Account Safety and Security

=Purpose and Introduction= Hi, this is Skunkwerks-type-personage, and herein I'm going to try to archive or "inter" if you will, a wealth of information regarding Keyloggers and other Account Security issues that I usually keep freshly updated in a thread in the Official Earthen Ring Realm Forums.

I will in all likelihood continue to maintain the thread, but I would like to keep an archived copy here not only for reference of others, but also myself. It takes a good deal of effort to get a thread stickied, and the infomration changes so often that it needs to be "freshened" periodically (reorganized and such) to keep it convenient and readable. Here of course you also have advantage of the Wiki-Formatting's Table of Contents- which should make the article (a long read to be sure) easier to access for those looking for specific topics within it.

In any case, I understand it's a bit "off-topic" but as this is the Earthen Ring Community, and I've been keeping this as a service to that community, I think you can see where this "fits". --SkunkWerks 05:24, 6 December 2008 (UTC)

=Motivations= Why do Account Thieves do this? Well, as one poster on the forums once put it: "You will never see such industry in the art of account theft as you will in WoW."

And when you think about how successful WoW has become as an MMO (it's an anomaly in the MMO genre- few MMOs break the six-digit subscriber mark, let alone do so hundreds of times over as WoW has), it becomes easier to understand why there is such "industry" in the account theft trade. To put this simply: there's a lot of money to be made.

When an account is taken over, the thieves who take it are generally seeking to do two things:


 * 1) Fleece the account for all it's worth- selling off all equipment and stored goods, or transferring them to other accounts quickly so that the more protracted process of auctioning valuables can be conducted- in an effort to make as much gold from the account as possible.


 * 2) Further the trade of account theft- to which end these stolen accounts will be employed to post URLs leading to keyloggers, trojans, false "login" pages and whatever other deceptive tools the thieves may be using to facilitate account theft. In this sense, like a virus, it invades the "cell" (account) and reproduces more of itself by phishing for new marks who will in turn have their accounts stolen, and so the process begins anew.

Show Me Tha Money!
This leads to the question of where all that stolen gold and property goes- if this is a business, as I've suggested, someone must profit: who? To answer that question, we have to look at two sorts of WoW-related URLs- links you will see posted both on the forums and in-game. The first is the Keylogger URLs, and the second is Gold Sellers (or RMT- for Real Money Trade)- those who sell gold, "powerleveling" and other in-game "services" for real-world money.

First let's take a peek at our shadowy antagonists in this tale- the Account Thieves. What do we know about them? Well, most of the Keylogger URLs can be traced quite easily by a widely available web-based service called "WhoIs" which any internet user can make use of freely. Such traces will easily reveal who registered a domain name (the central part of any URL) and where that person hails from. These traces nearly ALWAYS lead to a Chinese origin.

Now let's look at Gold-Sellers. This is obviously an attractive offer to many players who feel they do not have the time for the "grind" that playing WoW can in many ways represent. You fork over a bit of cash and in return, get someone essentially to play the game for you- either by giving you goods or gold you never truly earned, or "powerleveling" your character- a term which basically means leveling a character very quickly.

What do we know about gold sellers? Just as you can trace keylogger URLs via widely available services, you can do the same for Gold-Sellers. And in any case, it's not exactly a secret that most Gold-Selling outfits (and the "gold farmers" they purportedly employ) are also Chinese in origin. We also know that Gold Farming, as many "insider" articles will tell you is a very formidable task, and a highly time-consuming activity. The individuals "hired" (it's been oft demonstrated that many work for a pittance- which is not necessarily unique to the MMO RMT "industry" in China in any case) work long hours, and work like machines.

The Devil is in the Details (a different view of your "Friendly Neighborhood Gold Seller")
Aside from the Chinese origin, what other similarities could we find between these two parties?

