11:00 AM
Connect Directly

Online Gaming Currency Funds Cybercrime In Real Life

You really needed Cristiano Ronaldo or that Doomhammer. Cybercriminals will help you get it for a price, and it's not even entirely illegal.

The online gaming industry (and some of its less patient players) are getting walloped by cyberattackers who are exploiting games, stealing in-game currency, and selling them for real-life profits that may fund more serious cybercrime. A key attraction for attackers is that much of its criminal process is not, strictly speaking, criminal at all.

Worldwide, online gaming is a $91.8 billion industry, according to Newzoo's latest Global Games Market report. A new Trend Micro report published today uncovers cybercrime in online gaming, specifically in the context of competitive games that require the user to be connected to the Internet.

For some games, "real-money trading" is an expected part of the community. As an expedient to earning in-game currency - tokens, coins, Elder Charms of Good Fortune - players exchange their real money for in-game currencies so they can buy their warriors new tools or help them survive difficult challenges. Players may also barter their possessions with other players in online marketplaces.

The majority of the games, however, consider this sort of trading -- particularly when cash, not in-game goods are exchanged -- against the spirit of competition. They prohibit it and if they suspect a user has advanced through these means, they may suspend the account.

The activity may be prohibited by the gaming company and frowned upon by some players, but it isn't illegal. Because trading in gaming currencies, even when real money is involved, is not illegal and governments do not intercede to shut the sites down. According to the Trend Micro report, "There are also no laws set to indict a person involved in hacking, glitching, or even buying online gaming currencies, even if it were done through the use [of] third-party programs or exploits."

Attackers have used a variety of exploits to steal not only users' in-game items and currency, but also their credentials -- which might be used in subsequent attacks outside of the game. Some sneak their way into game add-ons, others into malvertisements. Some go after development software or gaming company Web servers. 

Remote Access Trojans (RATs) have become the preferred type of malware for attacking gamers because they can grab credentials in addition to other items, the report says. Password stealers like Lolyda, Helpud, and Dozmod, affect a variety of games.

The report also calls out other malware, including Frethog, Stimlik, Winnti, Legmir, Onlineg, Enterok, Kuoog, Tarcloin, Zuten, Usteal, Urelas, and Cryptlock. 

Another trick in the game-attacker's toolbox is "glitching." That's where the attacker causes a glitch in the game that tricks a player into buying the same item over and over, and sending that money elsewhere, for example, or tricks the game into granting the player a larger sum of currency in a shorter period of time than it should.

Perhaps the most dreadful method is "gold farming." That's a methodical process of repeatedly grinding out the same actions over and over to earn currency. So valuable has gaming currency become that gold farming has actually led to sweatshops. The Trend Micro report cites a 2011 report by The Guardian that a Chinese prison profited by forcing its prisoners into gold farming. 

Attackers have also used "duping," which is simply making multiple copies of the same virtual item to sell it, and phishing. 

Exempting the behemoth mobile device target of Pokemon Go, researchers named the most-targeted platform to be PCs. Attackers already have more experience with, access to, and exploit tools for PCs than they have for discrete gaming systems, which contributes to the appeal of targeting PCs.

The games that were most commonly targeted by currency thieves were those that were most popular and/or most competitive. Players may compete to amass the most rare or valuable loot; acquire assets that will help them level-up to beat other players or surpass difficult levels; or simply save time by buying stronger characters/teams instead of building them.

Many of the most commonly targeted are massively-multiplayer online role-playing games (MMORPGs) like World of Warcraft (5.5 million paying players strong), Final Fantasy, League of Legends, and Guild Wars. There also are a smattering of sports and platform games, including FIFA 16, Grand Theft Auto V, and Minecraft.

Attackers advertise for their stolen currency and power-ups on Facebook and other social networks. They also advertise their game exploits on the Deep Web, and provide live chat support for customers.

Once purchases are complete, attackers launder money by converting it to cryptocurrency, then may further clean it by mixing it with other cryptocurrencies from other sources. Trend Micro researchers point to easy laundering-as-a-service providers CleanCoin and Bitcoin Mixer. The attackers may then cash out through bank accounts, shop for bank cards, reinvest, or invest in other crimes.

The researchers hint that online gaming exploits may be a sort of gateway drug for amateur attackers -- an activity that may inspire them to engage in more serious criminal endeavors. Researchers present the example of  Saudi Arabian hacking group OurMine, which began attacking Minecraft and FIFA, then progressed to DDoSing the financial sector.

Further, experienced cybercriminals -- including Lizard Squad and the Armada Collective hacking groups -- are already using the profits made from online gaming attacks to finance other illegal endeavors.   

"There is evidence," says the report, "that these threat actors used their ill-gotten gains to commit damaging forms of cybercrime."

Trend Micro points out that involuntary human workers forced into "gold farms" and impressionable youth are some of the victims of online gaming attacks. 

But the biggest victims are the gaming companies. The vast majority of games prohibit real-money trading and players "invest a certain amount of trust in the game–which revolves around the belief that advancement in the game is done in a fair method. Therefore, this trust is shattered when players learn about the prevalence of RMT for gaming currency," says the report.

"Upon learning that, players may opt to abandon the game completely. This reaction shall immediately translate into a huge loss of revenue for the game publishers and developers."

Related content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
PUBLISHED: 2018-10-16
Z-BlogPHP (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.