I've been a big fan of the online RPG Mabinogi by Nexon NA. Like most online games, there has always been a problem with hackers. Ever since I first joined the game, botters have been a huge problem. I've known players who got their accounts hacked and lost everything. A friend of mine from Mabinogi sent me this in my e-mail. I thought it was so interesting, I couldn't resist sharing it. I was unable to determine its origin or who wrote it, but here it is.
Interview with a Mabinogi Hacker
What does a Mabinogi Hacker do?
Well obviously, I hack Mabinogi accounts and steal their valuable items. It's a profitable gig when you learn how to do it right.
How do you hack Mabinogi accounts?
It's pretty simple really, basic trojan techniques. I write a few obscure little cheat programs, mods, and utilities that make gameplay easier for players. Programs that make dyes easier to use are popular because they save the players real money, because they have to buy fewer dyes, which irritates Nexon to no end. *laughs* I release these mods on other people's websites and forums under various aliases, pretending to be fellow users of the software rather than its creator, so it's pretty hard to trace any of them back to me. After a few people try the mods, which work pretty well, they recommend them to other players and the program becomes self-distributing. After a few weeks, hundreds of people trying to cheat the game are using my mods. The funny thing is that they're really the ones getting cheated.
Inside these mods, I add a small keylogger of some kind. Those are easy to write. They take fewer than 100 lines of code and just a few hours to write. I also throw in a small function that'll transmit that data to an online database where I keep farms of information from hundreds of users' computers, all acquired this same way. When Mabinogi logs in, it communicates with many Nexon servers to authenticate your login information and ensure the game servers are ready. One of those many exchanges will be the mod sending me your keystrokes containing your login information, unencrypted, which you had just entered moments ago.
Do anti-virus or anti-spyware programs detect these exchanges?
That's where it gets especially amusing to me. Many mods are designed to run as part of Mabinogi and many users who have anti-virus software that would detect this already have Mabinogi set up on their anti-virus whitelists. That's why they are written that way! Hiding malicious code inside a file disguised as a trusted application is a staple of modern hacking. Still, most computers are not nearly protected enough because people have no idea what software actually works. Not to mention parents are too cheap to pay for good software, even if they did know which one works.
On top of all that, it gets better still. A kid could run Mabinogi after installing the mod and his virus protection might even prompt him with something like "This program is potentially hazardous! Run anyway?" And because the kid wants those mods to work, he is going to click 'yes'. It's really hilarious how easy it is.
Is that the only method for stealing passwords?
Amazingly enough, no! Trojans are merely the best method for getting large quantities of information quickly. There are other ways it can be done, but they are questionable in efficiency. They are infinitely more difficult to trace back, though. I once knew a guy who started a gaming forum. This was really early, back before such forums were common. He reverse engineered the login system so the forum software stored passwords entirely unencrypted. I guarantee you that half of his members who joined the forums used the same usernames and passwords on the game. It was incredibly simple and surprisingly effective. It is also nearly impossible to determine who did it. Doing this now would be difficult because starting new forums and getting enough people into them is a pain and barely worth it.
There are also a few assumptions hackers use to essentially guess a player's information. For one, the main character's name is most likely the account's username. The password is often some variation of the username. For example, if your character's name is "Pete", your username is probably "Pete" and your password is probably "p3t3" or something like that. People tend not to select proper login credentials and basically ask to get hacked.
What do you do once you have control of an account?
Once I have farms of stolen keystrokes in my database, I randomly log in to some of them every now and then to see who has what items that might be useful to me. I'm careful not to do this during peak hours. I also don't log in to an account I have very recently hijacked because that makes it too easy to figure out how it was hijacked in the first place. Accounts are normally stolen for weeks before I actually do anything with them.
I already have several mule accounts registered. So I have the stolen account, which I often call the jack***, send its valuables to my mules. I often repair and dye the items to make them difficult to identify. Then I have my mules sell them from player shops. I don't use the housing channel, because it's too easy to search up stolen goods and houses cost money while player shops are practically free. My mules are all reasonably disguised to not look like mules. This is how I make millions in in-game gold.
Do you use the gold you gain from selling stolen goods? If not, what do you do with all that gold?
Do you mean on a Mabinogi account of my own? I play the game just enough to know what's valuable and why. I steal information from all servers and cannot maintain a real account for myself on all of them, so actually using the gold myself is pointless. I also don't get too attached to an account of my own since I can get banned anytime I make a mistake and get caught. I do this because it's profitable to me, not because I want your silly in-game gold and items.
What I do with the gold is sell it to others for real money. You know those ad bots that stand around town advertising websites to buy gold for Mabinogi? There are many of them out there. These websites are either mine or sites to whom I provide gold to sell. This is what I'm really after, real money!
I'll tell you something else that amuses me to no end. Many of the people who buy gold from these sites are the same cheap players I hacked in the first place who are now trying to buy back all their valuable stuff. So it's really an endless cycle that ends with me being the only one making any money. All these people do is change their passwords and pray they don't get hacked again, while still using my mods. It's really pathetic.
Are you not worried about making people angry?
Frankly, not in the least. The only people who are vulnerable are the ones dumb enough to cheat in the first place. Which is why I think Nexon does nothing when a player gets hacked. They know as well as I do that they wouldn't have gotten hacked if they had played the game right. They deserve it. Besides, maybe I'm being too enthusiastic, but I like to think the honest players still outnumber the cheaters.
Personally, if you get hacked, you have no right to complain. If you install a mod that allows you to rip off Nexon or another player in some way, you are just as bad as I am. In the end, the first one who cheated is you. I just come along and cheated you back. So smile, take it like a man, and enjoy the game.
Why are you choosing to tell everyone now?
Well, it is all a game to me. After beating the same opponent a hundred times, you start wanting a challenge. I feel like I've won so many times that I can't help giving everyone a clue. Besides, I know not everyone is going to take what I am saying seriously. They're still going to use mods. They're still going to get hacked. They're still going to wonder why. I just want to see how many people smarten up and start playing the game right. Hate me all you want. I honestly don't care. I have no stake whatsoever in the opinions of hypocritical "cheated cheaters."