Well, neither business is "welcome" as far as Blizzard (WoW's parent company) is concerned. They operate in a shady area outside of Blizzard's Terms of Service- which is a legally-binding document that all who play WoW- be they players or gold-sellers- must agree to in order to play (be provided service). Blizzard has shown a history of actively prosecuting RMT companies wherever it can- most notably forcing an injunction against once-popular RMT company Peons4Hire on the grounds that it's incessant spam of global chat channels as well as whispers to players was creating an adverse experience for players and damaging Blizzard's business.

And obviously Blizzard doesn't want Account Thieves running willy-nilly, making a lot of sad and inconvenienced players and ruining their business that way- so here's another group of individuals who operate in a very small margin- which basically consists of wherever they can worm their way into unnoticed or unchecked.

Now here's the brain-buster: What if they're the same people?

As I've already suggested, Gold-Farming is a time-consuming activity. It was once far more popular I think when Gold was harder to come by (prior to Burning Crusade and the advent of the "easy-money" Daily Quests) and still primarily depended on your ability to play the Auction House in selling materials and goods. Now however, what's the motivation? I suppose it's as easy to give Farmers accounts and let them do Dailies in the same easy fashion as players do to get gold- but you're still limited to 25 a day- and that run can be accomplished really in about two hours.

And then of course you've got to pay someone (albeit very little in China) to do this.

What if there were an easier way to get it? Maybe by say, stealing accounts and fleecing them of their gold? Then you can sell that gold to other players, and make a tidy little profit doing it for all it cost you: some (likely botted) posts on the official forums containing keyloggers URLs and a few pittance fees to register the bogus sites which don't have to be paid for for more than a month anyway.

Heck, what's to stop you from just stealing that gold from other players? You could even steal it from the very "customers" you sell gold to by unwittingly infecting them with keyloggers at the point of purchase. They'll get their gold, you get their account information, and then at some later date, steal back what you sold them so you can sell the same gold to another trusting mark and be none the wiser.

Better still, you can get them to pay for the privilege of being robbed blind!

Get Out Your Tin Foil Hats Guys...
Sound like wild conspiracy theory? Should we call Oliver Stone or maybe Michael Moore? Maybe. Or maybe not...

Remember those widely available trace services for URLs? Well, it's not a well-known but easily uncovered fact that many of the URLs used by Account Thieves and those used by RMT companies share more than just a geographic similarity- they have on occasion, shared the same registrants, or have at any rate been eerily similar enough in addresses to suggest that fairly frequently, those selling the gold and those stealing it are the same people.

And to them this is the "victimless crime": the players who have their accounts stolen usually go straight to Account Admin and have most if not all of what they lost restored. So, your minor pain in the tuckus = their insane profit.

This is food for thought if you happen to be one of those players who may have been lured into buying gold- not only are you supporting the people stealing others' accounts, but in a tragically karmic irony, you will most probably become the victim of it at some point in the future yourself.

But in any case, the TL;DR version of this whole missive is: there's money to be made in account theft- the same take the RMT industry enjoys. That's where all that gold goes.

=Modus Operandi= Now that we've covered the "why" of the matter, let's look at the "how" of it. Returning to the statement about the amount of "industry" seen in the theft of WoW accounts, it's safe to say that the how is a veritable cornucopia of tom-foolery, cheap tricks, and underhanded schemes. Almost too many to count, honestly. But what I can try to do is identify some of the common "tools" used in the trade and how they're generally employed. First, let's look at what tools keep for, well, tools.

Tools of the Trade

 * Phishing - This is a specific sort of computer hacking strategy. As its trendy phonetic alteration of a more common English word (fishing) implies, Phishing suggests baiting a line and then waiting for bites from unwary fish. It is the strategy of least effort for the hacker, as it's basic premise involves tricking a user into giving you secure information.  Ever seen that tip on the WoW loading screen that says "A Blizzard employee will NEVER ask you for your password"?  E-mails asking you for such things (often obliquely: "please verify your account information") are attempts at Phishing.  Part of the reason this approach to hacking evolved (apart from laziness) is that encryption for passwords these days is very  difficult to crack.  It's far easier to dupe someone into giving you that information than it is to force it from their computer.


