MMO Security - Greed



This is the third post in my series on MMO Security, and again it aims to bring attention to the methods used to take advantage of the masses.  My first story was about phishing, and how situational awareness can save you a lot of heartache.  While it's hard for those who do not dedicate time and energy to playing an MMO to understand the loss of digital intangible items, the average consumer on a good MMO plays forty (yes 40) hours per week.  That happens to be the same amount of time people work at a full-time job, and thus there is considerable emotional attachment to these intangible items.  That’s even before you start to realize the very tangible amounts of real-world money they are worth.

The collection of artifacts and special items in the game, for prestige and/or enhancing game enjoyment, is inculcated as part of the game design and is often a passion of the consumer.  These items, which are simply entries in a database represented by pixels on a screen, hold real-world monetary value.  The same laws that dictate the value of any tangible item dictate their value, those being “supply and demand”, and overall rarity is a key component of the game’s design. The illegal procurement of these items is quite often the goal of so many of the thieves that lurk in the shadows of the MMO world.

Psychology is a strange thing, and while this article won’t focus on theft via hacking means such as duping, stuttering, exploiting, etc., it will focus on the use of manipulation (“social engineering”) to gain these items with little true hacking skill. Human greed is a constant you can always take to the bank, and in the world of social engineering it is the hammer that can make everything react like a nail – even the screws.

In college we normally have to take at least one, often dreaded, class in the subject of psychology. Now that I am older and supposedly wiser, I find the topic hyper fascinating and wish I knew infinitely more than I was taught.  Because much like every other person, the rest of my body of knowledge in this area was found through the trials and tribulations of real life.  And frankly, getting punched in the face by a really big mean guy isn't the way someone wants to learn that it hurts to get punched in the face by a really big mean guy.  It's just easier if someone who has done it before tells you about it so you can borrow that experience and forgo the bleeding and flashing waves of heat and pain.  Ironically most people don’t appreciate the simple way of learning things until after they have been “punched in the face” a few times, so I guess it’s a bit of a catch twenty-two really.  There are several key things to know about all people:

  • Everyone, yes EVERYONE, is afraid of what everyone else thinks about them.
  • Anyone can be intimidating, even if they don't mean to be.
  • Most people inherently and subconsciously believe that He/She who dies with the most stuff wins.

MMOs are great because they play a bit to these three things.  You can be whoever, and sometimes whatever, you want in a fantasy game.  Small guys can pretend to be huge warriors, old lonely men can pretend to be beautiful young women (not that I'm saying there is anything wrong with that), and boy oh boy can you become silly rich quickly and live the “good life”, albeit only while online.

A lot of people are far more intimidating, often on purpose, online, and when confronted or even interacted with in real life they are very timid.  And hoarding, greed, and a desire to get ahead can be more easily practiced in a world where you can become virtually wealthy than it can in real life.  The last item is where our thieves focus.  They prey on that human desire to have something others do not, to get things easily, and to amass the most of something ("wealth") to create prestige.  Let's just call this playing on "greed" for now.  Before I go into story time, here is a quick side note on that "Everyone is afraid of what everyone else thinks" note.

When I started at Origin, I knew Richard Garriott was in the building.  It's like having worked at Apple knowing that somewhere in your building Steve Jobs is (was) walking around.  I knew I would have to meet Richard at some point, but was terrified / anxious / giddy with the idea that I get to work with a personal hero.  I mean, he's freaking Lord British!  Anyway, the day finally came where I couldn't avoid it, and I found myself standing in his office being introduced, and for the first time, and oddly last time to date in my life, I was totally starstruck.  Later in life I was flinging myself off of mountains trusting he had taught me how to rig my rappelling gear properly, and drinking myself blind as he and I killed a bottle of port wine that was older than this country that he "found" in his wine cellar but wasn't sure it was even safe to drink.  But at this moment in time, I was shaking in my boots at the thought I was going to have to eventually speak.  I have worked with a lot of celebrities since then, and am happy Richard was the first one I met because not only did he recognize that my eyes were apparently as big as saucers, but he jokingly pointed out he had heard a lot about me and was a bit worried I would be critical of some of his more technical plans. Yeah, people are people... every last one of them.  And it's great to have gotten to work with one of the good ones.

Okay, now back to security.

