
10/11/2016
11:00 AM

Online Gaming Currency Funds Cybercrime In Real Life

You really needed Cristiano Ronaldo or that Doomhammer. Cybercriminals will help you get it for a price, and it's not even entirely illegal.

The online gaming industry (and some of its less patient players) are getting walloped by cyberattackers who are exploiting games, stealing in-game currency, and selling it for real-life profits that may fund more serious cybercrime. A key attraction for attackers is that much of the criminal process is not, strictly speaking, criminal at all.

Worldwide, online gaming is a $91.8 billion industry, according to Newzoo's latest Global Games Market report. A new Trend Micro report published today uncovers cybercrime in online gaming, specifically in the context of competitive games that require the user to be connected to the Internet.

For some games, "real-money trading" is an expected part of the community. As an expedient to earning in-game currency - tokens, coins, Elder Charms of Good Fortune - players exchange their real money for in-game currencies so they can buy their warriors new tools or help them survive difficult challenges. Players may also barter their possessions with other players in online marketplaces.

The majority of the games, however, consider this sort of trading -- particularly when cash, not in-game goods, is exchanged -- against the spirit of competition. They prohibit it, and if they suspect a user has advanced through these means, they may suspend the account.

The activity may be prohibited by the gaming company and frowned upon by some players, but it isn't illegal. Because trading in gaming currencies, even when real money is involved, is not illegal, governments do not intercede to shut the sites down. According to the Trend Micro report, "There are also no laws set to indict a person involved in hacking, glitching, or even buying online gaming currencies, even if it were done through the use [of] third-party programs or exploits."

Attackers have used a variety of exploits to steal not only users' in-game items and currency, but also their credentials -- which might be used in subsequent attacks outside of the game. Some sneak their way into game add-ons, others into malvertisements. Some go after development software or gaming company Web servers. 

Remote Access Trojans (RATs) have become the preferred type of malware for attacking gamers because they can grab credentials in addition to other items, the report says. Password stealers like Lolyda, Helpud, and Dozmod affect a variety of games.

The report also calls out other malware, including Frethog, Stimlik, Winnti, Legmir, Onlineg, Enterok, Kuoog, Tarcloin, Zuten, Usteal, Urelas, and Cryptlock. 

Another trick in the game-attacker's toolbox is "glitching." That's where the attacker causes a glitch in the game that tricks a player into buying the same item over and over, and sending that money elsewhere, for example, or tricks the game into granting the player a larger sum of currency in a shorter period of time than it should.

Perhaps the most dreadful method is "gold farming." That's a methodical process of repeatedly grinding out the same actions over and over to earn currency. So valuable has gaming currency become that gold farming has actually led to sweatshops. The Trend Micro report cites a 2011 report by The Guardian that a Chinese prison profited by forcing its prisoners into gold farming. 

Attackers have also used phishing and "duping," which is simply making multiple copies of the same virtual item to sell.

Setting aside the behemoth mobile device target of Pokemon Go, researchers named PCs the most-targeted platform. Attackers already have more experience with, access to, and exploit tools for PCs than they have for discrete gaming systems, which contributes to the appeal of targeting PCs.

The games that were most commonly targeted by currency thieves were those that were most popular and/or most competitive. Players may compete to amass the most rare or valuable loot; acquire assets that will help them level-up to beat other players or surpass difficult levels; or simply save time by buying stronger characters/teams instead of building them.

Many of the most commonly targeted are massively-multiplayer online role-playing games (MMORPGs) like World of Warcraft (5.5 million paying players strong), Final Fantasy, League of Legends, and Guild Wars. There is also a smattering of sports and platform games, including FIFA 16, Grand Theft Auto V, and Minecraft.

Attackers advertise for their stolen currency and power-ups on Facebook and other social networks. They also advertise their game exploits on the Deep Web, and provide live chat support for customers.

Once purchases are complete, attackers launder money by converting it to cryptocurrency, then may further clean it by mixing it with other cryptocurrencies from other sources. Trend Micro researchers point to easy laundering-as-a-service providers CleanCoin and Bitcoin Mixer. The attackers may then cash out through bank accounts, shop for bank cards, reinvest, or invest in other crimes.

The researchers hint that online gaming exploits may be a sort of gateway drug for amateur attackers -- an activity that may inspire them to engage in more serious criminal endeavors. Researchers present the example of Saudi Arabian hacking group OurMine, which began attacking Minecraft and FIFA, then progressed to DDoSing the financial sector.

Further, experienced cybercriminals -- including Lizard Squad and the Armada Collective hacking groups -- are already using the profits made from online gaming attacks to finance other illegal endeavors.   

"There is evidence," says the report, "that these threat actors used their ill-gotten gains to commit damaging forms of cybercrime."

Trend Micro points out that involuntary human workers forced into "gold farms" and impressionable youth are some of the victims of online gaming attacks. 

But the biggest victims are the gaming companies. The vast majority of games prohibit real-money trading and players "invest a certain amount of trust in the game–which revolves around the belief that advancement in the game is done in a fair method. Therefore, this trust is shattered when players learn about the prevalence of RMT for gaming currency," says the report.

"Upon learning that, players may opt to abandon the game completely. This reaction shall immediately translate into a huge loss of revenue for the game publishers and developers."


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
