I’m not releasing any details about the beta client itself, so I do hope I’m not in violation of the non-disclosure agreement I was presented upon joining the beta. I need to vent about an ongoing issue and I felt this was the best way to get the word out there.
I’ve been part of the beta testing of the new MTGO client for a few months, and just about every two to three weeks they send out email blasts saying a patch has been pushed out, and they’re doing specialized events to test the update. Along with this invitation to upgrade the client and play, there is a link to a survey to provide feedback about the changes and your experiences over the event weekend.
Brilliantly, the last email was sent with each of the beta tester’s emails exposed. I’m a relatively public person online. If you Google MetalFrog or my actual name, I have a solid presence, and if you want to find me you’re more than able to.
What bothers me is that there are scumbags everywhere in the world, and of course one of the people that received this email decided to capitalize on the opportunity. The phisher created a shill survey to collect account details. The email sent out yesterday had the same subject as the official Wizards email, and nearly an identical body. The only things changed were the URLs to the survey, and a reminder that yesterday was the final day to partake in the survey (to still have prize eligibility for participating).
Since the original email was mostly unaltered, the correct deadline for the survey was intact. A more astute reader would notice that the survey could be completed up until Tuesday, April 3 at 6:00 pm PDT, but the email said that yesterday was the deadline. Furthermore, a more astute internet user would know to never share their password with anyone, anytime, no matter the circumstances under which it was requested. I don’t want to blame the victims at all. Yes, precaution would have prevented their information being compromised, but nonetheless they were preyed upon.
I’m upset with two parties right now: the phisher and Wizards of the Coast. While I am a public person on the internet, exposing my email to 400+ people is not within my reasonable expectation of privacy. What they did is nothing worse than what I have already done with my public-facing profiles over the years, but for less-public persons, it’s a worse violation. I’m more upset that we’re going through day two of this without any official acknowledgement of the happenings. Come on, Wizards, where is your response? I know for a fact that at least five of us have contacted you with details about this attack. None of us received comment as of the time of this publication. Get on it!
The phisher contacted some of the people to “apologize” for their actions. Here is the content of the email forwarded to the other beta testers that were not contacted:
Good day Beta players, since the latest phishing scam I think it’s important to clear things up a bit. The easiest way to do this is by sending you the e-mail that I sent to Wizards, here it is:
“So I heard that you had some trouble with phishing, now I’d like to explain the situation to make your work easier. It all started when I received the last e-mail from Wizards; it was an announcement that another Innistrad weekend was coming. The first thing that flashed through my mind was: “Nice, I can play Innistrad again and get free boosters.” I always like these weekends and I enjoy participating in the Beta.
Then a friend of mine told me that there was something weird about the e-mail Wizards had sent us; the weird thing was that all the e-mail addresses that the mail was sent to were viewable. This made it possible to see every e-mail address of the Beta players (I can’t say for sure they are all the e-mail addresses, but by looking at the huge number of e-mail addresses in there I think it’s safe to say that they were all the e-mail addresses).
So of course it was true! Someone at Wizards had sent the e-mail in such a way that everyone could see the e-mail addresses of everyone. Now me being a “smart” guy I quickly realized the damage that could be done by having this information. Of course I also am a very nice person so I decided to do nothing because surely Wizards was going to send everyone an e-mail warning them of the great dangers that were lying ahead because of their own mistake.
I waited two days and I didn’t receive any e-mail; I realized Wizards probably didn’t think that this mistake could do harm. Sure it wouldn’t do the greatest harm, but phishing is a great problem among less intelligent people. Now I decided to educate Wizards and those “less intelligent” people on how phishing works.
My first idea was to recreate the website from scratch so I dusted off my coding skills with HTML and PHP and started to work with the source code from the website where the survey was taken. After around 45 minutes of work I realized this was never going to happen in one day (I pretty much knew nothing about the subject anymore). So I decided to look for other options. I went to 4chan but 4chan was down, I moved to some other less known websites and IRCs but those couldn’t help me either.
Then I realized at which website the survey was taken… A website that takes surveys, and I could make my own survey there! The greatest, most amazing thing about this was that the website offered a free 14-day trial, pretty much enough to let the phishing happen. The other plus sides were that I pretty much had no work to do in order to get the survey to look like one of Wizards’, and the link was also indistinguishable unless you looked really well.
All I needed then was an e-mail address. I chose a Gmail account, which looks more professional than Hotmail, Yahoo, Live etc. After creating the e-mail (and of course the survey had been made already) I e-mailed 10 people, then 10 again, then again 10 and then again 10. I did it this way so if people would come to know of the phishing they wouldn’t be able to e-mail each other that easily, plus I didn’t really know how to e-mail everyone at once (I kept getting some error).
I did try mailing everyone in one go, I tried it 5 times and it all gave an error. Then later that afternoon all 5 of them simultaneously arrived at everyone’s e-mail address. This of course immediately ruined my credibility and after a few people filling in the survey people started to mail that phishing was happening!
At this point I had 8 login details, correct username + password. If I would’ve mailed everyone per 10 I’m very very sure more people would’ve responded (the first 40 2 people responded the next 360 6 people so do the math, assuming of course that there are 400 Beta players I e-mailed which I am not sure of because I am too lazy to count).
Now as I said before I’m not evil, I’m pretty nice I just saw this great opportunity to educate the masses. So there I had all the login information and to my happy surprise people started warning each other and educating each other, personally I think this was great and you should applaud the people e-mailing with warnings for their good behaviour.
Then Wizards still didn’t send any warning e-mails so I started logging in on all the accounts and soon I saw cards worth hundreds of dollars. But as I said I’m not an evil person, I just wanted to educate, so I started telling the ORC of the situation. I told them that I was sitting on accounts that I hacked with phishing; I also told them that I wanted to help them with their investigation.
I even offered them multiple times to name everyone that gave up their details but the ORC just kept banning me and didn’t want to have a civilized conversation. I think this is really really stupid from the ORC because now they have to do an investigation and I have to type this whole, so far 2 pages long, text explaining the situation.
So if you at Wizards are interested in whose account details I still got (some aren’t blocked/banned/put on non-active yet) just tell me, I’m not a bad person, I’m glad to help.
Wasn’t this very educational? Don’t you think it educated a lot of your beta testers? How much more do you want from me, a fellow Beta player? I tested the system, pointed out what you did wrong without causing too much damage, because the damage that happened (putting accounts on non-active) you did yourself.
A very important thing to note: I made sure not to touch the collection/attained rating any player had acquired. I didn’t trade away any cards/tickets/booster nor did I join any events.”
I hope this clears things up and might stop people worrying about their possibly lost cards/tickets or acquired rating. I hope that you see the greater goal behind this phishing scam instead of getting mad, because if I didn’t do it someone else could’ve done it too and that person might have fucked around with the information in a much worse way than I did.
So I hope that everyone’s account gets unlocked fast and I apologize for any trouble I might have caused.
So here’s the problem: you have absolutely no credibility. None. Whether you became fearful of the repercussions after the fact, or you genuinely wanted only to prove that it was possible to gain account information, you procured said information under false pretenses and used it. Regardless of your intent (which we can argue was unjust, as you have stated multiple times that you verified the accounts, which can only be done by logging in with the username and password) you have committed fraud and I fully expect that you are prosecuted to the fullest extent.
It is regrettable that Wizards has yet to comment on this fiasco. Hopefully it will be handled better than Sony handled the hacking of their network, but only time will tell. I’m not in this for compensation in the way of product or money. I’ll be happy with an assurance that this was an isolated incident, that it will not happen again, and that they are exerting every possible ounce of energy into finding the culprit and pursuing justice for those that fell prey to this attack.
I cannot stress enough that your information is sacred. Just as we were taught as children to not allow strangers into our personal space, don’t feel compelled to share any personal information unless the site is secure and verified beforehand. Even then, if someone is asking you for a password, expect the worst.
Last night, an email was sent by Wizards of the Coast addressing the issue. Pretty standard fare, but it has sound advice for all internet users. Sounds like the accounts that were locked will receive additional communication, but the rest of us will be in the dark about the outcome of their investigation.
On March 29, 2012, the Magic Online QA team sent out an email announcing the Innistrad Beta Event offered over the weekend of March 30 through April 1. That announcement inadvertently displayed player email addresses to other players on the email distribution list. Your email address has been identified as one that was part of that distribution list and may have been compromised.
Our primary concern at this time is regarding players who received a Beta Survey Reminder email on Sunday, April 1st. This email was NOT an official email from Wizards of the Coast and was an attempt to gain access to player account information through a link to a fake survey that asked for your account password in addition to your Magic Online account name.
If you completed a survey that asked you for your Magic Online account password, please take a moment to log into the email account associated with your Magic Online account and change the password. In addition, if you share your Magic Online password with any other systems, programs, or websites, we recommend that you change those passwords as well.
In order to protect our players and their accounts during our investigation of this incident, we have temporarily disabled all Magic Online accounts that were potentially at risk. If your account has been disabled, our Game Support team will be in contact with you as soon as possible to resolve this issue. You may also contact Wizards directly, by going to www.wizards.com/customerservice and clicking the “Email Us” tab or calling 800-324-6496 from the United States (or 425-204-8069 from outside of the United States) between 9:00 AM to 6:00 PM PDT (16:00 – 01:00 UTC), and request your account be reactivated.
Protecting your information is our highest priority, and we want to assure you that we are taking steps to ensure that this does not happen again. We want to take this time to remind you that there are several simple steps you can take to protect yourself and your Magic Online account in the future.
1. Password Security: Never share your password with anyone. Employees and representatives of Wizards of the Coast will NEVER ask you for your password under any circumstance. If someone who claims to be an official Wizards of the Coast or Magic Online employee or representative asks for your password, please report it immediately to http://wizards.custhelp.com/app/answers/detail/a_id/1236/kw/suspicious%20behavior.
2. Do Not Accept “Official” Emails at Face Value: If you receive an email that is supposedly from Wizards of the Coast, take the time to check who sent it. Does it come from a “@wizards.com” address? If not, then it is definitely not an official email from Wizards. If the email asks for your password, offers you free cards, or otherwise says something suspicious, do not fall for it. Forward any such emails to firstname.lastname@example.org immediately or report them via our Report Suspicious Activity link: http://wizards.custhelp.com/app/answers/detail/a_id/1236/kw/suspicious%20behavior.
3. Protect Yourself from Scams: Be careful that you always know what site you are on when browsing for Magic info. Wizards of the Coast publishes the official Magic: The Gathering website and the Magic: The Gathering Online game. There are no sanctioned cheats, hacks, mods, bots, or any other kind of attachments for Magic Online. Other websites proclaiming to be “official” or “authorized” are likely scams.
By following a few basic steps, you can help protect yourself and your Magic Online account and focus on what Magic: The Gathering is all about: having fun! If you have any questions, please do not hesitate to contact Game Support by going to www.wizards.com/customerservice and clicking the “Email Us” tab or calling 800-324-6496 from the United States (or 425-204-8069 from outside of the United States). Our hours are 9:00 AM to 6:00 PM PDT (16:00 – 01:00 UTC).
Again, we apologize for any inconvenience and thank you for your patience while we resolve this matter,
The Magic Online Team
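The advice in point 2 of the Wizards email (check that the sender is an “@wizards.com” address and be wary of anything asking for a password) and the lookalike survey link described in the phisher’s own account can be turned into a mechanical triage check. The following Python script is an added example, not code from the original post or from Wizards of the Coast; the sample headers, bodies and the survey host are constructed for illustration. It parses the From: header properly (so a display name such as “Wizards of the Coast” wrapped around a Gmail address is not mistaken for the sender), requires the domain to be wizards.com or a real subdomain of it (so wizards.com.something.example fails), lists every link host in the body that is not under the official domain, and flags bodies that mention a password. A passing sender check is only a hint: the From: header itself can be forged, so an actual mail filter should also consult SPF/DKIM results, which this example does not do.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# The page's advice: official mail comes from an @wizards.com address.
OFFICIAL_DOMAINS = {"wizards.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def _under_official(host, official):
    """True if host is exactly an official domain or a real subdomain of one.
    'wizards.com.evil.example' is NOT under 'wizards.com' because the
    comparison is anchored at the end of the name, not a substring match."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)


def sender_domain(from_header):
    """Return the lowercased domain of the address in a From: header.
    parseaddr() separates the display name from the address, so a header
    like '"Wizards of the Coast" <x@gmail.com>' yields 'gmail.com'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_official_sender(from_header, official=OFFICIAL_DOMAINS):
    return _under_official(sender_domain(from_header), official)


def suspicious_links(body, official=OFFICIAL_DOMAINS):
    """Hosts of all links in the body that are not under an official domain."""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    return [h for h in hosts if not _under_official(h, official)]


def asks_for_password(body):
    return re.search(r"\bpassword\b", body, re.IGNORECASE) is not None


def assess(from_header, body, official=OFFICIAL_DOMAINS):
    """Triage verdict for one message. 'suspicious' is True when any of the
    three checks from the page's advice fails."""
    sender_ok = is_official_sender(from_header, official)
    links = suspicious_links(body, official)
    pw = asks_for_password(body)
    return {
        "sender_domain": sender_domain(from_header),
        "sender_official": sender_ok,
        "suspicious_links": links,
        "asks_for_password": pw,
        "suspicious": (not sender_ok) or bool(links) or pw,
    }


# Constructed samples (not real messages from the incident).
PHISH_FROM = '"Wizards of the Coast" <mtgo-beta-survey@gmail.com>'
PHISH_BODY = (
    "Beta Survey Reminder: today is the last day to complete the survey.\n"
    "Enter your Magic Online account name and password here:\n"
    "https://surveys.example.net/s/innistrad-beta\n"
)

OFFICIAL_FROM = "Magic Online QA <beta@wizards.com>"
OFFICIAL_BODY = (
    "Thank you for playing in the Innistrad Beta Event.\n"
    "Questions? Visit http://www.wizards.com/customerservice\n"
)

if __name__ == "__main__":
    for label, frm, body in (("phish", PHISH_FROM, PHISH_BODY),
                             ("official", OFFICIAL_FROM, OFFICIAL_BODY)):
        print(label, assess(frm, body))
```

Run as-is, the constructed phishing sample is flagged on all three counts (Gmail sender, a survey host outside wizards.com, and a request for a password), while the constructed official sample passes. The subdomain check is the part worth copying: a naive `"wizards.com" in domain` test would accept `wizards.com.survey-host.example`, which is exactly the kind of link the phisher described as indistinguishable unless you looked closely.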