I have had several posts up of late about accounts being compromised and phishing attempts I have received, all revolving around World of Warcraft.
It seems like a huge issue. But I have four accounts that belonged to friends compromised in the last few months (one of which was a double, two accounts with different user IDs and passwords compromised) and I get more than one WoW related phishing email per day, so it is something that is up in my face.
And things close to you gain exaggerated importance.
For example, that the police blotter in the local paper has shown that burglaries are up in my town has registered with me. The unemployment rate is 12% in California these days, and that sort of thing is a sign of hard times. But the fact that the house across the street was broken into suddenly makes it a serious issue.
So the fact that I have been close to a number of cases makes WoW account security seem like a big deal.
But the fact that I seem to be hearing a lot about WoW does not mean that WoW is the only one having this sort of problem.
On the other hand, I have seen almost nothing about account security issues when it comes to other MMOs. Once in a while something comes up around EVE Online. And there was that story back in July where somebody was phishing for EverQuest II accounts, which was notable mostly due to the fact that it was somebody other than Blizzard being targeted.
Certainly I haven’t seen any other MMO developers offer anything like Blizzard’s Authenticator for account security.
Plus, when it comes to phishing, the ratio of WoW to everything else is something on the order of 500 to 1.
For a while I was getting an Aion phishing email about once a month, but I haven’t seen one in a few months now. I also got phished for Star Trek Online and Warhammer Online a couple of times, but for both games it was back at the product launch, and I haven’t seen anything since.
I think I got a phishing attempt for EverQuest II a few years back, but I wouldn’t swear to it in court.
And I have never seen any phishing emails related to Lord of the Rings Online, Dungeons & Dragons Online, Runes of Magic, or any of the SOE games besides EverQuest II.
This isn’t to say that I do not believe that each game gets its share of account security calls. People do goofy things all the time. People share accounts, fall out, and issues arise. We even had our own account security issue at my house with Club Penguin a while back.
But there does not seem to be the same sort of concentrated external effort to compromise and steal accounts in other games the way there is in World of Warcraft.
Or, maybe there is, but I am just not aware of it.
Is this happening to other games? Is there enough money to be made in other MMOs to draw attention to them in this fashion, even if it is in proportion to the relative subscriber base?
And what is the current “next big MMO,” Star Wars: The Old Republic, planning to do to address this sort of thing?
Blizzard isn’t the only one with an Authenticator. Final Fantasy Online also offers one. I’m not 100% sure, but I think they had it before Blizzard.
I gotta be honest.
In 6 years I have never been hacked. I am not sure what these people are doing but I am starting to suspect serious PEBKAC issues…
I gotta think that like everything else, whatever has the critical mass has most of the effort directed against it. Just like with Windows. If you were writing programs to zombie computers, would you get more bang for your buck from Windows or Mac?
I suspect it’s the same in the MMO space.
Final Fantasy 11 saw a ton of hacked accounts as well. In fact, they offered authenticator devices way before Blizzard made it cool.
I’m still lost as to the rationale behind spending the time and energy to phish or hack accounts. What purpose does it serve? How does it make someone money? Since I can’t quite fathom that, I’ve started to wonder in the other direction: is it not so much that it generates an advantage to the hacker/phisher as it is a direct attack on Blizzard/WoW/whoever for past grievances of some sort? Translation: I can’t imagine ever being bored or desperate enough to hack someone’s MMO account. Apparently others can though.
Our guild got hit really hard by hackings lately. (EQ2) 6 in the past 2 months. I’ve never seen this many incidents in such a short time – in fact, in the past decade of gaming, I can’t recall more than one or two incidents prior to this wave. We can’t pinpoint a source yet, but EQ2’s CS has been terrific in helping restore hacked and deleted toons. People in guild are pretty careful overall, so whatever it is isn’t something that’s obvious – no noob mistakes from what we can tell.
I haven’t played WoW in over two years. But I’ve been receiving phishing emails that only started in the last month or two. My account was hacked earlier in the year but I managed to recover it, and secured it with the mobile authenticator for android. I don’t understand where all the emails are coming from though.
@Rob & Yath – I think I have demonstrated in the past my complete ignorance when it comes to Final Fantasy. But it is interesting to hear that they offered up an authenticator. (Cue SynCaine to comment about Blizzard copying others.)
@Genda – Absolutely. WoW must seem like the big score. I am more curious to see if other games still get linearly proportional attention from hackers, or if there is a more geometric progression. You can, after all, still buy currency for all of these games. SOE has pretty much shrugged and said, “whatever” when it comes to people buying from gold sellers (though they still go after the sellers themselves I am told), and those sellers have to get their supply somewhere.
@HZ – You and I couldn’t make enough money hacking accounts and selling virtual goods, but we live in the land of plenty and a minimum wage. Maybe. Go grab a copy of Julian Dibbell’s Play Money. He tried to make a go of it as a currency seller, though he used in-game exploits as opposed to account hacks. It is an interesting read and it will make you want to go play UO.
@Karen – Ouch. I went Googling around when I was thinking about this and I ran into a couple of commentaries that mentioned guild web sites and forums being a gold mine for hackers. People let their guard down.
But I guess that answers my question for EQ2.
Someone in my LOTRO Kin had an attempted hack the other day – not as common, but it does happen.
“I’m still lost as to the rationale behind spending the time and energy to phish or hack accounts. What purpose does it serve? How does it make someone money?”