 * Trojans (Trojan Horses) - This is a variety of viral code whose strategy is mostly dependent on subtlety. Whereas viruses of the past sought to do massive amounts of damage to computer systems, Trojans (like their mythologically-referenced name implies) are meant to pass into a system unnoticed and conduct their nefarious purposes in a similarly invisible fashion.  Trojans can have a variety of purposes- most of which involve the unwitting puppeting of systems for nefarious purposes- but all share this "stealth" aspect in common.


 * Keyloggers - Probably the most common tool of these naughty men is the "keylogger". It's both a sub-variety of Trojan and part of a broader "hacking" strategy called Phishing.  Keyloggers are little bits of invasive code that are designed to quietly and discreetly invade your computer without your knowledge. Once the Keylogger is in your computer, it lays dormant and silently keeps a log of everything you type.  Presumably, sooner or later, you're going to enter some username/password information, and the log will record it. These logs are sent (just as discreetly) of course typically to the person who infected you and by a bit of reading, they glean secure information from them, then take your account or whatever else they can by way of them.


 * Keylogger URLs - A keylogger alone is just a piece of viral code. It needs a vector of transmission to reach your computer.  URL stands for Universal Resource Locator, it's that odd string of text you may call a "website address" typically beginning with the prefix "http://".  A Keylogger URL is a link leading to a bogus site which contains the bit of viral code that makes up the Keylogger as well as a bit of script (usually javascript) which clandestinely "injects" the keylogger into your machine without your knowledge.  These bogus sites of course appear to be normal web pages, but behind the appearance is the purpose: to infect your machine.  You need only visit one of these sites and you can contract the keylogger from it without ever knowing it happened.


 * (Website) Script - It should be noted that the same sorts of scripts that can be used to infect a computer with a Keylogger also find legitimate uses in Website design. Part of what this means is that most Web Browsers (Internet Explorer, and even Firefox) by default allow these script to run, regardless of the risk.  The other part of what this implies is that in order to negate that risk, you must also negate the ability for legitimate websites to run script.  There are certain approaches to safely browsing using scripts that involve "white-listing" sites that are deemed "safe" by the user and "black-listing" all other sites by default- allowing the user to choose what websites are allowed to run script through their browser- but any way you slice it, browsing safely means a certain degree of inconvenience for the user.


 * Chinese Keylogger Zombies (Stolen Accounts) - This is my own colloquial term for the posters making bogus posts with infected URLs in them. The "Keylogger" part seems pretty obvious, so let's look at the other two words. I call these posters "Zombies" because they are themselves, stolen accounts- accounts stolen by one or more of the same means I am discussing here. Think "Invasion of the Body Snatchers". These folk are sorta like the WoW version of Pod People- being puppeted by the thief who took the account. Now to the question of why they're Chinese. Well, if you look at the sites these Zombies spam, they sometimes have a ".cn" somewhere near the end of the URL string. This is the extension for sites that originate out of China. Early on, before they started getting smarter, this was an easy way to identify a URL that most likely contains a keylogger.


 * Spoofing - Another sub-stratagem of Phishing, this scheme involves faking the domain name or identity of a popular and usually widely trusted site such as YouTube, or IGN and attempting to use that "street cred" to gull people into a false sense of security. As with bogus login pages, these can be spotted for the counterfeits they are, but only to someone who knows what to look for, and more importantly, takes the time to look- such "spoofs" will nearly alwasy be slightly... off in some way (a letter added or two letters transposed or replaced) since no two domain names can be perfectly identical.  It only needs to look close enough to the original to do the trick.


 * Bogus Forum Posts - There's such a variety of these that it's difficult to summarize, but the basic premise of a bogus forum post is getting you to think it's something else (most commonly pictures of naked women, free beta keys, pictures of a popular raid on Halaa, and so on) long enough for you to visit whatever URL it contains and become infected by a Keylogger without knowing it. If it seems "too good to be true" it probably is.


