Hacking China’s online games for profit: an interview with a Chinese hacker
Chinese gaming portal Sina Games has run a fascinating piece on hackers who attack web games in China for profit. The full article is well worth your time, but for those who can’t read Chinese, a summary of the most interesting bits is below.
“PW”—that’s not his real name, obviously—has a secret life, kind of like a superhero (or perhaps a super-villain). By day, he’s the young prodigy manager of a legitimate software company, the guy who graduated a top Guangzhou college with a triple major and landed a high position at a reputable software firm. The guy whose friends call him a computer god. By night—well, by whenever he feels like it really—he’s a hacker, a member of a big hacker QQ group on China that produces all kinds of hacking tools and techniques.
PW says that many of the other members are similarly-gifted individuals, and that their interest in hacking is purely academic. They look down, he says, on those who use these tools to earn money. But at the same time, he admits that the group he is a part of has created tools that other hackers have used to steal money. And one major target of those hackers: online games and gamers.
In fact, PW says online games are “probably the most valuable part of the Chinese hacking industry, and the division of labor and operations [around hacking online games] is already quite mature.” Hackers organize into small teams, with the most technically skilled hackers cracking into the databases of online games to grab account names and passwords. Less skilled hackers are in charge of sweeping whatever’s valuable out of the compromised accounts, and the hackers on the lowest rung of the team (who may not have any technical skills at all) are in charge of selling off the stolen armor, weapons, and in-game currency at cut-rate prices that the official game store cannot compete with. PW says these hackers, even the less skilled ones, can earn as much as 100,000 RMB ($16,000) a month.
Of course, there are other ways of making money from hacking, too. Some hackers use the access they gain to user accounts blackmail the users; others specialize in attacking competitors on the behalf of legitimate internet companies (including game companies).
Or they just sell the compromised data directly to whoever wants it. For example, PW told Sina Games that recently, one hacker had earned 5 million RMB (about $820,000) selling an online game’s entire database (and access to it) to a third party. PW says the third-party buyer can use this access to replace the game’s topping-up system so that when users add money to their accounts, it will be sent to him rather than the game developer. Obviously such a scheme would be uncovered fairly quickly, but with a popular enough game even a day or two of payments would be enough for the buyer to more than recoup what he spent buying the database.
And with China’s tech scene developing, and many computer-savvy youth looking for interesting jobs that pay well, interest in hacking is high. There are all kinds of online training courses, some of which are quite expensive, that exist to help Chinese youngsters turn themselves into hackers. “Little G”—again, not his real name—is one such character.
Little G got into China’s hacking industry about three years ago, and unlike PW he’s not in it out of any lofty academic interest, he’s in it for the money. “I took four or five [hacker] training courses,” he says, and although the first few were scams, eventually he learned. Then he linked up with a local group through an acquaintance.
Little G says that rather than just draining the accounts of people they hack, they often follow their spending habits, and then create programs that mimic them, taking just a few RMB at a time. This way, it may take users quite a while to notice anything is amiss, and when this approach is spread out across hundreds or thousands of users, the income it can generate for hackers is still quite large.
Part of the reason this kind of hacking is so profitable is that China’s internet security consciousness is weak. Many Chinese companies cut corners when it comes to security, since having good security is a significant cost, but it isn’t something that customers can see, or that will generally cause customers to choose one game over another (when was the last time you looked carefully at how your favorite online games secure your information?).
And China’s internet users, many of whom are relatively new to the web, don’t have a high level of security consciousness, so even when a web service includes high-end security features like two-step authentication, customers don’t always make use of them. Many also use the same accounts and login data for multiple services—one man quoted in the article woke up one morning to discover his QQ had been hacked and realized that that account would give the hacker access to his other social media accounts and his online payment account.
Long story short: China’s online gaming environment is very profitable, but it’s also very vulnerable, and more often than not, it’s Chinese gamers who end up paying the price for the lax attitudes of game developers and publishers toward security.
(via Netease Games)