10/11/2016
11:00 AM

Online Gaming Currency Funds Cybercrime In Real Life

You really needed Cristiano Ronaldo or that Doomhammer. Cybercriminals will help you get it for a price, and it's not even entirely illegal.

The online gaming industry (and some of its less patient players) are getting walloped by cyberattackers who are exploiting games, stealing in-game currency, and selling it for real-life profits that may fund more serious cybercrime. A key attraction for attackers is that much of this process is not, strictly speaking, criminal at all.

Worldwide, online gaming is a $91.8 billion industry, according to Newzoo's latest Global Games Market report. A new Trend Micro report published today uncovers cybercrime in online gaming, specifically in the context of competitive games that require the user to be connected to the Internet.

For some games, "real-money trading" is an expected part of the community. As an expedient to earning in-game currency - tokens, coins, Elder Charms of Good Fortune - players exchange their real money for in-game currencies so they can buy their warriors new tools or help them survive difficult challenges. Players may also barter their possessions with other players in online marketplaces.

The majority of the games, however, consider this sort of trading -- particularly when cash, not in-game goods, is exchanged -- against the spirit of competition. They prohibit it, and if they suspect a user has advanced through these means, they may suspend the account.

The activity may be prohibited by the gaming company and frowned upon by some players, but it isn't illegal. Because trading in gaming currencies, even when real money is involved, is not illegal, governments do not intercede to shut the sites down. According to the Trend Micro report, "There are also no laws set to indict a person involved in hacking, glitching, or even buying online gaming currencies, even if it were done through the use [of] third-party programs or exploits."

Attackers have used a variety of exploits to steal not only users' in-game items and currency, but also their credentials -- which might be used in subsequent attacks outside of the game. Some sneak their way into game add-ons, others into malvertisements. Some go after development software or gaming company Web servers. 

Remote Access Trojans (RATs) have become the preferred type of malware for attacking gamers because they can grab credentials in addition to other items, the report says. Password stealers like Lolyda, Helpud, and Dozmod affect a variety of games.

The report also calls out other malware, including Frethog, Stimlik, Winnti, Legmir, Onlineg, Enterok, Kuoog, Tarcloin, Zuten, Usteal, Urelas, and Cryptlock. 

Another trick in the game-attacker's toolbox is "glitching." That's where the attacker causes a glitch in the game that tricks a player into buying the same item over and over, and sending that money elsewhere, for example, or tricks the game into granting the player a larger sum of currency in a shorter period of time than it should.

Perhaps the most dreadful method is "gold farming." That's a methodical process of repeatedly grinding out the same actions over and over to earn currency. So valuable has gaming currency become that gold farming has actually led to sweatshops. The Trend Micro report cites a 2011 report by The Guardian that a Chinese prison profited by forcing its prisoners into gold farming. 

Attackers have also used "duping," which is simply making multiple copies of the same virtual item to sell it, and phishing. 

Excepting the behemoth mobile device target of Pokemon Go, researchers named PCs the most-targeted platform. Attackers already have more experience with, access to, and exploit tools for PCs than they have for discrete gaming systems, which contributes to the appeal of targeting PCs.

The games that were most commonly targeted by currency thieves were those that were most popular and/or most competitive. Players may compete to amass the most rare or valuable loot; acquire assets that will help them level-up to beat other players or surpass difficult levels; or simply save time by buying stronger characters/teams instead of building them.

Many of the most commonly targeted are massively-multiplayer online role-playing games (MMORPGs) like World of Warcraft (5.5 million paying players strong), Final Fantasy, League of Legends, and Guild Wars. There is also a smattering of sports and platform games, including FIFA 16, Grand Theft Auto V, and Minecraft.

Attackers advertise for their stolen currency and power-ups on Facebook and other social networks. They also advertise their game exploits on the Deep Web, and provide live chat support for customers.

Once purchases are complete, attackers launder money by converting it to cryptocurrency, then may further clean it by mixing it with other cryptocurrencies from other sources. Trend Micro researchers point to easy laundering-as-a-service providers CleanCoin and Bitcoin Mixer. The attackers may then cash out through bank accounts, shop for bank cards, reinvest, or invest in other crimes.

The researchers hint that online gaming exploits may be a sort of gateway drug for amateur attackers -- an activity that may inspire them to engage in more serious criminal endeavors. Researchers present the example of Saudi Arabian hacking group OurMine, which began attacking Minecraft and FIFA, then progressed to DDoSing the financial sector.

Further, experienced cybercriminals -- including Lizard Squad and the Armada Collective hacking groups -- are already using the profits made from online gaming attacks to finance other illegal endeavors.   

"There is evidence," says the report, "that these threat actors used their ill-gotten gains to commit damaging forms of cybercrime."

Trend Micro points out that involuntary human workers forced into "gold farms" and impressionable youth are some of the victims of online gaming attacks. 

But the biggest victims are the gaming companies. The vast majority of games prohibit real-money trading and players "invest a certain amount of trust in the game–which revolves around the belief that advancement in the game is done in a fair method. Therefore, this trust is shattered when players learn about the prevalence of RMT for gaming currency," says the report.

"Upon learning that, players may opt to abandon the game completely. This reaction shall immediately translate into a huge loss of revenue for the game publishers and developers."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
