MMO Security - A Phishing Story



This is the second in my series on MMO Gaming and Security.  The first post can be found within the Security Blogs on  

A bit more background for those that have never worked in gaming, and a bit of warning to all of you who have fantasies of working in gaming, your work experience comes in dog years.  You won't ever have one master, nor will you ever be working on only one title at a time.  Well, you might in the beginning when you are proving yourself, but once proven and part of the fold you are going to be pulled in every direction possible.  While still working on the first expansion of Ultima Online (UO), I was already helping architect systems for UO2 (and later all the other aborted launches of that same title) with Starr Long, I was working on Long Bow 2 with  Andy Hollis (another title that never shipped), working with  Richard Garriott and Seth Mendelsohn on  Ultima IX: Ascension , and on global projects for EA Corporate internally known as "EARS."  I consider all of these guys to be friends, and would drop anything to work on projects with them.  But working with them all at once, well let's just say I am a recommendation and one more miracle from being put up for sainthood.  (And that tiny issue of having to be dead as well... so no rush really on my part.)

While doing all of the stuff listed above, I was also the guy leading up investigations into cheating, hacking, attacks and the occasional criminal investigation.  And that, really, is what this post is about.  The fun, scary and educational bits and bobs regarding, in this case, phishing.  

 Phishing [sic], is really a con perpetrated using the Internet with the goal of gaining your username, password, credit card number, or other personal information.  We have two kinds, the indirect mass email kind simply called "phishing" and the more pinpoint kind referred to as "spear phishing."  In either situation, the design and intent is basically the same:  Get your information from you by tricking you into providing it.

An example of phishing - I receive email from time-to-time from major banks that I don't have an account with.  The email is cleverly crafted and informs me that I need to either respond back with confidential information or I need to immediately click an embedded link and enter my login credentials on that site to stop some bad action the bank is taking.  The person who sent this email bought a few hundred thousand email addresses on the black market.  They send out these broadcast email to those addresses in the hopes that a percentage of the recipients will have accounts with the bank they are pretending to represent.  Out of those people they know a percentage will, without thinking, follow the instructions in the email and thus unwittingly provide login IDs and passwords to their bank accounts.  


This story represents the easiest of this type of attack, in that it only required people to respond back to the email.  The harder method, one that works a bit better but requires some know-how on the part of the thief, is one that asks you to click a link that takes you to a website that looks like the login page from your bank or whatever other entity they are impersonating.  You enter your account information and in most cases nothing happens, other than of course your data was just transmitted to the thief.  In really good setups you actually log into your bank account as they redirect you to the real site and pass it the login credentials you just provided.  You go on about your life not even realizing you were just conned.  This story will give you some insight using a real-life example and hopefully make you a bit wiser.


First, the story -

The customer service group came to me about wanting to ban someone from the game.  (Ultima Online.)  It seemed the person had been found to be taking over accounts and would loot all the valuable digital items from the accounts and it was believed they then sold them.  

We realized how big this issue was by cross-referencing the user databases looking for a specific credit card number.  Not an easy feat given the security you have to have around the storage of credit card numbers, but I digress.  It was found that while a number of people had called and reported their account had been hacked, there were quite a few more that probably hadn't realized yet.  Or, maybe, were too embarrassed to report it yet.

Why the change of credit card information in the account you ask?  Well, good question.  One of the ways the billing department would validate the ownership of an account was to have you provide the last four digits (the only ones they can see) of the credit card on file for billing the account.  This was used if you forgot your password and the email address you had on record was one you no longer could access.  Which was clue number two, our thief had changed all the email addresses as well as the passwords once he had access to the accounts.  This way, when the legitimate owner tried to use the password reset tool or contact customer support they had a very hard time proving the account was theirs.  Very clever; our thief was buying himself valuable time to empty the accounts of valuable virtual items.   

All-in-all this was big enough of an pain that customer service was coming to me, and that meant I was getting the authorities involved.  So all the data was collected and I put the case together.  Great fun really; I always enjoyed these little distractions.

So after explaining all the details to the authorities, and waiting until all the jokes about magical swords and elves were finished (we didn't bother explaining that elves had died out in Sosaria at this given time in the history of the game), we began the process of putting a case together for prosecution.  See, there are people who do this at those huge companies.  They are me... and I am a singular person, so really… chillax, but rejoice in knowing there are small teams that take up this challenge.  

During our work we found our suspect was a minor, which was good for him because federal agencies don't arrest people under 18.  No, really - they don't.  So we decided perhaps we should call his mother vs. trying to get a local police department interested in taking the case.  (Local police do arrest people under 18 and unexpected phone calls from federal agents, in my experience, works wonders in such cases.  Federal agents can arrest the parents of people under 18 - really.)  Turns out Mom and Dad immigrated to the US only a few years prior to this event and spoke hardly any English.  Our very young entrepreneur / pre-teen was using Mom's bank ATM card as his substitute credit card for the accounts he was taking over.  Each account ran $9.99 / month in billing, and he had a few dozen of them all on her card.  My first question, you don't find it odd that your young child is billing many hundreds of dollars a month to your credit card?  The answer, which may shock you, was that he always paid her in advance for the fees and he had started his own account where he now had thousands of dollars saved.  This, oddly, didn't strike Mom and Dad as strange because their child was a kid genius and he always found ways to earn money.  I could only imagine the social engineering this kid was capable of and I wanted this kid on my staff, but child labor laws prevented such delusions.  

