Social Engineering, the Past, and a Browser-based Game

I used to be a big gamer, playing mostly online multi-player games. When I started high school a friend of mine showed me a browser-based game, let's call it game X. (I don't want to name the game as some of my memories are not exactly held in good taste.) The game (mostly click-based) wasn't much fun and couldn't hold my attention for more than 10 minutes at a time. However, what did find my attention was various ways to exploit both the game mechanics and community. I was young, and mischievous.

Another friend helped me discover various loopholes through which we could gain in-game money. Since account registration was free and through email, we were able to make many game X accounts by registering many Hotmail or Yahoo email accounts. This was before CAPTCHAs were widely implemented so a simple AutoIt script did the job. We created a guild/clan/group or whatever and registered our bot accounts to it. (A pre-historic botnet if you will...) We created categories which corresponded to days of the week. Each day we would log into the bot accounts and claim free items and generate fast cash. Once the individual accounts generated enough cash they would purchase popular items from master accounts selling them for above-market prices. The master accounts would gain the money and the bot accounts would eventually amass a stockpile of popular items which they would legitimately sell and turn the profits over to the master accounts in a similar fashion. However this was small scale.

We thought by using the market to transfer funds we would fly under the detection of the game X admins. Who cared that all the bots could be found in one guild/clan/group? We only wanted to avoid sending cash from one account to another. Eventually, we found a clever ploy that would generate an exponential amount of cash, without using bots. We had been raising the selling price of the items used to transfer cash by a digit. So if the current market value was 650, we would sell them for 6500, having it seem like we meant 650, but accidentally added a trailing zero. It turned out that other users were using our shops, had not noticed the trailing zero, and accidentally purchased the overpriced items. Then they sent us in-game messages describing their mistake, and asking for the money back. Fat chance.

We immediately ran to the drawing board. How could we trap more users into making the same mistake? With a bit of testing we found a way to exploit a time-of-read bug. We would list a ton of popular items for low prices, then immediately change the price (appending a zero to the end). This way those searching would see the low price listing, and in haste navigate to the shop and purchase the item without checking the updated price. (Know that the updated price was visible on the actual shop.) For example, there are tons of users with item Y selling for around 650; we would sell ours for 600, and have about 30-100 of them too (very appealing); it would take about 2-3 seconds for the item to be indexed, then we'd change the price to 6000. Those acting in haste would even purchase multiple Ys.

We were able to improve the scam by adding design elements to the shop. The game included mechanics which allowed a user to include messages, images, and a bit of markup to better sell their wares. Our goal was to make the price change more innocuous. Step 1, add a ton of animated gifs to distract the user; Step 2, stack the gifs down the page so it takes them a while to reach (scroll to) the item; Step 3, change the background color to match the font color. Lastly, we reduced the amount of items we'd sell at a given time to increase the fever generated when customers saw the low price.

Using this scam with the aforementioned mechanics we were able to generate millions of in-game cash, allowing us to buy multiple of the most valued items in the game.

And it doesn't end there. As we noticed the fluctuation in market value for item Y (since we were constantly monitoring the prices to adapt our scam), we noticed how easy it was for us to affect. The next scam involved using the forums built into game X. But before that we 'invested' our 'hard-earned' money into obscure item Z, such that the only remaining sellers listed their prices in the tens of thousands. Then we would (using the massive amount of bot accounts) distribute the item Z amongst our accounts and create similar listings for tens of thousands. Finally, using the forums, we would create chaos around item Z, causing users to purchase them from our bots. Little did they know.

Recently I returned to game X to see how things had changed. I tried my hand at a few new scams but found that they were rendered obsolete by various cheat engines and trainers floating around on various off-site forums. Game X had also reduced the amount of markup available for user shops, including the black text on black background combo. However, a time-of-read bug was still prevalent using the in-game trading system. (Diablo 2 called, they want their scams back.) And now that I'm familiar with screen scraping, I found it very easy to mechanize the game using short scripts. As a proof of concept I (manually) created 50 accounts and had each one generate about 500,000 in-game cash. They were all soon banned, go game X admins! I sent them a few emails detailing how they could have stopped me sooner, and how they could prevent the trading scam, but they got me in the end so I guess they're better off now than when I was in high school. The account I used when we first scammed is still active. :) I just can't remember the password.
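
One server-side guard against the stale-price purchases described above, as an added example that is not part of the original post and not game X's code: the purchase request echoes the price and listing version the buyer was shown, and the sale is refused if either has changed. The `Shop` class, its method names and the review thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

REVIEW_WINDOW_S = 60   # assumed: edits this soon after listing get scrutiny
REVIEW_RATIO = 5       # assumed: price multiple that triggers a review flag

class PriceChanged(Exception):
    """The live price is not the price the buyer was shown."""

@dataclass
class Listing:
    price: int
    listed_at: float
    version: int = 1
    flagged: bool = False

class Shop:
    def __init__(self):
        self.listings = {}      # live data, edited by sellers
        self.search_index = {}  # stale snapshot that buyers search
    def list_item(self, lid, price, now):
        self.listings[lid] = Listing(price, now)
    def reindex(self):
        # The index lags behind live listings; that lag is the window being abused.
        self.search_index = {k: (l.price, l.version) for k, l in self.listings.items()}
    def change_price(self, lid, new_price, now):
        l = self.listings[lid]
        # Detection: a large jump right after listing matches the append-a-zero pattern.
        if now - l.listed_at <= REVIEW_WINDOW_S and new_price >= l.price * REVIEW_RATIO:
            l.flagged = True
        l.price, l.version = new_price, l.version + 1
    def buy(self, lid, shown_price, shown_version, balance):
        l = self.listings[lid]
        # Mitigation: the client echoes what it displayed; any mismatch aborts the sale.
        if (l.price, l.version) != (shown_price, shown_version):
            raise PriceChanged(f"now {l.price}, buyer was shown {shown_price}")
        return balance - l.price  # buyer's new balance

def demo():
    # Constructed scenario from the post: list at 600, index, then 6000 two seconds later.
    shop = Shop()
    shop.list_item("y1", 600, now=0.0)
    shop.reindex()
    shop.change_price("y1", 6000, now=2.0)
    try:
        shop.buy("y1", *shop.search_index["y1"], balance=10_000)
        return "sold", shop.listings["y1"].flagged
    except PriceChanged:
        return "refused", shop.listings["y1"].flagged
```

The refused buyer can be shown the current price and asked to confirm again; the flag only queues the listing for moderator review and does not block ordinary repricing.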