Greed and why it works - 

I kind of covered this: it's part of our hardwiring and we can't get away from it.  We can try; you can choose not to covet things.  But keep in mind the audience I am speaking to and about is not Father John who took a vow of poverty.  It's “Steve the Black Smith” who wants to be a Grand Master Black Smith in the game, and he can make armor at that point out of rare minerals he will have to spend months collecting, and then somehow that translates to women, fame and fortune.  I'm paraphrasing, but if I had a white board and a stiff drink I probably could draw out the diagram so you would understand.  For those of you who play MMOs, no explanation is needed.

Now Steve, who in real life is a clerk at a convenience store, happens to notice a n00b running around that just days earlier had no idea what he was doing.  The new guy is suddenly far too high ranking and has a lot of gold.  This annoys Steve.

Steve does what all good Internet users resort to and he uses “The Google” to go find out how to “cheat”, “script”, “dupe”, etc. in the game he plays.  There are hundreds of thousands of links.  He spends hours and hours on sites learning some tricks, and then finally finds what he is looking for – a program that will give him God Mode!  It’s a gamer thing, they don’t mean to be sacrilegious with the terms.  Having used the true God Mode Tools while at EA, I can say – It’s Awesome and nah-nah pfffffff I did it and you didn’t! (yea, I totally just did that.)

Here is what Steve didn’t want, but ended up getting:

  1. Most of those sites he landed on and read at a frantic pace while working on his umpteenth caffeinated beverage were harvesting cookies, planting and reading metadata from his machine, and infecting his workstation with malware.  He will get to deal with all that later in life.
  2. The software he downloaded contains a Trojan that is crafted to harvest his username and password from his game client and supply it to the creator of the program, who feels a bit like God due to all this omnipotent information now filling his database.  That guy will use this information later to loot all the goodies out of Steve’s account, and maybe do more real-world damage as well. Steve will get to deal with it all later.
  3. The application may or may not work, but chances are it probably triggered a security system inside the game, and Steve may end up having his account banned whereby he loses everything he has worked on for the year-and-a-half it took him to become what he is in the game.

The n00b kid, well he probably will eventually suffer the same fate, or he found that if he stacked five shirts on top of each other, then dropped a hammer out of his backpack within three seconds and spun around it would produce a gold bar due to some glitch in the code.  Whatever, the bottom line is you don’t get stuff for free.  Even that little “discovery” will end up being a “Bad thing” for the kid.

But greed, yeah that greed stuff will always work.  Let’s take a look at what’s happening to the guy who made that program.  He probably got a few good weeks or a month out of that iteration of the software.  He probably gave it away for free, and had it hosted on a dozen different sites – none of which can be traced back to him.  He used an internet café and logged into all those hundreds of accounts, handing off goods and items from the accounts to a “mule” character he created for this very purpose using a second computer next to him.  Those items were then moved to other accounts, and he eventually will sell them on auction sites and online brokerage sites set up for trading and selling goods in that specific game.  It’s the digital equivalent of robbing houses and selling the items in pawn shops… except there is no way for our “pawn shop” to know what is and what isn’t stolen.

I was once working at a police station, and a 911 call came in with a woman very upset.  Her house had been burglarized.  Every officer tore out of the station to go help as it had just happened and she saw the guys who did it.  The police get there, and I get called to come out to the scene and all the officers went back on patrol.  The woman had witnessed her house in an MMO game get broken into and looted.  She wouldn’t stop yelling about her magical sword that was taken.  It was a “lifetime of items” that had been taken from her.  Things she “could not replace.”  She reacted as if her real life home was broken into and her world was violated.  Because, to be honest, to her it was.  The people who did this were people she trusted in the game and she had downloaded software they told her to get so she could advance quickly like they had.  It was a Trojan of course; they used it to access her account and transfer ownership of her house and all its items to their account.   I might need a lot more psychology classes to really dissect that one, but the bottom line is greed is an easy angle to take, and socially engineering people is easier online than it is in real life – and it’s not really all that hard to do in real life.

Stay sharp, trust only people you actually truly know, don’t go looking for something for free, and try to keep your greed under control when pack ratting away reagents, cloth, armor bits, and odd art gumps that aren’t normally in the game.  Oh, and all these lessons apply to all your time on the Internet, even if you don't play MMOs.  But you should, really, I still have a lot of EA stock and could use the support.