Gold Sellers - I Summon All Those Knowledgeable To This Thread

Publius_Scipio
Gold Sellers

1.) Are they real people sitting there for hours spamming or bots?
2.) Their website is designed to steal credit card information?
3.) How did they infiltrate ESO so quickly and at such a high population?
4.) Do they actually purchase a copy of the game solely for selling gold and not playing?

Thanks.

The reason I ask is because ESO is my first real deal massive ORPG. My only other experience that would come close would be Diablo 1 when I was on the Battle.net (or was it Blizzard.net?, around 1999-2000) chats where spamming was going on. Can't remember if gold selling was viable back then though.
Edited by Publius_Scipio on April 2, 2014 4:01PM
  • shinkicker444rwb17_ESO
    1) Can be automated or manually done; there are warehouses in Asia where people are paid to sit there and spam/farm gold. It's a pittance they get too, for like 12-hour shifts; gold farmers usually have to meet a quota too.

    2) some probably do, dunno never been to them. It's a horrible practice.

    3) They buy a large range of accounts or use hacked/stolen/sold accounts; also games in places like China are quite cheap, I think.

    4) yes. Selling and farming.
    Edited by shinkicker444rwb17_ESO on April 2, 2014 3:57PM
  • caschotchb14_ESO
    1. Usually both actually.
    2. The website doesn't normally steal information; it's the people that pay for the 'rush to endgame', where they hand over login information and passwords, that get their stuff stolen.
    3. Every AAA MMO will have gold sellers buy the early access to have their toons in game as soon as possible farming gold and selling said gold. Never fails.
    4. I would assume both. 1 account to farm the gold that way they get a high enough level toon to farm ever increasing amounts of gold to sell. 2nd account to advertise said selling of gold that they know will get banned, then they just keep buying a new 2nd account or stealing one.

    In all honesty just be a good citizen and report every single one of these guys. It's the only way that we will keep it clean...
  • Aylasa
    I haven't actually found a stable way to farm gold in ESO, so I'm fairly impressed that they've already expanded so much in such little time.
    And disgusted.
  • Sillyfish
    In most online games, including WoW, a huge margin of the gold purchased from sites (we're talking 95% or more) is stolen gold from compromised accounts.

    There are still games where there are 'Chinese farmers', but in most MMOs it is not feasible to farm, and so they have resorted to theft via stealing account info to fund their business.
  • zamiel
    4. I would assume both. 1 account to farm the gold that way they get a high enough level toon to farm ever increasing amounts of gold to sell. 2nd account to advertise said selling of gold that they know will get banned, then they just keep buying a new 2nd account or stealing one.

    That's why DDO started the practice of banning the farming accounts as well. Works surprisingly well, probably that's the game I saw the least amount of gold sellers.
    First one is obviously EVE - any ISK seller there is obviously fake and will steal your cc info.
  • Tavish
    The best way to kill a gold farmer/spammer/reprobate is to not use their "service".

    Even one player succumbing to the "allure" of a quick level 50, or a quick influx of gold, or a quick booster to skill leveling perpetuates the practice of gold spamming.

    Trust no one. Do the work yourself. Slow down and enjoy the content.
    Keeping the sweet rolls safe since 22 Nov 2013.
  • Publius_Scipio
    Wow, this is insane, I really had no idea. We are literally talking about games and there is real world crime and child labor farms involved.
  • shinkicker444rwb17_ESO
    Sillyfish wrote: »
    In most online games, including WoW, a huge margin of the gold purchased from sites (we're talking 95% or more) is stolen gold from compromised accounts.

    Often because people browsing unsafe or community sites that get their ad service compromised to install a key tracker to collect that info, email as well. But all they need is your account name to try and brute force guess the PW, getting your email makes it easier still, and if they get the PW you're boned.
  • zamiel
    Often because people browsing unsafe or community sites that get their ad service compromised to install a key tracker to collect that info, email as well. But all they need is your account name to try and brute force guess the PW, getting your email makes it easier still, and if they get the PW you're boned.
    Lol? No one bruteforces a password, sorry. If you have a long password - say 10-12 characters long - it's highly unlikely anyone will successfully brute force it, it would take years.

    Note - that password doesn't even have to be particularly strong. 12x a lowercase 'a' is just as hard to crack as 12 special characters. So yes, if you are not careful, your pw will get stolen anyway, no matter how 'secure' your pw is. For everything else - the longer the password the more unlikely anyone will ever crack it.

    Edited by zamiel on April 2, 2014 4:14PM
  • HandofBane
    Sillyfish wrote: »
    In most online games, including WoW, a huge margin of the gold purchased from sites (we're talking 95% or more) is stolen gold from compromised accounts.

    Often because people browsing unsafe or community sites that get their ad service compromised to install a key tracker to collect that info, email as well. But all they need is your account name to try and brute force guess the PW, getting your email makes it easier still, and if they get the PW you're boned.
    There is no real need to brute force it, social engineering and a bit of phishing works wonders. Ever wonder why you keep seeing those poorly spelled emails telling you that your account is compromised and you need to log in through it? Because some people are stupid enough to believe it and reply to them.

    All that said, the solution to dealing with gold farmers is not just banning their accounts, but banning the buyers when they are found/caught. Once word spreads that buyers put their accounts directly at risk, gold buying plummets and the sellers have no reason to waste nearly as much time spamming/farming. A lot of companies are afraid to do this, but it has worked well for those who do (see: Frogster's Runes of Magic for an example).
  • shinkicker444rwb17_ESO
    Perhaps, but PWs around 10 letters in length can be broken in less than a day with publicly purchasable systems.

    Not saying they need to brute it, just that they can if they feel the need, which they often don't.
    Edited by shinkicker444rwb17_ESO on April 2, 2014 4:21PM
  • Sillyfish
    zamiel wrote: »
    Often because people browsing unsafe or community sites that get their ad service compromised to install a key tracker to collect that info, email as well. But all they need is your account name to try and brute force guess the PW, getting your email makes it easier still, and if they get the PW you're boned.
    Lol? No one bruteforces a password, sorry. If you have a long password - say 10-12 characters long - it's highly unlikely anyone will successfully brute force it, it would take years.

    This is correct. People get their PC compromised with malicious software that records their activity and keystrokes. That is the number one cause of account compromise.

    The second is most people have one email address they use for everything. So when the person signs up to a gold selling site to purchase some gold, they use the same email address and quite often the same password that they use for the email itself during registration. Hell, sometimes they'll use the same password on multiple things, including their game account.


    You will often get people saying that they're tech specialists and computer security wizards and it's simply not possible for their machine to be compromised and it must be the game server that's been 'hacked'. I have been gaming online for more than a decade and I can count the instances of this actually happening in games that I am familiar with (and I've played every MMO of decent size that's available on the market) on two fingers. And both times it wasn't the account information that was accessed, but the credit card details that were compromised.

    The bottom line is that if your account was compromised, it was due to something you did.
  • 7788b14_ESO
    They also buy gold from players to resell.
  • kickamyassa_ESO
    Gold Sellers

    1.) Are they real people sitting there for hours spamming or bots?
    2.) Their website is designed to steal credit card information?
    3.) How did they infiltrate ESO so quickly and at such a high population?
    4.) Do they actually purchase a copy of the game solely for selling gold and not playing?
    1. Pretty much what everyone has said, it's both.
    2. There are plenty of legit sites, the more they spam the more it makes you wonder. You have people that might create a "gold generator" so you download a program that doesn't do anything and could be a keylogger. You have people that might steal your items in exchange for gold you never receive and then there is the fact that it's profitable.
    3. Not everyone will report bugs during beta and people find methods of exploiting games.
    4. If you had a profitable business, it would only make sense to buy multiple copies to make more profit, they have to play to make the gold.

  • zamiel
    Perhaps, but PWs around 10 letters in length can be broken in less than a day.
    I seriously doubt that. With brute force even a standard ~60 key pw crack would take ages. Every time you will have to wait for the result and it takes a long time (from a computer's point of view). Running a brute force crack - for example a rar password - is rather slow as well and it's on your own machine not in a distant server. For reference a 5 character password takes 5 hours. 6-300. 7-18000, etc. It's unrealistic to expect that you'd live to brute force crack a 10 character password.

  • Sakiri
    Sillyfish wrote: »
    In most online games, including WoW, a huge margin of the gold purchased from sites (we're talking 95% or more) is stolen gold from compromised accounts.

    There are still games where there are 'chinese farmers', but in most MMO's it is not feasible to farm, and so they have resorted to theft via stealing account info to fund their business.
    And contrary to popular belief, WoW's main way of account hacking these days includes gold sellers buying or stealing fansite user databases.

    People are stupid enough to share login between the two and they'll attempt login that way. If it works they clean you out.
  • Sakiri
    zamiel wrote: »
    Often because people browsing unsafe or community sites that get their ad service compromised to install a key tracker to collect that info, email as well. But all they need is your account name to try and brute force guess the PW, getting your email makes it easier still, and if they get the PW you're boned.
    Lol? No one bruteforces a password, sorry. If you have a long password - say 10-12 characters long - it's highly unlikely anyone will successfully brute force it, it would take years.

    Note - that password doesn't even have to be particularly strong. 12x a lowercase 'a' is just as hard to crack as 12 special characters. So yes, if you are not careful, your pw will get stolen anyway, no matter how 'secure' your pw is. For everything else - the longer the password the more unlikely anyone will ever crack it.

    They don't need to when the lazy or forgetful use their b.net email and pw to register for a fansite or guild hosting site.
  • shinkicker444rwb17_ESO
    It's what I read in a journal article for university end of last year to do with cyber security.

    Eh, I just like this comic to sum it up. And I'm off to bed since it's 3am.

    https://xkcd.com/936/ <- apt for topic, worth a look. It's also pretty accurate.

    Besides most people are lazy asses with PWs, which are easy to break because they are commonly used. Go look up a list of common PWs it's hilarious.

    Just did a quick google, but couldn't find what I was looking for, but did find this from last year.

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
    Edited by shinkicker444rwb17_ESO on April 2, 2014 4:37PM
  • zamiel
    They don't need to when the lazy or forgetful use their b.net email and pw to register for a fansite or guild hosting site.

    I can only congratulate for that. I also do not know why a fansite is allowed to see passwords. Passwords should be stored encrypted and it should be enforced by law. There's no reason to see a user's password.
  • redcrowley
    My answer to question #4.....it's a long one, so if you have a short attention span, stop here.

    First, a bit of context: I pre-ordered my imperial edition physical copy from Gamestop using Paypal. Imagine my surprise upon completing my order and it tells me I will not be charged until the game ships. Imagine my secondary surprise when I receive my early access code.

    So, I have yet to actually deliver my money for the game, but I am able to play. Of course when the game ships I will be charged and all will be right, but as far as gold spammers go this enables them.

    If a gold selling company made a game purchase the same way I did and saw the basically free way of getting an early access code, what would they do? Order a ton of copies then remove the money from their account so they are never charged and the game never ships.

    Going out of order here, but the above also answers question #3.

    Let's continue going backwards here and answer question #2. Clearly if they were able to create so many early access accounts using the above method, they will need accounts after early access. So yes, many of these websites are either trying to steal your CC info or your account. It enables them to continue the zero investment process after launch.

    Question #1 does not even matter, but let's just assume they are all bots. Why would an operation like this waste human time spamming.
  • kickamyassa_ESO
    zamiel wrote: »
    Perhaps, but PWs around 10 letters in length can be broken in less than a day.
    I seriously doubt that. With brute force even a standard ~60 key pw crack would take ages. Every time you will have to wait for the result and it takes a long time (from a computer's point of view). Running a brute force crack - for example a rar password - is rather slow as well and it's on your own machine not in a distant server. For reference a 5 character password takes 5 hours. 6-300. 7-18000, etc. It's unrealistic to expect that you'd live to brute force crack a 10 character password.
    Maybe if you are using your cpu, most of the bruteforcing done now is with gpus and that is after they gained the encrypted passwords. It all depends on the site and if they even bother with encryption. Because hey, security through obscurity means no one is going to get your password if it's left in plain text on a server somewhere (*cough* Sony *cough*).

    Edited by kickamyassa_ESO on April 2, 2014 4:50PM
  • Sakiri
    zamiel wrote: »
    They don't need to when the lazy or forgetful use their b.net email and pw to register for a fansite or guild hosting site.

    I can only congratulate for that. I also do not know why a fansite is allowed to see passwords. Passwords should be stored encrypted and it should be enforced by law. There's no reason to see a user's password.

    Because encryption can't be broken. Mhm.
  • Darzil
    Maybe if you are using your cpu, most of the bruteforcing done now is with gpus and that is after they gained the encrypted passwords. It all depends on the site and if they even bother with encryption. Because hey, security through obscurity means no one is going to get your password if it's left in plain text on a server somewhere (*cough* Sony *cough*).

    Particularly messy on a number of recent hacks because they encrypted all passwords with the same hash, so you didn't have to try every password, just encrypt a known one and see what you are given. Plus as they had so many passwords, they could sort the encrypted passwords based on number of occurrences, and the most common ones are the ones that'll be easy to crack.
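
Added example, not part of any poster's reply: the weakness Darzil's post describes, every password run through the same unsalted hash so that equal passwords produce equal stored values, shown beside per-user salting with a slow key-derivation function. The account names, passwords, helper names and iteration count are constructed for this illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); three users share one password.
ACCOUNTS = {
    "alice": "dragon123",
    "bob": "dragon123",
    "carol": "dragon123",
    "dave": "correct horse battery staple",
}
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_store(accounts):
    """Weak scheme: one fast hash, no salt. Equal passwords give equal digests."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in accounts.items()}


def salted_store(accounts):
    """Hardened scheme: random per-user salt plus a slow key-derivation function."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        store[user] = (salt, digest)
    return store


def verify(store, user, password):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def largest_group(digests):
    """Size of the biggest set of accounts whose stored value is identical."""
    return max(Counter(digests).values())


def shared_digest_report():
    """Return (largest identical group unsalted, largest identical group salted)."""
    weak = unsalted_store(ACCOUNTS)
    strong = salted_store(ACCOUNTS)
    return largest_group(weak.values()), largest_group(d for _, d in strong.values())


if __name__ == "__main__":
    weak_dupes, strong_dupes = shared_digest_report()
    print(f"unsalted: {weak_dupes} accounts share one digest")
    print(f"salted:   {strong_dupes} account(s) per digest")
```

With the unsalted table, sorting stored values by frequency singles out the shared password immediately; with per-user salts every stored value is unique and each account has to be attacked separately.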
  • zamiel
    Maybe if you are using your cpu, most of the bruteforcing done now is with gpus and that is after they gained the encrypted passwords. It all depends on the site and if they even bother with encryption. Because hey, security through obscurity means no one is going to get your password if it's left in plain text on a server somewhere (*cough* Sony *cough*).
    Even if you are 100x as fast, it means you will finish it in 800 years instead of 80000:) Doesn't matter, generally speaking a 10+ character password is strong enough to hold until the information it protects is worthless anyway.

    Yes, you are right at that. I do hope however most people are not that amateurs.

  • Darzil
    Hmm, how long would it take gold spammers to realise, if the game was coded up to recognise the gold spamming, and put them all on the same phase, so no one who wasn't a gold spammer saw it !
  • Ashlynne
    It's sad that the first thing I saw when I logged on for the first time was a gold farmer spamming. Not only was he/she spamming, but every time I reported and ignored one, another one popped up. Yesterday didn't seem as bad. I hope they stay on top of this issue.