Wednesday, November 26, 2008

Cybercriminals making a killing on magic swords

(via Pangloss) The European Network and Information Security Agency (ENISA) has published a report about the prevalence of cybercrime against virtual world inhabitants. The report states that:

"2007 was the year of online gaming fraud – with malicious programs that specifically target online games and virtual worlds increasing by 145% and the emergence of over 30,000 new programs aimed at stealing online game passwords. Such malware is invariably aimed at the theft of virtual property accumulated in a user’s account and its sale for real money."
Pretty interesting, considering that the real-world value of virtual goods is growing, with some experts placing the total GDP of virtual worlds in the trillions of dollars. As these virtual goods become more likely to be exchanged for real money, they will continue to be a target for hackers and cyber-criminals intent on removing online gold and other valuables to sell them on virtual markets in exchange for real currency.

The likeliest virtual robbery scenario is that of a gamer whose password is stolen: the criminal logs in to the account and removes all gold and tradeable valuables, which are then sent to a third party and probably moved once more to obscure the trail of the goods. The gold is then sold to third-party gold sellers in China, where it is exchanged for real money when some gamer buys it.

The report also has a likely scenario for attacking guild banks.
"In games such as World of Warcraft, in-game guilds have banks where they store their most valuable items. Full access to such guild banks is limited to players high in the guild hierarchy. However guilds often have web sites open to guests where information such as email addresses, instant messaging usernames and social networking details, are available. Members of the guilds are also active in forums. This leads to the following attack scenario:
• Attacker visits guild sites or forums and checks in the MMO/VW to gather a list of high-ranking officers in the guild and their contact information.
• This is used to gain account information that can be used for social engineering, phishing, hacking, etc.
• Attacker logs in as a player, accesses guild bank, and sells all items.
• Attacker changes account details so a player cannot login."
I have heard from WoW players and guilds who have been victims of such attacks, but I had no idea of the scale of the problem. As the report rightly points out, this type of cybercrime usually goes unreported, and it is not hard to imagine that law enforcement bodies around the world will be highly sceptical about crime that amounts to someone stealing a magic sword, or currency that is not seen as any different from Monopoly money. However, these crimes have real value, and they are a worrying trend.

Hmmm... I wonder if my online characters still have their gold intact.
