These Are Not the Keys You Are Logging For
In the ten years I've been playing MMOs, there has been one thing I've never done. I knew of its existence, but I generally made a point to avoid it. Friends talked about it, and some even tried it themselves. So last week, I finally gave up my inhibitions, took the plunge, and did what so many others before me had done.
I got hacked.
This was, of course, unintentional on my part. It also contained not just one, but two delicious twists of irony. The first twist was that I had ordered an authenticator at the beginning of the week "just in case." Naturally, I got hacked the day before it arrived in the mail. The second twist? A while back, someone suggested that I write a column to raise awareness about keylogging and other forms of account hacking, and I thought to myself, "Why? It's pretty cut and dry. Don't be stupid, and you'll be just fine."
The joke's on me, now. I believed a lot of the common myths about getting hacked, and had deluded myself into believing that I was shielded by a protective bubble. A few weeks ago, I even teased a few of my friends who got hacked because they fell for a fake StarCraft II beta invite. Luckily, they didn't tease me back - too much.
The most common misconception about getting hacked is that it won't happen to you. This was my greatest sin in getting keylogged; after all, I'd had a perfect record for ten years and thought I knew it all. Go back in time to last Wednesday, when just before a raid, I decided to go update my add-ons. I know better than to download add-ons from untrustworthy sites, especially when they come in the form of executable files. Nonetheless, there I stumbled off to grab an add-on from its official site - except after having been overworked already that day, I made the tired mistake of thinking the site ended in .org instead of .com. Without a second thought, I downloaded the executable file and then ran it, only to stop a second later and realize I'd been duped by a blatantly fake add-on site. Although my initial scans for viruses and malware came up clean, I had a sinking feeling the saga wasn't over yet, and Friday my suspicions were proven right.
Thus was the greatest lesson I learned about keylogging: yes, it can happen to you. Even the meticulously careful can fall prey to a simple moment of carelessness.
If the misconception that you've conjured up an immunity to being hacked is the greatest, right behind it is the belief that anti-virus, anti-spyware, and anti-malware programs will protect you. Let's even ignore for the moment that hackers are always coming up with new ways and virus variants that may slip through the cracks of your avast! shouting at you "Virus database has been updated." The simple fact is, these programs will not detect 100% of the malware that can come through to your system. In my case, I ran three virus scans and seven anti-malware programs - even an anti-keylogger program. I ran three registry cleaners. Not a single one found the keylogger I knew was drifting around on my hard drive. What did find it was me running HijackThis and running carefully, line by line, through the code until I found something that I knew didn't belong: a .dll in a temp folder. In all the years of progress we've made with technology, for all the money these programs would charge you to protect your computer, this simple keylogger had to be found using the same method of finding and deleting viruses that we used before anti-virus programs were common among home users: a sharp eye and computer know-how.
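The line-by-line review described above can be partly automated. The following is an added example, not part of the original column: it walks a startup-entry log and flags any DLL or executable that loads from a temp directory. The sample log is constructed in the general shape of a HijackThis log, and every path and name in it is made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log (not from the author's machine); all names are invented.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe" /min
O4 - HKCU\..\Run: [updater] rundll32.exe "C:\Users\sam\AppData\Local\Temp\msx32.dll",Start
O20 - AppInit_DLLs: C:\WINDOWS\Temp\kbd.dll
O23 - Service: Example Service - Example Corp - C:\Windows\System32\examplesvc.exe
"""

# Section tag at the start of each entry, e.g. "O4 - ".
SECTION_RE = re.compile(r'^\s*([A-Z]\d{1,2})\s-\s')
# A drive-rooted path ending in a loadable binary extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:dll|exe|scr|sys)\b', re.IGNORECASE)
# Directory names treated as temp locations (an assumption of this example).
TEMP_DIRS = {"temp", "tmp", "temporary internet files"}


def flag_temp_binaries(log_text):
    """Return (section, path) for every binary that autoloads from a temp folder."""
    findings = []
    for line in log_text.splitlines():
        section = SECTION_RE.match(line)
        if not section:
            continue  # header lines, blank lines, anything that is not an entry
        for path in PATH_RE.findall(line):
            # Compare directory components only, skipping the drive and file name.
            dirs = {part.lower() for part in PureWindowsPath(path).parts[1:-1]}
            if dirs & TEMP_DIRS:
                findings.append((section.group(1), path))
    return findings


if __name__ == "__main__":
    for section, path in flag_temp_binaries(SAMPLE_LOG):
        print(f"review {section}: {path}")
```

A hit is a prompt for manual review rather than a verdict, since some installers legitimately run from temp folders for a short time.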
I certainly felt knocked off my pedestal after the incident. I had proven to myself two things: that I could make a tired mistake that would compromise my gaming account (and much more), and that all the protective software in the world wasn't going to be enough to find or fix it if it did happen. Not only was it easy to make a stupid mistake, it was a tiring process to fix it: from spending hours trying to clean my computer, to spending the same amount of hours recovering my account and putting everything back into place across several characters and a large guild bank. In truth, I was lucky it was only a WoW keylogger; much more important things could have been compromised, especially had I not been aware of my mistake from the moment it happened.
Should game companies be providing us extra protection? PIN systems are common among free-to-play MMOs, which use a secondary password that has to be entered via clicking on a scrambled image keypad. In western MMOs, secondary authentication is not so common. World of Warcraft takes a step in the right direction by offering authenticators, but their use isn't mandatory, and only the mobile versions are free. Neither of these methods is fool-proof, either, although it's doubtful there ever will be 100% protection against hackers outside of abstaining from the games in the first place.
Cyber attacks like keylogging continue to rise, per the 2010 CSO CyberSecurity Watch Survey. The survey finds what we can see in our own MMO community: attacks are becoming more frequent, more sophisticated, harder to detect, and aim to trick the receiving user rather than force themselves onto a computer. While the CSO report is broad-reaching, it still offers a very real warning: the art of hacking is evolving, and we need to evolve our protection systems along with it. It's also important to remember that what could just be a simple hack into your game account could develop into theft of not only your virtual goods, but your real goods and reputation as well.
One would hope that every MMO player would be smart enough to be careful what links they clicked, what files they downloaded, and what they used as their passwords. There are some that are still intentionally or unwittingly careless, some who are as gullible every day of the year as they are on April Fool's Day. Even if you take every precaution, you can still get hacked.
What can we do? Although nothing is a guarantee, you can take these steps to protect yourself:
- Think smart with your passwords. Don't use the same password everywhere, and make strong passwords. Change them frequently. Don't give them to anyone else.
- Be security conscious while web-browsing and reading your e-mails. Make sure you're on a trusted site before logging in or downloading any sort of software.
- If your favorite games offer secondary password protection, use it.
- Run at least one anti-virus and anti-malware program on your computer on a regular basis. There are free programs (avast!, Spybot, and Ad-Aware are most commonly known), and they don't take up much memory. There's no excuse not to at least take free protection, even if it's not perfect.
- If you do get hacked, report it. Don't just let customer service restore your account; give them the details on how you got hacked if you know (and it wasn't your little brother). Also report the incident to the Internet Crime Complaint Center if you're in the States, or to the appropriate agency in your own country. Most of these agencies take reports about spyware and keyloggers, as they are recognized methods of cyber crime.
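The "trusted site" step can be made mechanical by pinning the official domain once and checking every download link against it. This is an added example, not part of the original column; it covers the .org/.com mix-up and the executable-file warning from the story above. The reserved names example.com and example.org stand in for a real add-on site, and the official domain is assumed to have the simple form name.tld.

```python
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Extensions treated as directly runnable on Windows (an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd"}


def check_download(url, official_domain):
    """Return a list of warnings for a download URL; an empty list means none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    official = official_domain.lower()
    warnings = []

    # Trusted only if the host is the official domain or one of its subdomains.
    if host != official and not host.endswith("." + official):
        site_name = official.split(".")[0]  # "example" from "example.com"
        if site_name in host.split("."):
            # Same site name under a different ending, e.g. .org instead of .com.
            warnings.append("lookalike-domain")
        else:
            warnings.append("unofficial-domain")

    # Add-ons that arrive as executables deserve a second look wherever they come from.
    if PurePosixPath(parts.path).suffix.lower() in EXECUTABLE_EXTS:
        warnings.append("executable-download")
    return warnings


if __name__ == "__main__":
    # Constructed URLs for illustration.
    for link in ("https://www.example.com/addons/raidhelper.zip",
                 "https://example.org/downloads/raidhelper-setup.exe"):
        print(link, "->", check_download(link, "example.com") or "ok")
```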
The best advice, however, is just be mindful of what you're doing. As the old adage says, "If it's too good to be true, it probably is." Even if it's not 100% effective, it goes a long way to protect your virtual stuff if you follow some pretty simple guidelines. Be careful about teasing your friends, too. You don't want to give them any fire to burn you right back, do you?