Online games and fraud: a source of easy money

Written by renxue February 25, 2008 09:56

Kaspersky Lab has released an analytical article entitled "Online games and fraud: a source of easy money". The article is authored by Sergey Golovanov, a virus analyst with the company.

The article explains why online games have become so popular in recent years: they involve exploring magnificent virtual worlds and completing tasks - known as quests - which gain the players money, valuables and experience, not points as in a more traditional computer game. They can be purchased at stores or downloaded from the Internet, but in order to play there is usually a monthly subscription fee. The money from these monthly fees covers traffic costs, support for game servers and game development. New online games appear every year, and the number of players is constantly increasing.

Online games are played on both legitimate and rogue game servers, which appear in approximately equal numbers. Rogue servers are very popular among users such as students and adolescents who have very little money - why waste money on subscription fees if it's possible to play the same game for free on a rogue server? However, the author stresses that rogue servers are often set up with the aim of making money not from subscription fees, but from the sale of virtual items to players in exchange for real money. Such sales may also be conducted by the administrators of official servers, depending on the server policy.

The author poses an interesting question: if server administrators are selling in-game items, is it legitimate for the players themselves to sell such items? The answer is yes, and this is often done in defiance of administrative rules. Certain sites on the Internet contain detailed information on the price of various in-game items, although such deals are, more often than not, illegal.

Any in-game item can have a price in real money, which depends on demand. If there is a demand for certain in-game items or confidential data, they will be stolen. With particular knowledge, it is relatively easy to conduct such thefts - most game servers use passwords for authentication. Cyber criminal activity is often blocked by the administrators of official game servers. However, criminal or dubious activity is unlikely to be investigated by the administrators of rogue servers, and victims cannot rely on the support of the administrators.

Online gamers are constantly targeted by cyber criminals, who use several methods in order to steal confidential data:

  1. Social engineering.

One method used by cyber criminals is to enter a game or a forum on a game server and offer a bonus, or help in the game, in exchange for other players' passwords. Naïve players looking for ways to make their life easier will often be tempted by such offers.

Another well-known social engineering method is phishing, where the cyber criminal sends phishing emails, purportedly from the server administrators, which invite the player to authenticate his/her account via a website linked in the message.

Although such password harvesting techniques are simple and reasonably effective, they don't result in much profit for malicious users, as more advanced, "wealthy" players don't take the bait.

  2. Exploiting game server vulnerabilities.

Just like any other software, game server code contains programming errors and bugs. Such potential vulnerabilities can be exploited by cyber criminals to gain access to server databases and harvest player passwords or password hashes (encrypted passwords that can be decrypted using dedicated programs). For instance, there is a known vulnerability linked to in-game player chat which arises if the chat environment is not isolated from the game database. This makes it possible for a malicious user to harvest passwords directly from in-game chat.

The author highlights the fact that malicious users can exploit the system designed to remind users of forgotten passwords. The article also stresses that the number and type of vulnerabilities are directly linked to server status - creating patches for rogue servers (if the administrators bother to do this) takes longer than patching vulnerabilities on official servers.

Exploiting game server vulnerabilities does require a certain amount of technical skill, which is why this method is not widely used.

  3. Using malware.

This topic is covered extensively in the article. Malicious programs designed to steal passwords are spread using all means possible. Both malicious programs specifically tailored to steal any passwords and malicious programs which only target online game passwords may be used.

Programs classified by Kaspersky Lab as Trojan-PSW and Trojan-Spy (which intercept data entered via the keyboard and then transmit it to a remote malicious user) and variants of the Trojan.Win32.Qhost family (which modifies the hosts file containing the mapping of network addresses to domain names) are used to harvest passwords. Trojan-Spy.Win32.Delf has similar functionality, but configures a fake proxy server within the browser which is used when connecting to online game servers.

Using malicious programs to harvest passwords has proved effective and simple, and consequently very popular.

The article also covers the evolution of malicious programs which harvest passwords. The first recorded use of a malicious program to steal user passwords to online games was in 1997. Cyber criminals initially used classic keyloggers. The first Trojan specifically designed to target online games was Trojan-PSW.Win32.Lmir.a, which harvests passwords to "Legend of Mir". This program was the forerunner of a generation of Trojans targeting a wide range of online games.

Trojan-PSW.Win32.OnLineGames.a was another significant development, as this Trojan targets nearly all popular online games. Each new variant includes new games to be targeted.

A modern Trojan designed to steal passwords for online games is typically a dynamic library written in Delphi that automatically connects to all applications launched in the system. When it detects that an online game has been launched, this kind of malicious program intercepts the password entered via the keyboard, sends the data to the malicious user's email and then deletes itself.

In addition to using Trojans to steal passwords, worms are also widely used. Their advantage is that they are able to infect executable files and to copy themselves to removable and network disks, as well as spreading via email.

Currently, the most recent achievement by those writing viruses for online games is the polymorphic Virus.Win32.Alman.a and its successor, Virus.Win32.Hala.a. In addition to the ability to infect executable files, these programs are able to spread via network resources, mask their presence in the system, and contain a backdoor function.

The authors of malicious code also attempt to protect their programs against antivirus solutions by using packers, anti-antivirus technologies, and rootkit technologies, which mask the presence of the malicious program in the system. Recent malicious programs which target online games include all three types of self-defense mechanism.

The article also examines how attacks are conducted using a worm in order to harvest online gaming passwords. Malicious users create a worm with multiple functions: an email worm, network worm, p2p worm, rootkit, executable file infector and password stealing functionality all in one package. The worm will then be mass mailed, and an incautious user who clicks on a link in a malicious message can find himself in an unenviable position.

The author covers password theft in terms of geographical location, stating that over 90% of all Trojans targeting online games are written in China, and 90% of the passwords stolen by these Trojans belong to players on South Korean sites. Computerization and the rapid growth of IT in Russia have naturally also had an impact on the evolution of computer entertainment - online games which do not have a separate client, but which are played within the browser have become extremely popular. This popularity has led to an increase in phishing attacks in which messages containing links to cloned gaming sites are spread. The article also includes statistics demonstrating the increase in the number of malicious programs, and the extent to which individual games are targeted by cyber criminals.

The author concludes that those making a living from other people's virtual property are almost immune from a legal point of view. It is the game developers themselves who should tackle this issue, in conjunction with antivirus companies. In 2004, an agreement between Kaspersky Lab and the developers of the Russian online game Fight Club made it possible to prevent the theft of thousands of passwords and the sale of in-game items which would have been worth a five figure sum in 'real' US dollars.

The article concludes by expressing the opinion that those who are being targeted (i.e. the gamers) should take matters into their own hands by using common sense, exercising caution and installing the best security solution available.