Dark Reading is part of the Informa Tech Division of Informa PLC



11:00 AM

Online Gaming Currency Funds Cybercrime In Real Life

You really needed Cristiano Ronaldo or that Doomhammer. Cybercriminals will help you get it for a price, and it's not even entirely illegal.

The online gaming industry (and some of its less patient players) is getting walloped by cyberattackers who are exploiting games, stealing in-game currency, and selling it for real-life profits that may fund more serious cybercrime. A key attraction for attackers is that much of their criminal process is not, strictly speaking, criminal at all.

Worldwide, online gaming is a $91.8 billion industry, according to Newzoo's latest Global Games Market report. A new Trend Micro report published today uncovers cybercrime in online gaming, specifically in the context of competitive games that require the user to be connected to the Internet.

For some games, "real-money trading" is an expected part of the community. As an expedient to earning in-game currency -- tokens, coins, Elder Charms of Good Fortune -- players exchange their real money for in-game currencies so they can buy their warriors new tools or help them survive difficult challenges. Players may also barter their possessions with other players in online marketplaces.

The majority of games, however, consider this sort of trading -- particularly when cash, not in-game goods, is exchanged -- against the spirit of competition. They prohibit it, and if they suspect a user has advanced through these means, they may suspend the account.

The activity may be prohibited by the gaming company and frowned upon by some players, but it isn't illegal. Because trading in gaming currencies, even when real money is involved, is not illegal, governments do not intercede to shut the sites down. According to the Trend Micro report, "There are also no laws set to indict a person involved in hacking, glitching, or even buying online gaming currencies, even if it were done through the use [of] third-party programs or exploits."

Attackers have used a variety of exploits to steal not only users' in-game items and currency, but also their credentials -- which might be used in subsequent attacks outside of the game. Some sneak their way into game add-ons, others into malvertisements. Some go after development software or gaming company Web servers. 

Remote Access Trojans (RATs) have become the preferred type of malware for attacking gamers because they can grab credentials in addition to other items, the report says. Password stealers like Lolyda, Helpud, and Dozmod affect a variety of games.

The report also calls out other malware, including Frethog, Stimlik, Winnti, Legmir, Onlineg, Enterok, Kuoog, Tarcloin, Zuten, Usteal, Urelas, and Cryptlock. 

Another trick in the game-attacker's toolbox is "glitching." That's where the attacker causes a glitch in the game that tricks a player into buying the same item over and over, and sending that money elsewhere, for example, or tricks the game into granting the player a larger sum of currency in a shorter period of time than it should.

Perhaps the most dreadful method is "gold farming." That's a methodical process of repeatedly grinding out the same actions over and over to earn currency. So valuable has gaming currency become that gold farming has actually led to sweatshops. The Trend Micro report cites a 2011 report by The Guardian that a Chinese prison profited by forcing its prisoners into gold farming. 

Attackers have also used "duping," which is simply making multiple copies of the same virtual item to sell it, and phishing. 

Excepting the behemoth mobile device target of Pokemon Go, researchers named PCs as the most-targeted platform. Attackers already have more experience with, access to, and exploit tools for PCs than they have for discrete gaming systems, which contributes to the appeal of targeting PCs.

The games that were most commonly targeted by currency thieves were those that were most popular and/or most competitive. Players may compete to amass the most rare or valuable loot; acquire assets that will help them level-up to beat other players or surpass difficult levels; or simply save time by buying stronger characters/teams instead of building them.

Many of the most commonly targeted are massively-multiplayer online role-playing games (MMORPGs) like World of Warcraft (5.5 million paying players strong), Final Fantasy, League of Legends, and Guild Wars. There is also a smattering of sports and platform games, including FIFA 16, Grand Theft Auto V, and Minecraft.

Attackers advertise for their stolen currency and power-ups on Facebook and other social networks. They also advertise their game exploits on the Deep Web, and provide live chat support for customers.

Once purchases are complete, attackers launder money by converting it to cryptocurrency, then may further clean it by mixing it with other cryptocurrencies from other sources. Trend Micro researchers point to easy laundering-as-a-service providers CleanCoin and Bitcoin Mixer. The attackers may then cash out through bank accounts, shop for bank cards, reinvest, or invest in other crimes.

The researchers hint that online gaming exploits may be a sort of gateway drug for amateur attackers -- an activity that may inspire them to engage in more serious criminal endeavors. Researchers present the example of Saudi Arabian hacking group OurMine, which began by attacking Minecraft and FIFA, then progressed to DDoSing the financial sector.

Further, experienced cybercriminals -- including Lizard Squad and the Armada Collective hacking groups -- are already using the profits made from online gaming attacks to finance other illegal endeavors.   

"There is evidence," says the report, "that these threat actors used their ill-gotten gains to commit damaging forms of cybercrime."

Trend Micro points out that involuntary human workers forced into "gold farms" and impressionable youth are some of the victims of online gaming attacks. 

But the biggest victims are the gaming companies. The vast majority of games prohibit real-money trading and players "invest a certain amount of trust in the game–which revolves around the belief that advancement in the game is done in a fair method. Therefore, this trust is shattered when players learn about the prevalence of RMT for gaming currency," says the report.

"Upon learning that, players may opt to abandon the game completely. This reaction shall immediately translate into a huge loss of revenue for the game publishers and developers."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
