
Online Game Compromise and Social Engineering

By Mary Landesman, About.com

January 22, 2009

Blizzard, maker of the very popular MMORPG World of Warcraft, has been aggressively warning players about the risks of keyloggers and other trojans that can lead to the compromise of their online gaming credentials. After plowing through 12 pages of player comments in the Blizzard customer support forum, I'm convinced there's more than just malware at play. For many of the affected players, the cause could boil down to good old-fashioned trickery, aka social engineering.

Now, of course no one wants to believe or admit that they were the victim of a social engineering scam. At least with an outright malware infection, you can blame Windows or the failure of your antivirus (regardless of whether either of those was actually at fault). But with a social engineering scam, we have only ourselves to blame. However, until we 'fess up to our own fallibility, we can't take the steps necessary to change our behavior (and avoid getting fooled again and again).

To be perfectly fair, many social engineering scams are extremely clever. Consider a phishing scam that masquerades as a password change notice from a website you have an account with. The email advises you that a new password has been set for the account and includes a link to visit in case the request wasn't initiated by you. Click that link and you are taken to what looks like the site you know and trust. You're prompted to enter your username and the old (pre-change) password for confirmation. So you do. Problem is, the site is just a false front for the attacker, like the false fronts on the stores in old-timey Western flicks. What you've really done is hand the attacker your valid login ID and password (pwned).

Chances are equally good that it wasn't even the website (or online game) credentials that were compromised in the first place. Instead, it may be the email account registered to that account that has been compromised. Consider that many folks use the same username and password for their email as they do for their IM. This is a bad practice, but still lots of folks do it. One popular (and, for some reason, wildly successful) IM scam works as follows:

You get an IM from someone on your contact list. It contains a link, perhaps claiming to be a video or something else. You click the link and it takes you to a website that tells you that you need to log in to your IM account (or Facebook, or MySpace, or whatever) in order to view the video. You 'log in' on the page provided, but once again it's just a false front, and what you're really doing is sending the attackers your login credentials.

Let's say the attackers want to steal some WoW accounts. First, they'll probably work through the list of email credentials they've already stolen. For those who reuse the same login details in multiple places, the attackers may be able to log in to the game account with just that. If not, they initiate a bunch of forgotten-password requests. The reset emails go to the respective email addresses on record for each game account, and the attackers already control those mailboxes. All they have to do now is sit back, monitor the stolen email accounts, and intercept (and delete) the reset notices before the legitimate email account holder ever sees them. Now you can't log in, but the attacker can.

This is a pretty pervasive scam. If you actually receive a change notice for an account on which you have not just made a change, it is almost certainly a phishing lure. Conversely, when the attackers are the ones making the change, you are almost certain *not* to get a change notification, because they are the ones reading your email.

To play it safe, if you ever do receive a change notification from an online account for which you did not initiate the change, do not click any links provided in the email. Instead, visit the site just as you normally would (type the address yourself or use your own bookmark) and check your account that way. And to prevent a scam on one account from leading to the compromise of another, never use the same credentials across multiple accounts.
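The reason the link in the email can't be trusted is that the visible text and the real destination are two different things, and a host like example-game.com.account-verify.example.net is not example-game.com at all. The following script, added here as an illustration and not part of the original article, pulls every link out of a constructed sample of such an email and flags the ones whose real host is not the trusted game domain or whose displayed URL disagrees with the actual href. The trusted domain, the sample email body, and the IP address in it are all made up for the example.

```python
"""Audit the links in a suspicious "password change" email before trusting any of them.

Everything below is constructed for this example: the trusted domain, the sample
email body, and the hosts and IP address it contains are not real services.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the account holder actually uses for the game (assumed for this example).
TRUSTED_DOMAINS = {"example-game.com"}

# Constructed sample: an HTML email body in the style the article describes.
# Link 1 shows a legitimate-looking URL but points at a lookalike host.
# Link 2 really does go to the trusted site.
# Link 3 goes to a bare IP address.
SAMPLE_EMAIL = """
<p>Your password was changed. If you did not request this change, click below:</p>
<a href="http://example-game.com.account-verify.example.net/login">
  https://www.example-game.com/account
</a>
<p>Or review your account here:
<a href="https://www.example-game.com/account">account page</a></p>
<a href="http://198.51.100.7/wow/login.php">Contact support</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the URL's host IS a trusted domain or a subdomain of one.

    Matching on the whole-host suffix would accept example-game.com.evil.net
    and notexample-game.com, so require an exact match or a dot-separated
    label boundary.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link is suspicious (empty means none)."""
    reasons = []
    if not host_is_trusted(href, trusted):
        reasons.append("host not trusted")
    # The visible text looks like a URL: make sure it names the same host as the href.
    if text.lower().startswith(("http://", "https://")):
        shown = (urlparse(text).hostname or "").lower()
        actual = (urlparse(href).hostname or "").lower()
        if shown != actual:
            reasons.append(f"shown host {shown!r} != actual host {actual!r}")
    return reasons


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, reasons), ...] for every link in the email."""
    return [(href, text, classify_link(href, text, trusted))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        verdict = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"{text!r:45} -> {href}\n    {verdict}")
```

Two of the three links are flagged: the first because its real host is a lookalike under a different domain (and the displayed URL disagrees with it), the third because it points at a raw IP address. Even the link that passes is no reason to click; the point is that a link you typed or bookmarked yourself never needs this audit, and the email's link always does.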

When account credentials for IM, email, Facebook, MySpace, etc. are stolen, they end up on big lists that get sold to other criminals. It can be weeks, months, even years between the original scam that compromised the credentials and the moment those credentials are used to steal your online game assets. So just because you don't remember getting scammed doesn't mean you weren't.

Sadly, scammers may not even need to work that hard. Often all they need to do is persuade the gamer that they are a GM. Now I'm not sure why people are so willing to believe that X is a GM; maybe it's the cool factor. Two things about real GMs. One, if they want to play the game, they aren't going to advertise the fact that they are also a GM; otherwise players will never stop badgering them with questions. So if another player claims to be a GM, think twice. Two, never, ever (and I mean NEVER) will a legitimate GM ask for your username and password. So if you supply your username and/or password to a "GM", whether in-game or out, you've just been scammed.

Certainly malware plays a significant role in data theft and password stealing, and this article is not meant to minimize the seriousness of today's malware threats. But not every online game account compromise is the result of malware; quite often we are our own worst enemy.


©2009 About.com, a part of The New York Times Company.

All rights reserved.