED. Period. There is no talking it down. No matter what sort of a loser the guy who did it was, no matter how much you try to beautify it.

          – You had a security issue
          – You had relevant information leaked

          Fucking DEAL with it, instead of trying to talk it down.

          God damn, I hate people who don't take security seriously.

          August 16, 2012 at 9:51 am Reply
          1. Happy gunner

            Completely agree.

            August 16, 2012 at 4:22 pm
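The two rules stated in the comment above (the cookie carries nothing but a session ID; sessions expire when idle) are what keep a copied cookie from becoming a durable account takeover. The sketch below is an added example and not Blink's code or anything from this thread; the store layout, timeouts and cookie attributes are assumptions chosen to illustrate the design. It keeps identity and role server-side behind an opaque random ID, enforces idle and absolute timeouts, rotates the ID on privilege changes, and can revoke every session of a user once theft is suspected. An insecure "role lives in the cookie" parser is shown alongside for contrast.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by an opaque random ID.

    The cookie carries only the ID; identity, role and timestamps live here,
    so a client cannot edit its own role and a copied ID stops working when
    the session is revoked or times out.  Assumed design, not Blink's code.
    """

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds without a request
        self.absolute_timeout = absolute_timeout  # hard lifetime since login
        self._clock = clock                       # injectable for deterministic tests
        self._sessions = {}                       # sid -> record

    def create(self, username, role="user"):
        sid = secrets.token_urlsafe(32)           # 256 bits of entropy, not guessable
        now = self._clock()
        self._sessions[sid] = {"user": username, "role": role,
                               "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return {'user', 'role'} for a live session, or None if unknown/expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if (now - rec["last_seen"] > self.idle_timeout
                or now - rec["created"] > self.absolute_timeout):
            del self._sessions[sid]               # expired: drop it server-side
            return None
        rec["last_seen"] = now                    # sliding idle window
        return {"user": rec["user"], "role": rec["role"]}

    def rotate(self, sid):
        """Issue a fresh ID (after login or a privilege change); the old one dies."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def revoke_user(self, username):
        """Kill every session of one user, e.g. after a suspected cookie theft."""
        doomed = [s for s, r in self._sessions.items() if r["user"] == username]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps page scripts away from it, Secure keeps
    it off plain HTTP, SameSite limits cross-site sends."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def role_from_insecure_cookie(cookie):
    """Anti-pattern for contrast: identity and role stored in the cookie itself,
    so whoever can read or edit the cookie decides who they are."""
    fields = dict(kv.split("=", 1) for kv in cookie.split("; ") if "=" in kv)
    return fields.get("role", "user")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", role="staff")
    print(session_cookie(sid))
    print(store.resolve(sid))
    print("insecure cookie claims role:", role_from_insecure_cookie("user=mallory; role=admin"))
```

The injected clock exists only so the expiry paths can be exercised without sleeping; in production the default `time.time` is used. Revocation and rotation are the operational half of the story: once a cookie is known to have been copied, every session for the affected users should be killed and re-issued, not left to age out.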
      2. srly?

        screenshot or it didn't happen

        August 15, 2012 at 10:49 pm Reply
        1. Happy gunner

          This link http://www.evenews24.com/2012/08/15/somer-blink-o

          Post by "Somerset Spam" links to multiple items, including raw log files of thousands of somer blink account password hashes and instructions to decrypt them.

          I now believe.

          August 16, 2012 at 4:34 am Reply
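Both the comment above and the earlier "rainbow table" point turn on one property of how the passwords were stored. A hash is not decrypted; an unsalted, fast digest simply maps every user with the same password to the same value, so a single precomputed table answers for all of them. The example below is added here and is not Blink's code or anything posted in the thread; the user list and the PBKDF2 parameters are constructed for illustration. It contrasts the unsalted digest with a salted, iterated one and counts how many accounts collapse onto a digest already seen.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for illustration; production values are tuned
# to the hardware and revisited over time.
PBKDF2_ITERATIONS = 200_000

# Constructed sample of accounts and plaintext passwords, not real data.
USERS = [
    ("alice", "hunter2"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
    ("dave", "hunter2"),
]


def legacy_hash(password):
    """Unsalted MD5: the same password gives the same digest for every user and
    every site, which is exactly what lets a precomputed (rainbow) table work."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus slow PBKDF2-HMAC-SHA256, stored as 'salt$digest'.

    A table built for one salt is useless for any other, and each guess costs
    PBKDF2_ITERATIONS hashes instead of one.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_digests(user_table, hasher):
    """Count accounts whose stored digest equals one already produced for another
    account.  Anything above zero means one lookup exposes several users at once."""
    seen, collisions = set(), 0
    for _, password in user_table:
        digest = hasher(password)
        if digest in seen:
            collisions += 1
        seen.add(digest)
    return collisions


if __name__ == "__main__":
    print("accounts sharing an unsalted digest:", shared_digests(USERS, legacy_hash))
    print("accounts sharing a salted digest:   ", shared_digests(USERS, hash_password))
    stored = hash_password("hunter2")
    print(stored)
    print("verify correct:", verify_password("hunter2", stored),
          "verify wrong:", verify_password("hunter3", stored))
```

With the constructed list, three accounts share "hunter2": the unsalted column shows two collisions with the first, the salted column none. The verify path matters as much as the hash: comparing with `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched.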
  5. Lol, this is funny. All the comments so far have been about players worrying about who scammed who. But you all failed to miss the big issue that somebody somewhere "BROKE THE REAL WORLD LAW" to steal some virtual pixel credits. But this only matters if the story can be proven to be true.

    August 15, 2012 at 10:30 pm Reply
    1. Catastrophe

      They don't care about that. Blink cares about damage control so you keep giving them isk and news24 cares about a story to drive traffic to their website.

      August 15, 2012 at 11:42 pm Reply
    2. Odds:

      We did send the information about the phishing site to his ISP, and about the ingame threats to "hack" our website to CCP. :)

      August 15, 2012 at 11:51 pm Reply
  6. xor

    I dabbled with Somer, roughly 100m isk (tops) just to 'test the water' on a good number of 1-5m isk bets. Didn't win a single one, but often saw the same player winning instead. I was convinced then it was a shill/scam/etc so stopped putting money into it. Happy to read my intuition was fairly correct, though sad to see the site was hacked in order to prove it true.

    August 15, 2012 at 10:49 pm Reply
    1. Nina_C

      If you play Blink often, you'll notice that those who win often normally buy 1/2 or more of the ticks. A guy who spends 100m and buys 1 tick per lottery and wins nothing proves nothing.

      However, it's still bullshit.

      August 15, 2012 at 11:13 pm Reply
      1. xor

        Obviously someone buying 50% of tickets is gonna have a greater chance over someone buying 10% of tickets. But it's when it's 33v33v33, for example, and one third wins every time (or so it's perceived by me) that it's not impossible, but highly unlikely.

        August 15, 2012 at 11:19 pm Reply
        1. Nina_C

          I'll buy that. But, what I said was only part of the story. For myself, I try to see what numbers have been winning most in the last 10 or so blinks, and try and buy those numbers. I can tell other raging blinkers do the same, as they are buying similar numbers. Not surefire by any means, but I feel it has upped my win stats.

          Try to never buy tickets off a blink someone else has started (unless the numbers remaining are those that have been winning often, which happens when blinks run long like Rorqs and such). Always start your own blink with the numbers you want.

          However, this could all be my fail attempt at winning at blink, which I can assure you I am no pro. Sitting around 25% wins right now out of about 4300 played.

          August 15, 2012 at 11:44 pm Reply
      2. Okay NINA!!!

        The ticket prices make it ridiculously stupid long-term to continue investing in half of the tickets.

        August 16, 2012 at 1:28 am Reply
    2. LOL.

      i do know a guy who claimed that he had some sort of script analyzing the win-patterns of somer a while ago, which found that some of the most winning characters never showed up in the rankings / statistics.

      August 16, 2012 at 9:54 am Reply
      1. Happy gunner

        Cool, who was it?

        August 16, 2012 at 4:21 pm Reply
  7. Nina_C

    Gambling site or not, when the odds are changed, it becomes less than gambling.

    I have won over 500b ISK with Somer. However, this is fucking bullshit.

    Never depositing more ISK, until an obviously neutral 3rd party (not Riv) who has knowledge of the code can check it, should they make it available for scrutiny.

    August 15, 2012 at 11:12 pm Reply
    1. Bob

      It's all available for scrutiny, and they get their lots drawn by a third party (random.org)

      August 16, 2012 at 1:23 am Reply
      1. IAmThe3nd

        It's all… meaning a small snippet of boilerplate code (about 20 lines) that shows what code would look like to access the random.org api.

        That sir is not nearly "all available for scrutiny"

        August 16, 2012 at 6:08 am Reply
  8. The_Oracle86

    hehe, Somerblink is probably the most recognized gambling site out there for the eve community and in my opinion probably the best. But it's still no different to the other gambling sites. All you have to do is sit there and watch. After time, you'll notice certain characters winning over and over again, then after a while these characters will disappear then others will come. The point is, for the site to survive it needs to take more isk in than what it's putting out.

    At the end of the day you're feeding the owners and partners isk while they laugh their asses off.

    August 16, 2012 at 2:01 am Reply
  9. Hundreds of billions of 'fake' ISK on shill accounts and it is dismissed by evenews24 as just a way to drive business to the site?

    Damn, even though the whole scam they've been running is obvious at the very least don't make retards of yourselves trying to make lame excuses for them.

    August 16, 2012 at 6:21 am Reply
  10. LOL.

    I've been telling people for *years* that there are shills (didn't know this word before though =). and no one ever believed me.

    August 16, 2012 at 7:32 am Reply
  11. JohnDouche

    TL;DR: BLINK has got holes, management fears it will bring bad luck to Internet gambling and tries to draw away attention.

    When a hot-headed, attention seeking and gambling addicted kid can hack BLINK then probably anyone can hack them.

    August 16, 2012 at 11:31 pm Reply
  12. Ashera Yune

    There are many ways Somer can cheat. One that includes having shill characters with infinite Blink Credit.

    The idea is simple, these shill characters buy a large portion of expensive lotteries on capital ships and faction ships. You typically see them buy a ridiculous amount of tickets, 50-75%, which costs far more than the price of the actual ship.

    The legitimate bidders buy the remaining tickets for a fairly substantial amount of money.

    The shill at this point has a superior chance of winning. If by some crazy chance his number is not picked, the site will change the numbers to make sure he is the winner.

    The prize still remains in Somer blink's possession, but they have gained lots of isk from the victims they ripped off.

    August 18, 2012 at 9:39 am Reply
