Hackers Target Neopets Users

I regularly see a lot of extremely dubious and rather slimy techniques deployed to get end-users to run horrible things or fall for scams. Generally, the targets tend to be the technologically inept or granny, sitting in the corner. See granny? Sure you do, she's right over there replying to the Third King of Nigeria and helping him out with his cash relocation problem.

However, I've come across a scam rapidly spreading across numerous underground forums and IRC channels that is truly one of the scummiest tactics I've seen in some time.

How bad? Allow the following screenshot to spell it out for you.


Ladies and Gentlemen, allow me to present you with the winner of the Lowest Tactic Used in 2009 award. Do your kids play Neopets? If they do, you might want to read this and gently warn them of the dangers.

Neopets: What is it?

Neopets, originally uploaded by Paperghost.

From Wikipedia:

Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia. Visitors can create an account and take care of up to four virtual pets, buying them food, toys, clothes, and other accessories using a virtual currency called Neopoints. Neopoints can be earned through playing games, investing in the game's stock market, trading, and winning contests such as customization and art. Neopets also operates a pay-to-play version known as Neopets Premium, which offers additional features and benefits for a monthly fee of $7.99 (USD).

The scam is based around one of the core mechanics of Neopets: kids love rare items and things that nobody else has. Neopets has magical paintbrushes - stay with me on this - and they're rather hard to get hold of nowadays. As an example of that, here's a petition posted in 2004(!) that people are still posting comments to. In addition, here's a list of current prices - now consider a newcomer to Neopets starts with the rather paltry sum of 1000 Neopoints, and you can see why there's a desire for these items.

This is where we target some 12-year-olds with social engineering. Oh dear...

The Method

Neopets is effectively social networking for younger kids and some teenagers. Or, as someone on a hacking forum put it while discussing this particular attack,


...ouch. No surprise, then, that the site has many communal areas where people can chat, hang out, send each other messages and see what's going on. Our hackers will move to the trading areas, where kids can post requests for items they'd like to buy, sell or trade. Then it's just a case of hunting out posts like this....


...and that child is, officially, doomed. Asking for paintbrushes on the trading areas of Neopets will mean that they're likely to be the recipient of a Neomail (private messaging on the Neopets website) that looks like this:

Neopets Scam, originally uploaded by Paperghost.

From there, it's just a case of said child visiting the external link, downloading a file and being keylogged into infinity and beyond. Then the fun really begins.


Wave goodbye to your rare items, kids - and you didn't want your XBox Live account (which potentially has credit card details attached to it) anymore either, did you? The attackers then use the familiar tactic of taking a previously trusted source and using it to attack their friends and other newcomers to the site. Alongside hanging out in the handily labeled "Newbies" section and spamming messages, they'll also post fake "It worked" messages from compromised accounts in forum threads started by the attacker, much like people do on YouTube to give the impression that fake programs actually work (scroll down to "positive comments").

Additionally, the PC is quite possibly used by other people, or indeed belongs to someone else altogether....


...which would be, as you can imagine, a "bad thing".

Shall we see some of the reaction to this attack method from the peanut gallery?


"Stupid 12 year olds" are apparently in for a smackdown.


The above individual is clearly excited by this.


...well, if you're going to intentionally target young kids, you might as well go the whole hog and dump them into a botnet too. The messages aren't just being posted and sent by private message on the Neopets site - they're also turning up on third-party websites.


Interestingly, sites such as Neopets are accessed in corporate environments too - FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid to large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.

During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

At any rate, let's hope they're wary of too-good-to-be-true paintbrush deals. Whether at home or in the workplace, "offers" such as the ones above should be avoided and anyone sending your child messages about paintbrush creators should report them here (you'll need to be logged in to access that URL).

I never thought I'd have to advise young children to stay frosty, but there you go...


I own a Neopets game gold site and you would not believe the amount of fraud that goes on. I have to firmly refuse to buy Neopoints off people who want to sell their accounts points and pets to me (regardless of the profit I would make).

The Neopoints market is booming and hackers are constantly trying to steal accounts and cash them out. With a single account being worth more than a World of Warcraft account and significantly less secure, people take advantage.

I personally have lost money due to people exploiting PayPal and issuing false chargebacks; now I have implemented a new system to stop this.


The use of RapidShare is very interesting. I don't know of many trojans that spread through RapidShare; those that do, as far as I can tell, were all initiated at 4chan. I think the "hacking forum" you're reading must have 4chan links as well.

These types of attacks underscore the importance of setting up a safe children's computing environment on your PC, like Kiddix or Edubuntu... or buy a Mac. In our house we use Kiddix. Even if you are using safety software, it is important to monitor where your children are going on the net and who they are communicating with.

Hi Avery, dumping infection files onto storage like Rapidshare is pretty common (or it used to be, before they started cracking down on infection files hosted there). Other file hosting sites have grown in popularity where choosing a place to place EXEs is concerned, however.

As far as we're aware, none of the forums or IRC channels we've seen talking about this have any ties to the various chans (though that doesn't mean none exist, of course).

mymovetypeacct, thanks for mentioning Kiddix, I'd not seen that before :) I'll take a look at it, sounds interesting.

mymovetypeacct, I agree with your comment. Though we have special programs, we must also monitor our children manually every time and everywhere they browse the internet.


About this Entry

This page contains a single entry by Christopher Boyd published on June 30, 2009 7:30 AM.