The online gaming industry (and some of its less patient players) is getting walloped by cyberattackers who are exploiting games, stealing in-game currency, and selling it for real-life profits that may fund more serious cybercrime. A key attraction for attackers is that much of the process is not, strictly speaking, criminal at all.
Worldwide, online gaming is a $91.8 billion industry, according to Newzoo's latest Global Games Market report. A new Trend Micro report published today uncovers cybercrime in online gaming, specifically in the context of competitive games that require the user to be connected to the Internet.
For some games, "real-money trading" is an expected part of the community. As an expedient to earning in-game currency -- tokens, coins, Elder Charms of Good Fortune -- players exchange their real money for in-game currencies so they can buy their warriors new tools or help them survive difficult challenges. Players may also barter their possessions with other players in online marketplaces.
The majority of the games, however, consider this sort of trading -- particularly when cash, not in-game goods, is exchanged -- against the spirit of competition. They prohibit it, and if they suspect a user has advanced through these means, they may suspend the account.
The activity may be prohibited by the gaming company and frowned upon by some players, but it isn't illegal. Because trading in gaming currencies, even when real money is involved, is not illegal, governments do not intercede to shut the sites down. According to the Trend Micro report, "There are also no laws set to indict a person involved in hacking, glitching, or even buying online gaming currencies, even if it were done through the use [of] third-party programs or exploits."
Attackers have used a variety of exploits to steal not only users' in-game items and currency, but also their credentials -- which might be used in subsequent attacks outside of the game. Some sneak their way into game add-ons, others into malvertisements. Some go after development software or gaming company Web servers.
Remote Access Trojans (RATs) have become the preferred type of malware for attacking gamers because they can grab credentials in addition to other items, the report says. Password stealers like Lolyda, Helpud, and Dozmod affect a variety of games.
The report also calls out other malware, including Frethog, Stimlik, Winnti, Legmir, Onlineg, Enterok, Kuoog, Tarcloin, Zuten, Usteal, Urelas, and Cryptlock.
Another trick in the game-attacker's toolbox is "glitching." That's where the attacker causes a glitch in the game that, for example, tricks a player into buying the same item over and over and sending that money elsewhere, or tricks the game into granting the player a larger sum of currency in a shorter period of time than it should.
Perhaps the most dreadful method is "gold farming." That's a methodical process of grinding out the same actions over and over to earn currency. So valuable has gaming currency become that gold farming has actually led to sweatshops. The Trend Micro report cites a 2011 report by The Guardian that a Chinese prison profited by forcing its prisoners into gold farming.
Attackers have also used phishing and "duping," which is simply making multiple copies of the same virtual item to sell.
Excepting the behemoth mobile device target of Pokemon Go, researchers named PCs as the most-targeted platform. Attackers already have more experience with, access to, and exploit tools for PCs than they have for discrete gaming systems, which contributes to the appeal of targeting PCs.
The games that were most commonly targeted by currency thieves were those that were most popular and/or most competitive. Players may compete to amass the most rare or valuable loot; acquire assets that will help them level-up to beat other players or surpass difficult levels; or simply save time by buying stronger characters/teams instead of building them.
Many of the most commonly targeted are massively-multiplayer online role-playing games (MMORPGs) like World of Warcraft (5.5 million paying players strong), Final Fantasy, League of Legends, and Guild Wars. There is also a smattering of sports and platform games, including FIFA 16, Grand Theft Auto V, and Minecraft.
Attackers advertise their stolen currency and power-ups on Facebook and other social networks. They also advertise their game exploits on the Deep Web, and provide live chat support for customers.
Once purchases are complete, attackers launder money by converting it to cryptocurrency, then may further clean it by mixing it with other cryptocurrencies from other sources. Trend Micro researchers point to easy laundering-as-a-service providers CleanCoin and Bitcoin Mixer. The attackers may then cash out through bank accounts, shop for bank cards, reinvest, or invest in other crimes.
The researchers hint that online gaming exploits may be a sort of gateway drug for amateur attackers -- an activity that may inspire them to engage in more serious criminal endeavors. Researchers present the example of Saudi Arabian hacking group OurMine, which began attacking Minecraft and FIFA, then progressed to DDoSing the financial sector.
Further, experienced cybercriminals -- including Lizard Squad and the Armada Collective hacking groups -- are already using the profits made from online gaming attacks to finance other illegal endeavors.
"There is evidence," says the report, "that these threat actors used their ill-gotten gains to commit damaging forms of cybercrime."
Trend Micro points out that involuntary human workers forced into "gold farms" and impressionable youth are some of the victims of online gaming attacks.
But the biggest victims are the gaming companies. The vast majority of games prohibit real-money trading, and players "invest a certain amount of trust in the game -- which revolves around the belief that advancement in the game is done in a fair method. Therefore, this trust is shattered when players learn about the prevalence of RMT for gaming currency," says the report.
"Upon learning that, players may opt to abandon the game completely. This reaction shall immediately translate into a huge loss of revenue for the game publishers and developers."