tl;dr: Six of my accounts were stolen by phishing SC support. I ventured into the world of CoC account selling, learned who did it, and then ethically phished an account to confirm how easy it was.
You’ve probably seen countless stories about people losing their accounts. It’s an epidemic. I hope to contribute to the discussion in a bit more detail about how it is done and how shockingly easy it is.
I stopped playing several months ago. When I re-downloaded the game in November, I found out that my SC ID login no longer worked for six of my ten accounts and my clan had been taken over. Two of those accounts had just been temporarily locked and were easy to recover. One was locked and I could not recover it. The other three had been taken over and sold to new players. I recovered two of those, including my main account.
When I recovered the two accounts that had been sold, I left messages in the clans where the buyers had put them, asking for them to contact me on Discord. One did. The other I had to hunt down myself. Both ended up giving me the contact info for the people who sold them my accounts. The two sellers are consistent posters on a certain subreddit that shall not be named. I kept digging. After talking to about a dozen different people in Discord DMs, including both sellers, I am confident one of the two sellers either is the one who originally phished my accounts or is very close to whoever did. Apparently, he has a reputation in the community for doing this. But, the point of my post is not to witch hunt this person. All I’ll say is don’t buy accounts, because the account you buy might have been phished.
Unfortunately, I could not get two of my accounts back. I’ve given up hope at this point as multiple accounts of mine are now serving month-long bans after trying to recover the lost accounts. For one of them, I have screenshots and receipts from several years ago. For the other, I competed in an ESL tournament with it a few years ago, where I reached the latter stages and was on streams and everything. I have plenty of proof they are mine, but apparently not enough proof for SC. Weirdly it took less proof than that to recover some of my other accounts. But this also isn’t the point of my post, or else it would just be another in the countless stream of posts about people losing accounts that were theirs. I came to terms with those accounts being gone.
Here’s where it gets interesting, though.
I talked to a ton of people in the buy/sell/trade community about phishing, who does it, and how it is done. I felt like I had a pretty good understanding of how my accounts were phished (I’ll avoid being too specific lest it happen again). I thought it seemed scary easy. I wanted to try it. So, I texted a friend of mine who used to play CoC many years ago. I asked him if I could try to phish his account. He said sure.
I used an API website to find the account’s game tag and clan. I also checked its activity levels and any recent clan movements (nothing). Then I opened up a ticket in-game using a newly created account. This was from a device and location never associated with the target account before. I said I last played a few years ago, had lost access to the email that I originally used for Apple ID and SC ID, and was looking to get back into the game. I gave them the target account’s tag and clan.
Support got back to me and asked a few questions. Note that I know the owner of this account in real life and had previously played CoC with him many years ago. But, I did not ask him for answers until after I recovered the account and I think the answers I gave could have been given by anyone. Also note that I worked with the mods of this subreddit in drafting this post, and they asked me to be more vague than I initially was in my descriptions of how to find information and answer support’s questions.
First, support asked when I created the account. I based my answer on the Christmas trees and other obstacles I could see on the home village, along with the length of the player tag (newer accounts have nine characters, for example). After I recovered the account, I found out I guessed roughly correctly here.
Second, they asked when I last played. Using publicly accessible information from an API website, or a lack thereof, I knew it had been a while. I said about three years but I wasn’t sure. After recovering the account, I found out I was off by over two years (he had played a bit within the last year, unbeknownst to me).
Third, they asked what devices (brands & models) I played on. I was roughly correct in my guess. This is the toughest question support asks you, so I am being deliberately vague about how to answer this one.
Fourth, they asked for a receipt. I just told them I did not have access to that anymore as I lost access to the email account. In recovering my accounts, I found that sometimes they asked for this and sometimes they wouldn’t even accept a receipt if I said I wanted to send them one (see one of my accounts above).
I also provided them with a lot of unnecessary information that made it look like I knew the account, but was publicly visible. Stuff like “my xp level is 120,” “I am a th10,” “my base layout looks like three squares,” “I have these Christmas trees in these locations,” etc. All of it was stuff you could find just by looking at the account in-game.
Six minutes later, without any follow-up questions, SC support asked what email I wanted the account linked to. I contacted my friend, got his email, and while on FaceTime with him linked the account to a new email address of his. He has the account now, but if I were a nefarious hacker looking to obtain accounts and sell them, I could have stolen it. All it takes is a few educated guesses (which could be tried again from a fresh account if I was incorrect), maneuvering around information I did not know, and specificity about publicly viewable information I did know.
It blew my mind that it was this easy. Even if I was wrong, I could have tried again from a different newly-created account with some new answers. The whole process took like 15 minutes, and most of that was waiting on SC support to respond. There are other questions support can ask you, but those are about as easy to answer as the questions I saw.
This is a problem. Anyone can do this, and people are learning how easy it is. Supercell needs to wake up and do something about it.