Another note on site security, your security, and a malware email doing the rounds

[Dark0ne]

Recently we've been the target of some attacks on the site that date back to March of this year. To begin with a user was uploading a virus to the sites masquerading as other popular files. The virus was being used to gain infected user's stored usernames and passwords for the site which were then being used to login to their Nexus accounts here and continue to upload more viruses. That stopped. Now recently we had a high profile breach of one of our staff accounts that allowed a user to replace some popular files here with viruses masquerading as the popular files which is obviously more serious. I'm now getting reports that users are being spammed by a mailer which is sending out fake notifications to update to the latest version of NMM with a download link that, quite obviously, points to a location that isn't anything to do with Nexus Mods. This email doesn't even come from a nexusmods.com email address (or any address in any way related to games!) and doesn't point to nexusmods in any way, shape or form. However it does look convincing to people who haven't got their guard up and aren't checking the email headers to see where it's coming from or the link address itself (why would I send an email telling you to download a file from anywhere other than the Nexus Mods site!?). Please don't get caught out by this pathetic attempt to gain access to your system. You should treat this email the same way you'd treat an email from a Nigerian prince, or the "Bank of America" telling you there's a problem with your account that needs to be fixed by opening a zip file, or the Swedish consort letting you know the latest penis enlargement instruments really do work...

 

I have not done a bulk email to members of the sites since 2007 when TESSource became TESNexus. I hate doing it because I know how annoying it is to get unsolicited emails from sites trying to pump their product in your face. What's actually more worrying for us is how your email addresses have been obtained which is something we're looking in to much more closely. If I felt we'd had a breach of our system then I would most definately let you know (openness is obviously the best policy in these regards), however we've had no indication of that. What we cannot be certain of is a breach from before December of last year when we switched over to our new database system. Indeed, the newest account we've received a confirmation from on this topic is from April of 2013. We cannot verify that because we no longer have the original servers the databases were on. Obviously the most prudent course of action for you would be to change your password to be on the safe side.

 

We've had noone come forward to lay claim to these attacks directly so we're going off the assumption this is someone who's targeting the Nexus simply because it has a large amount of members with an active userbase. What we do know is that this is a brand new virus that anti-virus firms are only just starting to recognise now. Whether it's been made specifically for us or not is unknown.

 

We're no strangers to being attacked. We receive DDoS attacks regularly, you just don't notice it because as our resources have increased so have our means to combat them. We're working with our suppliers to come under the net of a new £250,000 investment in anti-DDoS measures that will continue to help us, and others, combat against this internet threat. Our servers automatically block hundreds of IP addresses daily from people trying to gain unlawful access to the servers or doing things they shouldn't be. The fact we're now being targeted more regularly is simply testament to what we have going on here and the people who want to try and exploit it for their own means.

 

This isn't the first time this has happened to a gaming community, or even a modding community. I know that the folks over at Curse have had many issues with their Curse Client (Curse's version of NMM for World of Warcraft) being "faked". Only as recently as January another fake client surfaced that was used to steal user's World of Warcraft account details. In 2010 the scammers even went so far as to pay for Google advertising so that their fake Curse client would show before any other results. So we're not alone here. The only difference is this is the first time this has happened to NMM, and it's important you're vigilant.

 

We pay $500 a year to buy a unique code signing certificate from Verisign that we use to certify all the versions of NMM that we provide. You can see this certificate when you go to install NMM. Here, have a picture so you can see what screen it shows on:

 

http://static-2.nexusmods.com/15/images/110/1-1402498844.jpg

 

As you can see the installer is signed to "Black Tree Gaming Ltd.". The name of the company I setup to handle Nexus affairs. We sign every single new release of NMM for this exact reason: so you know it has come from us and only us. If your installer does not say this or if you download NMM at some point and it doesn't say this then that's bad. VERY BAD. And you should cancel what you're doing and do a full system scan.

 

We will only ever offer NMM from our download page on the main Nexus Mods site. We will not send it to you in an email attachment or link you to somewhere that isn't on the nexusmods.com domain. Even then you should remain vigilant and check for that certificate on the installer.

 

As our work on the database stability issue comes to a close (thank god for that) we are going to be directing our attention on providing you, the user, with more tools to remain secure both when on your account and when downloading from the site.

