A scenario involving cybercriminals using techniques developed by state-sponsored cyberespionage groups sounds like a plot point in a video game, but the Winnti crew aren’t the villains in some new release. These Chinese hackers are very real, and online games are their target.
The group has been conducting a long-running cybercrime campaign targeting online gaming companies worldwide, Kaspersky Lab reported this week.
Winnti has been stealing digital certificates that legitimate software vendors use to sign their software, along with intellectual property including source code, Kaspersky said.
Kaspersky discovered in 2011 that many gamers were infected with the same malicious Trojan, but it wasn’t the gamers or their respective information that Winnti was apparently after — it was the game developers’ code. The group targeted more than 30 companies across the world and, among other things, may have stolen in-game currency to sell for real money.
“The Winnti operators are actively harvesting legitimate digital certificates that are used by these victim companies to sign broadly installed software, which is of high value to attackers,” said Kurt Baumgartner, senior security researcher for Kaspersky Lab.
“These certificates further enable future Winnti attacks and other threat actors in their further attacks around the globe,” he added.
“Secondly, the Winnti group potentially is monetizing their own access to intellectual property and game servers, but we cannot verify these strong possibilities,” Baumgartner told TechNewsWorld. “It seems reasonable that a coordinated multiyear effort like this one would need financial support of some sort.”
Virtual Money Worth Big Dollars
It might sound like a lot of effort to steal currency that can be used only for virtual items in a game, but many online games have thriving economies.
“There could well be (US)$1 billion in virtual currency stored in gamers’ accounts worldwide,” said Lewis Ward, IDC’s research manager for gaming.
Some players will pay good real-world money for something that is virtual, which creates an opportunity that might simply be too good for thieves to pass up.
“It is a huge market, and it is still growing,” said Scott Schober, CEO of Berkeley Varitronics Systems. “If the thieves can get access to the source code, they can slip in some stuff that can scarf up the information, and this could include skimming some virtual currency so that gamers don’t even notice.”
Still, online currency can be just as difficult to fence as real currency, diamonds or other stolen loot.
“Perhaps the idea was to fly under the radar and amass this currency and then quietly sell it to gamers in a virtual black market at a discount,” Ward told TechNewsWorld. “In any event, this breach is yet more evidence that all game companies need to remain vigilant from a security perspective, because MMOGs in particular are becoming significant repositories of digital cash.”
Stopping the Thieves
One of the reasons this continues to be a problem is that gamers don’t often consider these threats.
“When you’re buying something with your credit card, you associate it to your money and wallet, and in games you aren’t thinking of the risks of getting hacked,” Schober added. “It is a newer threat, as it has only been done on a smaller scale, but there will likely be copycats that will try to outdo this larger hack.”
What’s crucial is how software developers react. Developers and game publishers must protect their respective investments, not only to safeguard users’ data but also to ensure that criminals don’t destroy a game’s economy.
“Some gaming developers’ awareness and practices have been improved since the start of the events, and we hope that will spread to other potential victims,” said Kaspersky’s Baumgartner. “The security community is also more aware and continues to investigate malware signed with Winnti-stolen certificates to better defend their customers as well.”
The fact that these economies are now so large is only going to ensure that this problem continues, and thieves will look at new opportunities to steal the virtual cash. However, this could just be a precursor to threats against virtual currency used outside of gaming.
“The defense against theft is to further harden the systems that control this economy,” said Rob Enderle, principal analyst at the Enderle Group. “The bigger concern is that the systems governing the electronic transfer of real cash are often not that much more advanced, and artificial cash like Bitcoin has been trending up.”
With gaming devices increasingly requiring always-on connections, thieves will be finding new opportunities to exploit holes and penetrate systems.
“The always-on exposure comes down to how the client systems are secured and monitored,” explained Enderle.
“This isn’t just game systems — the entire security structure is based on catching a thief after they break in, which is increasingly too late,” he pointed out.
“They can make as many attempts as it takes to break into a system, largely unnoticed,” Enderle said. “An always-on system that isn’t monitored for this activity — and most game and client systems aren’t — almost ensures a hacker will eventually find a way to the cash, virtual or otherwise.”