The Growing Perils of Online Game-Play
Sep 8, 2008 6:30 AM PT
As massively multiplayer online role playing games (MMORPGs) such as "World of Warcraft" (WoW) and virtual worlds such as Linden Labs' Second Life continue to attract millions of users, they have also begun to attract cybercriminals, according to a recent report from ESET, a software security vendor.
"Criminals follow the money trail, regardless if it's physical or not," Jeff Debrosse, director of research at ESET, told TechNewsWorld.
The security risk to online gamers has topped ESET's threat list for the past few months and the firm's statistics indicate the problem is growing.
"In July, Win32/PS@.OnLineGames -- a password-stealing Trojan -- was 12.72 percent of all threat detections," Debrosse noted. "One month later, [in] August, that same Trojan was at 16.13 percent. A 3.41 percent increase in the reported number of threats is tremendous."
Looking broadly at Internet security, online gaming-related threats are still a small minority, said Richard Wang, U.S. manager at SophosLabs.
"The most evident way in which the hackers are trying to separate the average user from their hard-earned cash is the massive effort to sell fake antivirus and security software," he told TechNewsWorld.
Hackers, according to Wang, principally target the most popular games -- "WoW" and "Lineage," for example -- as well as those for which a real-world market exists for virtual goods.
Cybercriminals find that real-world market in spades within "Second Life."
There's definitely money floating around in the virtual worlds -- and the amount is growing, Debrosse said.
Second Life residents are contributing to a growing trend called "real-money trading," (RMT) which involves the exchange of virtual assets for real-world currency. A lot of it is black-market activity with fraud and theft running rampant, but there are real grassroots efforts into legitimizing RMT, according to Debrosse.
For instance, in Second Life there is an exchange rate for converting Linden dollars to U.S. dollars. There are virtual millionaires who, if they were to liquidate their virtual assets, would be sitting on a large sum of money in the "real world."
With some in-game characters amassing substantial assets -- and considering the growth of the online gaming world -- it is easy to see how just 100 stolen accounts could support an independent criminal, Debrosse pointed out.
Adding to the problem are gamers who choose not to protect themselves, Debrosse pointed out.
"They have that typical human thought that 'it's not going to happen to me because I use safe practices and don't have questionable behavior online,'" he noted.
Online gamers can take action to protect themselves.
"Don't share your login details with anyone," advised SophosLabs' Wang.
"Ensure that security software is up to date on any computer you use to log into the game. Don't be tempted to use cracks or tools, which promise to play while you sleep," he warned.
"Some of these are just tricks used by the hackers to gain access to your computer so that they can steal your credentials next time you play. Your online gaming credentials are just another part of your identity. Players pay a monthly subscription to obtain and use those credentials and, sadly, anything that one person is willing to pay for, someone else is willing to steal," he observed.
Keeping game logins confidential is crucial. A criminal who has gained access to a player's login detail can choose to either sell the character completely, transfer virtual assets to other players for real-world cash, or use in-game account management systems to gain further information about the player for potential identity theft.
Players should avoid clicking on an unsolicited link sent by someone in an instant message or chat session, recommended Debrosse. The link may have been sent to the recipient via malware or an infected machine. Since gamers tend to chat with other gamers, this sort of attack can quickly go viral.
Gamers should also avoid going to gaming or other Web sites while logged into their primary gaming computer with administrator privileges. Even a site that is not intentionally malicious can be compromised via an SQL injection attack or some other method to implement XSS or XSRF (Cross-site Scripting or Cross-site Request Forgery). Then, casual visitors to the site could have malware -- password-stealing Trojans, keyloggers, etc. -- pushed to their machines, he explained.
Logging in without administrative privileges lessens the risk of malware installing itself on a host system.
Finally, users should not try to save money by purchasing a "cracked," or pirated, copy of gaming software. It could wind up costing them a lot more than a legitimate copy of the game would have cost.
"A lot of these 'free,' or cracked pieces of software have been intentionally infected to take advantage of the person willing to steal the software," Debrosse concluded.