MMO Security: Are Players Getting Played?
The design of online game architecture creates an open door for hackers, whose methods of operating thrive on exploits to enhance the opportunity for cheating. For instance, players' coordinates can be manipulated without other players knowing it. Cheaters can make real money at these games by generating counterfeit virtual wealth that can be distributed and converted into real wealth.
11/27/07 4:00 AM PT
The video gaming industry has seen huge growth over the past few years with the emergence of the massively multiplayer online (MMO) model. These video games, examples of which include "World of Warcraft" and "EverQuest II," allow thousands of players to interact simultaneously over the Internet in a persistent virtual world.
Free multiplayer games abound on the Internet, but millions of hard-core players ultimately gravitate to the subscription-based wares. For instance, "World of Warcraft," the largest of these games, recently surpassed nine million subscribers worldwide. Each of these subscribers to "World of Warcraft" is paying US$15 a month to play the game.
In the bad-guy realm of life online, hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist.
"Online gaming sites are a major distribution vehicle for malware. Malware payloads target specific games," John Carmichael, security trainer and engineer for Security Innovation, told TechNewsWorld.
Much of the security risk lies in the game distribution platform itself. This structural situation all but wipes out the reliability of consumer-based computer security measures.
The gaming platform can't synchronize too many users at one time, so the game providers put a large chunk of their software on the client computer.
"This is outside the control of the Web site's trusted zone in players' Web browsers," Gary McGraw, security expert and author of the book Exploiting Online Games, told TechNewsWorld.
As a result, traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses.
"All the virus and malware software is reactive in nature. Nothing exists yet which is proactive. This is a similar problem faced by banking Web sites," explained Carmichael.
Safer at Work
Online game providers can take steps to shore up security issues, according to McGraw, but many do not. This is a critical problem, because online game sites attract one of the largest user bases for Web 2.0 applications.
Enterprise computer networks, ironically, are much more prepared to fend off intrusions aimed at Web 2.0 apps than are home-based consumer computers, he noted.
"In the enterprise space, networks are protected by intrusion protection systems. This involves much more security than the firewall used by consumers. The firewall is completely useless against game site malware," cautioned Carmichael.
Intrusion protection systems rely on high-volume traffic for their packet inspection techniques. This would cause a lot of interference to game players if run on home computer systems. In the game-playing world, unencumbered performance is essential to beat competitors in virtual challenges.
"So a temporary protection is for game players to play at work," Paul Henry, security expert and vice president of technology evangelism at Secure Computing, told TechNewsWorld, discussing the risks consumers face in pursuing their online game passions.
New Attack Vectors
Lots of people, especially in Southeast Asia, play online games for real money. This has created a vast underground of black hat hackers, Henry said. The payload targets game players' credentials. Of course, other aspects of cheating are involved as well.
Security researchers recently discovered a new attack methodology that uses Java scripts planted on Web sites populated by game players, Henry said. The script is designed to steal gaming credentials. A recent investigation found 66,000 Web sites had this Java attack script.
"These attack scripts and Trojans are under the radar," he added. "They are not detectable by antivirus scanners. Hackers have gotten pretty smart. Every version they pump out has new signatures to defy detection."
The evidence is growing that Web sites themselves are one of the primary attack methods used by hackers. The same servers that hosted malware used in the recent Super Bowl NFL security breach also host the malware used for online gaming attacks, Henry noted.
Organized cheating is often the driving factor behind attacks on gamers. The design of online game architecture creates an open door for hackers, whose methods of operating thrive on exploits to enhance the opportunity for cheating, according to McGraw.
For instance, players' coordinates can be manipulated without other players knowing it, he explained. Cheaters can make real money at these games by generating counterfeit virtual wealth that can be distributed and converted into real wealth.
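As an added illustration (not from the article, its sources or any game vendor's code): a minimal server-side plausibility check on client-reported coordinates, the kind of state the article says can be manipulated when game logic runs on the client. The speed limit, tolerance factor, function names and sample updates are assumptions made for the example.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0   # assumed game rule: world units per second
TOLERANCE = 1.25  # assumed slack for network jitter

@dataclass
class PlayerState:
    x: float
    y: float
    t: float  # server receive time of the last accepted update (seconds)

def validate_move(state, x, y, t):
    """Check a client-claimed position against the server's own copy.

    t must be the server's receive time, never a client-supplied clock.
    Returns (verdict, state); the state only advances on "accept".
    """
    if not all(math.isfinite(v) for v in (x, y, t)):
        return "reject:malformed", state
    dt = t - state.t
    if dt <= 0:
        return "reject:stale", state
    dist = math.hypot(x - state.x, y - state.y)
    if dist > MAX_SPEED * dt * TOLERANCE:
        return "reject:too_fast", state  # teleport or speed hack
    return "accept", PlayerState(x, y, t)

def replay(updates, start):
    """Run a sequence of (x, y, t) claims through the validator."""
    state, verdicts = start, []
    for x, y, t in updates:
        verdict, state = validate_move(state, x, y, t)
        verdicts.append(verdict)
    return verdicts, state

# Constructed sample updates, starting from (0, 0) at t = 0
UPDATES = [
    (3.0, 4.0, 1.0),           # 5 units in 1 s: plausible
    (500.0, 500.0, 1.1),       # hundreds of units in 0.1 s: teleport
    (6.0, 8.0, 2.0),           # measured from last accepted position
    (6.5, 8.0, 2.0),           # no time elapsed since last accepted update
    (float("nan"), 0.0, 3.0),  # non-finite coordinate
]

if __name__ == "__main__":
    verdicts, final = replay(UPDATES, PlayerState(0.0, 0.0, 0.0))
    for update, verdict in zip(UPDATES, verdicts):
        print(update, "->", verdict)
    print("server-side position:", final)
```

Rejected claims leave the server's copy untouched, so other players continue to see the last position the server accepted rather than the one the client asserted.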
"Cheating is a big factor in the security issues. The hacking underground deals with $200 million per month in players' money," said Carmichael. "This affects customer retention. It is no fun anymore if somebody is cheating."
This unfair playing field, coupled with the malware attacking gamers, makes for a bleak, no-man's-land mentality. The game provider industry is aware of the problem, he asserted. However, dealing with it involves performance and reliability issues that pose problems for gamers.
"This is viewed as one of the top 10 concerns in the industry today," Carmichael remarked.
Some Web sites with malicious content attempt to lure gamers to access them or download Trojans and password stealers. Very common are tricks for stealing "World of Warcraft" account information, for instance.
"The reason is that this game world has become a micro economy with goods being sold for real money. Links to malicious sites and malicious code itself can be sent in e-mail, instant messengers and even appear in hacked Web pages or Web ads sponsored by attackers and published in legitimate sites," said Ofer Elzam, director of product management for Aladdin eSafe at Aladdin Knowledge Systems.
Various pieces of malicious code target gamers and try to steal game product keys so pirates can play illegally obtained copies using a legitimate buyer's code. Also, gamers could be tempted to download and install various beta games and free add-on content that might contain malicious code, Elzam warned.
Online game players can protect themselves somewhat by practicing rigid safe computing. This will help them avoid some of the lures that would attract them to malicious Web sites. Keeping systems up to date and scanned regularly will also provide some assurances that infections have not succeeded.
However, many of the stealth attack methods will remain undiscovered, even with a higher level of awareness. Players who use Microsoft Internet Explorer will remain directly in the line of hackers' fire.
"Most of these gaming attacks target ActiveX exploits in Microsoft IE. So the biggest risk is for Windows users," warned Henry.
However, the other platforms are not perfectly safe, he said.
Aladdin eSafe provides online protection from malicious code and infected Web sites. The company's security products help block exploits in hacked sites, blogs and gamer-targeted spam attacks. It also blocks access to known malicious sites.
Released as a free public beta in September, Check Point's ZoneAlarm ForceField is a browser-based security product designed to safeguard Web surfing and online activities such as game playing. ForceField checks downloads for malicious content and protects Web sessions from threats already on the PC, like spyware and keyloggers.
Trend Micro recently released a Web security service for PlayStation 3 that will be free of charge until the end of April 2008. This service is developed as a module especially for PS3 using Trend Micro's own URL filtering technology. Users can block access to Web sites based on specific categories by going to the PS3 Internet Browser menu.