The victims here were the customers, who did get their accounts back in the end, but forever lost the items that our thief took from them and sold.  Keep in mind, that while a large company may be happy to help you, if your account is hacked then you are the victim and thus you are the only one who can actually call the police and file a claim.  Sometimes a company may decide to try to work as your proxy if there are enough other customers lumped together, but that large company is often dealing with their own issues and hackers.  So don't be shocked when you get back a set of documents on how-to contact various agencies and instructions on what kind of data you should collect for them to help with the case.  

How did he do it?  

Well, good question and the answer is really quite elementary, because after all he was in elementary school.  (That was bad; I'm so sorry.)  Our little wunderkind had realized that he could write email to an email list that he was a member of which contained other fans of the game who all were part of a 3rd party message board system. E.g. the email list was owned and controlled by a 3rd party which was dedicated to playing the game and hadn't thought about security very much.  The list was unrestricted, people had manually subscribed to it in good faith, and he knew there were thousands of people on the list with a common interest.  Great, so he has targets and the entrepreneur mindset to realize when you have a lot of potential recipients for mass advertising even 1% return on that target audience is good business.  Next he realized that 99.97% (most figures are made up on the spot, did you know that?) of people don't really pay attention to their email.  They see an email arrive saying it is from X person, they believe it to be, and even when they hit reply they don't take the time to review who the email is going to... they just assume it is going back to the person who they thought sent the email.   Be honest, in your mind's eye visualize the most recent ten email you replied to.  Now, how many times did you look at the "To:" line of those email to confirm who it was going to go to?  Honestly, be honest now... yea, zero of them.  Let me say that last bit again just in case you missed it because it is quite important.   

Very few people have the situational awareness when using a computer to notice very obvious slight-of-hand tricks like changing the reply to address, especially as they don't realize that anyone can put anything they want in the field that shows you who the email supposedly came from to begin with.  Take note of the fact that I bolded the words "reply to" and "from."  It's not just a silly grammar thing, they are two different terms and programmers are very literal people.  We don't present information to you and arbitrarily come up with the terms we use.  Words have meanings, so do numbers... but this isn't a blog on chemistry experiments gone wrong so I won't dwell on little things like zero is a number and needs to be respected as such.  The bottom line, pay attention to what is happening.  

Side note:  Spoofing (faking) email to trick people into believing an email came from someone else is slowly becoming a criminal offense in-and-of-itself in some states (Texas entered it into law this September 1st), but it still requires that you pay attention and notice it has happened to you.  Much like any other crime really if you stop and think about it. 

Oh back to what I was talking about...

So, he emails the list and makes the email look like it came from customer service at OSI / EA.  The email he composed had all the normal telltale signs of a phishing email.  Those are:  misspelled words, poor grammar, slang, and a very bold demand that you will lose your account / access to something if you do not reply back with your username and password. Really, if you are bad at spelling and/or have horrible grammar yourself, the final clue about sending someone else your username and password to prove it is you or they are going to stop collecting your money should be a dead give away.   Many people might catch on to this, especially today, but there is always that percentage that apparently don't stop and think long enough to realize what they are doing.  And this isn't a new con, this is very very old.  It has happened nearly forever with the post mail, and it is a misuse of basic human psychology. You may read about US Mail cons targeting the elderly, and now more and more email is being used to replace the post mail.  (Same con though.)  You have probably also seen this played out when a young adult shows up at your door peddling magazines to support their school, church, or other nobel sounding cause.  They try not to accept cash, but really would rather you gave them a check because for some reason they are only "trusted" to collect checks.  You write your check for the magazines, and a few weeks later the check hits your bank for a larger amount, written to cash, etc. etc.  They washed the check, or they now used your ATA routing information from the check, they may have even made more checks using the information from that one, etc.  Same exact con really.  They tricked you into providing personal information and a means to access your accounts.  I would bet more people would recognize the magazine fraud was being perpetrated then would realizing an email, supposedly from their bank demanding that they write back with their username and password or their account will be frozen, is fraudulent behavior.  Which is why "experts" like me need to get these stories into the public domain.

How you can avoid this -

I started the series with this story and example of protecting yourself because it is the simplest form of getting information from another person and the solution is situational awareness and self preservation.  Regardless of this supposedly being an email from a computer game you subscribe to, your bank, insurance company, employer, etc. you should never answer such an email.  There is no reason for any support person to need to have your password.  Support staff can already access your account, by law they have limited visibility into your personal data but do have enough that they could quiz you on the phone to determine if you are the account holder.  They will ask you to validate your zip code, street number, last four digits of a credit card, maybe the last four digits an ID number such as a social security number.  But realize, they don't have full data themselves, and this is to protect you.  Don't give out all sixteen numbers of your credit card to someone asking you to validate who you are.  Likewise, don't give out social security numbers or the like.  Only partial, and in most cases systems are designed to only show the last few numbers.  They already can see your user name, account number, etc.  If they need to test your account they can change your password and use whatever they changed it to; after they are done you can change it back to your secure password.

Remember when I said; don't ever reply back via email.  I meant it.  Companies will have policies against soliciting information like this because it exposes them to civil and possible criminal litigation.  So they aren't going to do it.  If you are in doubt, call the company (lookup the phone number yourself, don't rely on a number listed in the email you just got) and ask to speak to a representative and tell them about the email you received.  You will find that many companies have fraud departments and will take down details so they can take action to stop the people using their good name and attacking their customers.  They may ask you to forward the email that you received, and I would encourage you to assist so they can stop the thief.