 * Bogus E-mails - If you're in the habit of passing out your e-mail address (in particular in WoW-related venues, such as the Official Forums), be aware that your Account Thief friends are watching. They will scan the forums for such bits of contact information and then you will start getting e-mails.  Some claim your account is about to be closed, some claim to offer a free beta key to the latest expansion, but all will usually ask you to "verify your account information" via a login page they have most conveniently provided you in the e-mail.  The login page is itself, bogus, and of course only transmits your user info to the thieves, but most of these pages are done up to look very convincing- using official Blizzard graphics and all of that- there are ways to see the counterfeit, but they're hard to spot for the untrained eye, and of course require a certain presence of mind to look for.


 * Hacking/Compromising "Third-Party" WoW Websites - While Blizzard's Official Site for WoW obviously "spared no expense" with regard to security, and is locked down pretty damn tight, there are a number of "third-party" sites dedicated to WoW which are run on a much smaller budget, and are thus easier to compromise and turn to less-than-charitable ends. Such sites include Knowledgebases (such as Thottbott and WoWHead), Addon Distribution Sites (such as Curse Gaming and IncGamers), and even Strategy Sites (like ElitistJerks or WorldOfRaids).  Not all, but many of these sites I happen to know have had problems with this.  They may have been hosting ads from an infected source, or hackers may have actually broken into the site and placed a viral code that was infecting one or more of the site's files.  The moral of this story is that while these sites will often claim to scan for viruses themselves, don't count on them to be your only line of defense.


 * Haste (Yours) - this as easily could be termed as something I like to call "compulsive clicking syndrome". It's the tendency for people to click a link or follow a URL without any thought as to what it might be or who may have put it there.  This can be caused as much by lack of knowledge of the risks as it can just by plain compulsive behavior.  "Ooh!  A link!  ~click-click!~"  People often say a lot of Keylogger posts are childishly simple in how obvious they are, but the fact of the matter is they really don't need to be subtle to work.  It certainly helps, but you'll still get a lot of bites without it.


 * Panic (Yours) - Some of the best tools for perpetrating account theft aren't highly technical or even especially sneaky. Get a person jittery enough and they'll start doing all sorts of things that they normally would not.  This goes even for especially intelligent or wary people.  You drop your guard for a moment, and they have you.  A fine example of this is that yours truly (author of this near-paranoid missive about avoiding account theft) was gulled when he got an e-mail stating his WoW account was about to be closed under suspicion of gold selling.  I panicked, and next thing you know I was entering account information into a bogus login page without even thinking.


 * Excitement (Yours) - Just as panic alters perception and behavior, so too does excitement. Have you noticed lately that with the Wrath of the Lich King Expansion the amount of Keylogger posting activity and bogus e-mails has been on a sharp rise?  This isn't a coincidence.  And it's a common conceit among people on the forums and elsewhere that only stupid people fall for scams and Keyloggers.  This is perhaps half-true: excited people are often "dumber" than they might be otherwise, and easier prey for simple tricks and schemes- but they may be quite intelligent given other circumstances.

=The Forums (and Keeping Your Account Information Safe while Browsing Them)= As I'm sure some of you will know, even if you don't participate in it directly or often, the WoW official forums are vast with many people posting all sorts of topics, some of them about the game, and probably as many, if not more, not about the game, or loosely related to it. URL Links have been passed around those forums since their inception, and for the most part, many of those things linked are innocent enough. But because of the amount of money and business involved in WoW, less scrupulous individuals seek to use the forums as their own tool for perpetrating Account Theft against it's denizens.

=Appendices= Herein are contained a number of informational archives on the subject of Keylogger posts. Much of this has been gathered by observations and pattrns seen while browsing the forums. It is kept both for posterity and for reference and will be updated as new information becomes avaialable.