The big gold seller advertises I think 1000 gold for $30. If they were to hack my account, they’d find my main with 20K gold in cash, decked out in gear with a vendor value of 200+ gold, with feasts, flasks and spare gear in my bags worth at least another 300. My bank is stuffed with extra gems (some raw, some cut), herbs, even more gear, and a bunch of stuff of little to no value. Oh, and high level (but not unlimited) access to a loaded guild bank. At $30/1000, they could easily take in $700 dollars or more off of that one toon on my account. I don’t know how much that will *net* them at the end of the day, I don’t know how much time and money is spent in trying to get my account information but, once they get it, they can bring in a lot of cash in a short amount of time.
I’m an IT professional – not that that means much beyond that I know how to keep a clean machine – and my account was hacked. I’ve never responded to a Blizzard email at all of any type. The only downloads I did were from Curse.com – I think they’re clean, but I guess they could be considered an attack vector. One funny thing on my account status though was that my Authenticator was listed as ‘revoked’ (or a similar term) but I never had an Authenticator.
My account was hacked and banned last spring – I was notified by Blizzard, but I just figured it was a phishing email since I’d terminated my subscription about 7 months prior. This week after reading all of the ‘hacked’ articles and in preparation for Cataclysm I decided to check on it and sure enough, I was banned.
I wrote a simple email to their support link last Friday that said “My account was banned in May after not logging in for 7 months. Please either un-ban me or refund all of the money I have into your game client and expansions.”
Today I got an email that I was un-banned and regarding my account:
“We have reviewed our logs of your account, and we were able to determine the following:
No gold was removed
No items have been deleted, sold, traded
No unauthorized character transfers
No profession changes
Guild banks associated with your characters are intact
Fortunately, it appears as though your account has been unharmed.”
So apparently, my account was banned for gold-selling related activities, but the hackers were nice enough to leave all my stuff alone? Not even sell my gold? It sounds fishy to me and I don’t plan on playing soon or giving them $15 to look around my account for a month.
My experience combined with other things I’ve read lately leads me to a couple possibilities. Barring curse.com infecting my machine, either 1) Someone has gotten good at socially engineering their system for associating authenticators or 2) There never was a real problem and they are using a little creative marketing to try to suck ex-players back in.
From what I can tell, this is how they make money doing it.
They hack your account, usually through an email that looks like it came from Blizzard but really did not (Welcome to the Cataclysm Beta!!!), then if you’re not currently subscribed they will actually pay for one month of time. Either way, this part of the process doesn’t cost them anything, even if they paid for your sub (more on that later).
They log in your toons, sell all your crap, and mail all your gold. If you have a “good farming toon” they may use that character to farm hides/meat to sell on the AH for more money. I know this because when I regained control of my own account I was in the middle of nowhere with bags full of hides and meats.
Usually by now you’re in the process of regaining control of your account, so your account gets frozen. Jump through a few hoops and eventually Blizzard says that they agree with you and will give you your account back.
A month or so later (possibly weeks) maybe you decide to play WoW again. You pay for your month and play a couple days. One day you try to log in and cannot, you check the Bnet account management page and your account is once again Frozen. This is because the gold farmers disputed the original 1 month sub fee and Blizzard didn’t put 1+1 together and think you are the culprit. Jump through some more hoops and your account is reinstated.
Not to mention you could easily fall victim to another email, after getting all of your items restored, and they can do it all over again.
Best way to avoid it is to always check where the email came from (phishing ones are usually through hotmail) and mark em as junk. Most will go to your junk but you’ll occasionally get one that slips through.
I still get spam fairly routinely for the following games:
Aion
DDO (Explain this one, I dare you)
LOTRO
WAR
AOC
Granted, none of them are nearly as regular as WoW (3-6 per day), but I get them at least once a month or so, with Aion being the top at 2 or 3 a week.
Is the gold spamming market honestly all that profitable? Do they really get that much traffic? With Blizzard banning the buying accounts all day (which they can easily track from the selling toons), are there really that many new players willing to fill the shoes of those who get banned?
Secondly though, I still don’t buy it because I’ve seen and heard of many accounts going through this where nothing changed. Nothing missing, characters untouched, or only minor items taken.
The more I hear the arguments the more I’m convinced it has nothing to do with gold spamming itself. People don’t hack Windows or Microsoft products to make money. They do it because Microsoft has somehow, someway, pissed them off, and they want revenge. With a 13 million player base, how many pissed off computer nerds/coding monkeys are floating around world wide with an axe to grind with Blizzard? Isn’t that at least part of why private servers pop up as well?
I play in a large WoW guild, and we have had probably 10 or more people hacked in the last year.
We have even seen hackers doing it to guild members while we have been online. They log on, ignore any attempts at communication, go through all the characters that person owns one by one, to see what items/loot/guild bank access they have. Then they start disenchanting any epic clothing/weapons, usually standing by a mailbox so they can forward everything on to another holding character. The rest of the stuff ends up on the AH pretty quick, again through a 3rd party.
Often when I am playing, I get whispers from people telling me I’ve been invited to Cataclysm Beta/I’ve won a rare pet in a competition/my account is about to be suspended because of complaints from other players; and in every case I can solve it all by going to BlizzDodgyWebsite.com and entering my account details etc.
Is this connected to gold selling? I presume so, otherwise why wouldn’t they just vendor everything you have? Why go to the trouble of DEing items and selling things on the Auction House?
This is nothing compared to one of the early MMOs I used to play though, called Phantasy Star Online. There our characters themselves often came under attack by hackers, either by forcing our games to crash, or even turning us into NPCs and therefore making our characters unplayable (the infamous NOL attack, if anyone remembers that).
There was definitely no monetary gain to be made there, it was pure nastiness.