I often get asked, “What made you interested in cybersecurity?” My usual response simplifies it to, “I enjoy technology, and it’s the only field I find interesting. I also love the continuous learning aspect of cybersecurity.” However, the truth is that my journey is more complex and, if I may say so, quite fascinating.
As a child, my mother signed me up for a multiplatform virtual world for kids called SecretBuilders. This online platform emphasized social interaction, allowing kids to explore a vibrant virtual world, chat with friends, and participate in activities like fashion shows. Players could customize treehouses and care for various pets, including dragons and unicorns. Overall, SecretBuilders combined creativity, socializing, and fun in a safe environment.
SecretBuilders offered memberships that provided access to a special currency—let’s call them Secret Bucks. All users received regular bucks, but Secret Bucks were exclusive to members and could only be obtained after a parent completed the payment process. My parents occasionally paid for my membership, but with siblings in the picture, they couldn’t cover it monthly.
In the game, users could view and trade each other’s inventories, but both parties had to agree to the trade. Additionally, some items were limited edition, making them rare and scarce among players. If you didn’t purchase these items while they were available in the marketplace, you would never have another chance to buy them.
I often approached players who wore outfits that required Secret Bucks, believing their polished appearances indicated valuable inventory. Frustrated by my limited options of apparel, I convinced my mother to pay for one month of membership. With the Secret Bucks I gained, I decorated my home and character, then sought out users with appealing items to trade.
That’s when I realized that all I needed to access any account was a username and password. The usernames were already visible during gameplay; the only challenge was convincing other kids to share their passwords with me. I used social engineering tactics – specifically pretexting – by creating scenarios where I posed as a wealthy player offering to share my riches by adding Secret Bucks to their accounts.
To enhance my credibility, I created a second account as my ‘bodyguard’ adding an air of legitimacy to my story. As long as I didn’t log into the same account twice, I could manage multiple accounts at once. When I found a player with desirable items, I introduced myself as a wealthy, high-status player. To further sell the illusion, I opened my main account in one browser, my bodyguard account in another, and a third account posing as a past trading partner to reinforce my legitimacy. By juggling three sessions simultaneously, I created a convincing network to vouch for myself.
Once the child provided their password, I would quickly log into their account, take the items I wanted, and transfer them to my main account. I even created a Parent SecretBuilders account to manage stolen accounts, allowing me continuous access – a backdoor.
After logging out of a user’s account, I would often block them to prevent any further communication. Then, I transferred the stolen items from my fraudulent account to my main gameplay account, ensuring my primary account remained safe from being banned.
Looking back, I recognize that I was exploiting the trust of other kids, and it makes me feel bad. While I found it thrilling, I wouldn’t encourage any child to do the same.
SecretBuilders shut down in January 2021, marking the end of a platform that had been around since 2008. It was bittersweet to see the game come to an end, signaling the loss of an era and all my hard work.
So, whenever I’m asked what sparked my interest in cybersecurity, this experience immediately comes to mind. However, I doubt that sharing with recruiters or potential employers that I once conned kids out of their accounts would leave a positive impression. It wasn’t until I explored various paths in computer technology that I discovered cybersecurity. The knowledge and passion for defending against attacks captivated me, and learning about different social engineering attempts made me realize that I, too, had once worn the shoes of a bad actor, successfully using social engineering to obtain sensitive information—even if it was from the most gullible community.
One area that particularly interests me is penetration testing. Reflecting on my past experiences, I find it impressive how those early encounters shaped my curiosity about the field. Perhaps I was destined to be in cybersecurity after all.
“The only way to do great work is to love what you do.” — Steve Jobs
Breaking Into Cyber Security 