The Day I Got Myself Hacked

I think everyone needs an opportunity to be the victim of their own earth-shattering stupidity. It’s a great learning experience.

On the eve of my eighteenth birthday (many years ago), I was hanging around in my free-to-play MMO of choice. I was relatively well respected on my server. Not super famous, like the 13 year old Israeli kid who was the highest level person in the game and once asked me to hold his farming spot because he had to hide from bombs. But people sort of looked up to me. Random, awe-inspired whispers were pretty normal.

One day I got a whisper from a low level person. He said he was looking for people to test out this new game he was playing, especially awesome people like myself to be Game Masters.

I didn’t really care to be a Game Master, but hey, I’m an agreeable person and I was curious about his game, so I started talking to the stranger.

Now, as an adult (and a programmer) this is already sounding fishy. Average people don’t just make MMOs, nor do game makers go around asking strangers to police their worlds. But I was young and naive.

I gave the stranger my MSN handle (ah, MSN). He told me a little (suspiciously little) about his game. The most notable thing was that it was similar to the one I was playing at that very moment.

A few hours into the conversation (I’m surprised it took him this long), he sent me the game file. Except, this isn’t a story of how I play tested the next big thing, this is the story of how I got keylogged. So I clicked on the file and installed.

Well, I tried to at least. My computer kept popping up with a warning I had never seen. A Trojan? Like the horse? What does that even mean? This isn’t something bad, it’s a game.

I asked my new friend for advice. He said this is something that normally happens, a bug, and all I needed to do was tell that popup to ignore the threat. I was determined at this point, and I could not fail now, not at installing a game. Even if I didn’t know much about computers at this point in my life, I knew how to install programs.

A little black console window popped up. I didn’t really know what this was, but I’d seen my dad use it before. This is probably normal for games that are still being tested.

At this point I imagine the stranger was cackling like an evil genius. So many had outwitted his social engineering, so many had not ignored their computer’s warnings. But this one was special.

Apparently the game didn’t work on this computer, he said. “Do you have any other computers in the house to try it on?” Why yes, I had my parents’ computer. A brand new machine with mystical things like a graphics card and a firewall. I swapped over.

I didn’t have admin privileges on my parents’ computer, so I asked my dad if he oculd log me into that account. He did (why not, I had been good at installing programs before). Another computer warning popped up, this time with more information and more red. I followed my new friend’s instructions and tried to ignore the warning, but it was more difficult this time. My friend said we should try again later.

A few hours later, back on my own computer, he reappeared. He pasted a snipped of conversation into the chat box. Something I had written, except it looked a little different than a straight up chat log copy-paste. Does his MSN just look different than mine? What’s the point of that? Then he explained it to me. My computer was infected with a keylogger. Those lines of conversation weren’t taken from MSN, but from the program that was recording all my keystrokes and sending them to him.

Ah, I had heard of keyloggers before. He posted my game account name and password into the chat. So this was how it all ends.

I was scared. My parents were going to be so mad at me. I changed my password, knowing that it would be ineffective. I remember staying logged into my character in that game, talking to my best friend over TeamSpeak. I didn’t want to type anything into chat, because I knew he was watching. But maybe if I stayed logged in, he wouldn’t be able to break into my account. I went to bed late that night.

In the morning, the day of my eighteenth birthday, I told my parents what I had done. They didn’t get angry, my dad just quickly took over damage control. Apparently the keylogger had successfully installed on their computer, but the stranger hadn’t used it very well. I think he had logged into my dad’s email and tried to change some things, but never changed the password. Somehow my dad took care of all that, and fixed everything. I don’t think I realized how bad that situation could have been, if the stranger actually knew what he was doing.

The only thing left to take care of was my game account. I logged in. He hadn’t changed my password, though that was likely intentional. What I found was my naked character, with not a single coin to her name. At least this time I wasn’t taken by surprise.

Then he whispered me. You see, he had a plan, a goal. He wasn’t in it for the money. He was in it for the blackmail.

Power level my character, or else you’ll never get your gear back.

Wait, so you don’t want to steel my father’s bank account or destroy the household computers through chaos. You want some digital slave labor? Um, no thanks. I’ll just talk to a GM.

In this game, you could actually add GMs to your friends list. If you had a problem, you whispered them. My whole guild was whispering them that morning, reporting my hack. I was too scared and embarrassed to report it myself, but they weren’t.

I spent that day waiting for a GM response. My guildmates stopped their normal activities and stayed with me. They bought me peasant clothes so I wouldn’t be naked, and a mount so I could travel around.

Eventually, feeLz the GM whispered me. Yes, his name was feeLz. He banned the person who stole my account, then teleported me and the two friends who were waiting with me to a large empty room. There he gave me instructions to prepare for an influx of my stolen gear.

I think he meant I needed to delete everything in my inventory, including my new peasant clothes, but it didn’t come across that way.

Everything that was stolen was returned, the bad guy got punished, and my parents didn’t have their identities stolen. All ended up well, though I imagine that getting socially engineered, as the first thing I did as a legal adult, did not set the best precedent for the rest of my adult years. But I did learn three important things.

  1. Don’t trust strange people on the internet
  2. with strange executable files, and
  3. even smart people can be socially engineered.