 

Our login mechanism will soon be using SSL, a long over-due addition. We are looking in to implementing two factor authentication on account logins similar to how Facebook and Steam Guard work; if you login from a different location we'll send a unique code to your registered email address before you can login. We're looking in to implementing a new feature for the site that will let you explore the file structure of archives before you download them, which will not only help with spotting things that shouldn't be in the archive before you download but also help you work out whether a mod is actually compatible with NMM or not. We'll also implement a moderation system on files and archives that contain executables or other files that are potentially dangerous. If one gets uploaded we (the staff), will have to approve it before it goes public on the sites. Lastly, we'll explore our options in regards to external virus scanners to see if there's a decent online API that can handle the number of uploads we'd need to make to their servers.

 

The fact we have to spend time on this sort of stuff when we'd rather be working on things that help make your modding experience better is obviously annoying, but it's also part and parcel of the world we live in. Your security is a high priority for me, as is keeping you up-to-date with the latest issues and ensuring you're informed about the times when we've let you down. It's important for me to take responsibility when we do slip up and to make sure that, while sometimes I might slip up, I will take that responsibility for it and do everything I can to get things right. At the end of the day, you guys trust me with your visits, your mods, and some of you even with your money, so your trust is very important to me. Your words of support and encouragement during these sorts of times only serve to compound what I already know about the community we belong to. It's flippin' good.

[Junknthings69]

I just recently started using Nexus Mods again for my Skyrim and Fallout needs and I must say, this is one of the reasons I am a supporter of the site with money. These bulletins are much appreciated and I feel like my information (even though I did sign up with a junk email :P) is well protected and a high priority. I will continue to use NM and NMM for a long time to come. Keep up the good work you guys. It's much appreciated!

[MODinsane]

It is the very reason I have all of my Skyrim programs with Admin Status or ANY program that tries to download without express permission. Ive even seen "fake" Windows programs try this sort of thing, so it isn't just Nexus. I detest these little dweeb hackers. My Vipre virus program has already detected a Trojan that hit Nexus and Steam in the past.

[bizzclaw]

I don't understand why a modding site is getting attacked. This is obviously a website built for doing nothing but enriching it's user's experience. Do you guys even make that much profit off of this?When I see the nexus it doesn't come across as something very profitable, you guys are just doing it for the same reason I run a gaming community, because you want too. I don't see what's so bad about that, yet that doesn't stop us from being attacked. I've had my servers and website attacked on numerous occasions in the form of viruses and a multitude of Ddos. While it may not be to the scale at which your problem is, I can kind of understand and see how frustrating this could be to you. I personally think this is just a sign that you're successful, for if you where not you wouldn't be such a a target. In the mean time, I'm going to renew my premium membership to help you guys out because this honestly sucks.

[MODinsane]

Isnt it a shame a reverse affect cant head back on these hackers that burns out their whole system? Roasted motherboards on an open fire! :laugh: Dark0ne ... all of you Admins are doing a good job, it's just so many today are in a stupid mode hacking everything.

[TheVampireDante]

I don't understand why a modding site is getting attacked.

 

Fairly effective way of building up a botnet of drone systems for larger scale operations - until you get caught at it of course.

 

The actual content and purpose of the site is only relevant in as far as the size of it's userbase and the types of files it allows (so the problem causer knows what to disguise their crapware as).

[warlordodin]

Appreciate the update, thanks.

[ElderScrollsFan001]

Hi i went to DL a mod today and this message below came up. Is it part of the new security option of the site?

 

 

 

___________________________

Download location

 

In order for the Nexus to provide you with the best downloading experience we need to know where your preferred download location would be from the list below.

Based on this information we'll always try and serve you your downloads from the least busy and closest file server to your preferred location.

 

Choose from one of these locations:

 

USA

European Union

EU - Kent Premium

USA - Dallas Premium

USA - Washington Premium

 

 

You can change this setting at any time in your preferences.]

Edited June 11, 2014 by ElderScrollsFan001

[Dark0ne]

In response to post #15515910.

Yes, it's new, I would have posted up some news yesterday about it but we had to remove some of the endorsement features as it was overloading the servers. Once it's all rolled out there'll be a big news post about it.

[MrGrymReaper]

@Dark0ne - I have sent you a PM about your news post. With some suggestions.