Appendix A: Typical WhoIs Profile for a Bogus URL
Domain Name..........  Creation Date........ 2008-09-07 12:40:07 Registration Date.... 2008-09-07 12:40:07 Expiry Date.......... 2009-09-07 12:40:07 Organisation Name.... Star Co.Ltd Organisation Address. Star Street Organisation Address. Organisation Address. GuangZhou Organisation Address. 100000 Organisation Address. XJ Organisation Address. CN Admin Name........... Zhang ShanShan Admin Address........ Star Street Admin Address........ Admin Address........ GuangZhou Admin Address........ 100000 Admin Address........ HK Admin Address........ CN Admin Email.......... fg@gmail.com Admin Phone.......... +86.102322111 Admin Fax............ +86.102322111 Tech Name............ taian liao Tech Address......... nn Tech Address......... Tech Address......... Nanning Tech Address......... 510031 Tech Address......... GX Tech Address......... CN Tech Email........... agent10782@agent.dns.com.cn Tech Phone........... +86.7714922224 Tech Fax............. +86.7714916049 Bill Name............ taian liao Bill Address......... nn Bill Address......... Bill Address......... Nanning Bill Address......... 510031 Bill Address......... GX Bill Address......... CN Bill Email........... agent10782@agent.dns.com.cn Bill Phone........... +86.7714922224 Bill Fax............. +86.7714916049 Name Server.......... ns2.dns.com.cn Name Server.......... ns1.dns.com.cn 

''Note: all the bolded CN's and other indications of Chinese origin. Also know that the Domain name (which is removed from the above text contained no outwardly obvious evidence of Chinese origin- it was a regular .net or .com, but it's WoIs rather obviously shows where it came from.''

Appendix B: Commonly-Used Single Thread Titles for Bogus Posts
This is a historic list of Titles used for Single-Thread bogus posts containing Keyloggers. They do change from tiem to time, but are often used and reused. Each Title has a parenthetical notation of it's probable "style" either "lost-in-translation" or "copypasta". It can be safely assumed that any post on the official forums bearing any of these titles is about 99.9% positively a Keylogger post. I will continue to add to this list as more titles come into use.


 * "Most fun with Kazzak since Reck Bomb (video)" (Copypasta)
 * "Huge Alliance Raid on Halaa (w/pics)" (Copypasta)
 * "The real AP IRL picture thread!" (Copypasta)
 * "hello, I am the ret" (Copypasta)
 * "Sex girl" (Lost in Translation)
 * "do any of you show your naked wife pics to ot" (Lost in Translation)
 * "Some of my teacher's naked pics" (Lost in Translation)
 * "my sex teacher" (Lost in Translation)
 * "Hey Kalgan, we're fine" (Copypasta)
 * "FREE BETA KEY" (Copypasta)
 * "Naked Woman Caught By Satellite" (Lost in Translation)
 * "After school lezzies" (Copypasta, sadly)
 * *NEW* "i am a sexy model." (Copypasta)
 * *NEW* "We Are Not Much Into WoW" (Copypasta)
 * *NEW* "Kylie Minogue - Wow (Original Edit)" (Copypasta)
 * *NEW* "World of Warcraft Girl Rants: Alliance" (Copypasta)
 * *NEW* "Drunken Dwarf Milita Recruiting for WotLK" (Copypasta- mimicking a Guild Recruitment post)

Appendix C: Common "Blurbs" used to Mask Bogus Post-Responses
Just as Single Thread Keylogger posts share a fairly common set of titles, so too do the typically-vague "blurbs" of text used to mask the malefic nature of Keyloggers posted in response to already-existing threads. This is a short list I've compiled that I will add to as I see more of them. If a URL is seen preceded by one of these, it's a good chance it's a keylogger.


 * "This is a joke, right?"
 * "That's a good idea"
 * "just beautiful!"
 * "It's too good to be true!" (my personal favorite)