Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Spike in Security Threats To Online Games

Posted by Soulskill on from the i-blame-world-of-warcraft dept.

Gamasutra reports on data from security software firm ESET, which shows a major increase in the number of gaming-related security threats over the last year. They attribute the rise in attacks to the amount of money involved in the games industry these days. ESET's full report (PDF) is also available. "[ESET's research director, Jeff Debrosse] explains: 'It's a two-phase attack. If someone's account was compromised, then someone else can actually [using their avatar] during a chat session, or through in-game communication... they could leverage that people trust this person and point them at various URLs, and those URLs will either have drive-by malware or a specific [malware] executable. What ends up happening is that folks may end up downloading and using it. This is just one methodology.' These attackers also target gamers in external community sites, says Debrosse, through 'banners on websites or URLs in chat rooms or forums' — which can lead to unsafe URLs. 'If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.'"

48 comments

  1. Considering the Rush Job... by WiiVault · · Score: 2, Insightful

    that most games are these days it seems inevitable. The last few years it seems the mentality has been to ship first patch later.

    1. Re:Considering the Rush Job... by gujo-odori · · Score: 3, Informative

      This being /. and all, I didn't bother to read TFA, but phishing targeting online games is out there, too. I maintain an anti-phishing ruleset, and I first published rules targeting WoW phish over 6 months ago. The target of the phish was login credentials for WoW.

    2. Re:Considering the Rush Job... by Drumforyourlife · · Score: 2, Interesting

      This isn't a problem with the games themselves, just the users who are playing the games. There have to be very strict punishments for people who are caught abusing the trust of the community. Good rule of thumb: If it's not in the game, don't click it. This applies to clan sites, FAQ's, Walkthroughs, all of it. Just don't do it unless you can be certain that it's a reputable site you're going to.

    3. Re:Considering the Rush Job... by TreyGeek · · Score: 1

      Yup, the big money being made from WoW is to steal a person's login information. Log into the compromised account and 'trade' the characters property and gold to another character, friendly with the attacker. The gold is then sold for real life money through a third-party website.

      I'm sure someone can come up with the step-by-step directions on how to profit, but I'm feeling lazy atm.

    4. Re:Considering the Rush Job... by cb_is_cool · · Score: 2, Funny

      http://penny-arcade.com/comic/1998/12/21/ Prophetic!

      --
      cb_is_cool knows where his towel is.
    5. Re:Considering the Rush Job... by masshuu · · Score: 1, Funny

      1. Make Keylogger
      2. Post on WoW site
      3. ???
      4. PROFIT!!!
      5. Lawsute from various people

      --
      O.o
    6. Re:Considering the Rush Job... by cbiltcliffe · · Score: 2, Insightful

      Only the last few years?

      Games have frequently been crap for the first release for a decade or more. I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet.

      Not that good programming would prevent problems for idiots that get caught by phishing scams, though.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    7. Re:Considering the Rush Job... by Ambiguous+Puzuma · · Score: 2, Interesting

      Step 1: Steal (or scam or otherwise obtain) login info for one character.
      Step 2: Log in as that character.
      Step 3: Find another player that appears to have a pre-existing relationship with the account owner.
      Step 4: Convince that player that a family member suddenly died, and that he can't afford the bus/plane ticket to be able to attend the funeral.
      Step 5: Profit (via Western Union).

      Unfortunately this actually happened to someone I know. She was out $300 as a result of this scam. Normally she wouldn't fall for something like this, but the compromised account happened to belong to someone she had known for several years.

      Note that this doesn't require a game bug or other vulnerability--it can be accomplished entirely through social engineering.

    8. Re:Considering the Rush Job... by Buelldozer · · Score: 1

      "I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet."

      Huh? How did you get modded insightful? Internet gameplay is way more than 2 years old.

      I was playing Quake II on the Internet back in '97.

      I was logging 40 hours a week in online clan play for Star Trek Voyager from 1999 to 2002.

      This new fangled Internet thingie has had games being played on it for more than a decade now.

    9. Re:Considering the Rush Job... by cbiltcliffe · · Score: 2, Informative

      Sure, but WoW and the like are immensely more popular than Quake II Internet play.

      It's also not possible to play WoW solo, is it?

      Sure, you were playing STV online from 1999 to 2002, along with a few hundred other people.

      World of Warcraft hit 10 million subscribers in January of 2008. It's probably bigger now, a year later.

      It's a significantly different situation than it was in 1997 when you were playing Quake online.

      And come on. 40 hours a week gaming for 4 years? Do you seriously think you're statistically average with that? You're probably an outlier to the outliers......

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    10. Re:Considering the Rush Job... by cbiltcliffe · · Score: 1

      Just looked it up. Yes, WoW is bigger, now. It's over 11.5 million subscribers.

      Seriously....tell me that there were as many online gamers for all Internet-capable games in 2000 as there currently are for just WoW.

      You can't do it, because the very idea is laughable.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    11. Re:Considering the Rush Job... by 4e617474 · · Score: 1

      Games have frequently been crap for the first release for a decade or more.

      More, much more. Over twenty years ago, the first release of Pools of Radiance crashed if you entered any of several dungeons. Pretty ballsy when you had to call a telephone number to have someone snail mail you a stack of floppy disks.

      --
      Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
    12. Re:Considering the Rush Job... by X0563511 · · Score: 1

      6. Laugh, because you are in some ass-backwards country where the lawsuits can't reach you.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    13. Re:Considering the Rush Job... by Opportunist · · Score: 2, Interesting

      And this is where you can easily put a stop on the problem: Ask for a phone number. If you have known someone for years, it is likely that you know where they live, or at least that you have a more or less good idea from the things you two discussed. When your friend refuses to give you their phone no when they want money from you, I guess it can't be so dire. And when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:Considering the Rush Job... by Opportunist · · Score: 2, Informative

      What should be punished? A person you have known for years tells you "Oh Bob, this is SO cool, you gotta check it out!" Problem is just, it's not the person you knew but someone who hacked his account.

      Imagine NewYorkCountryLawyer posting a link here. Will you follow it? Probably. Why? Because you know that his links are usually quite informative. And this here is /., the average computer clue level here is way above anything you find in WoW or similar games. You might still be wary where it leads to, but I guess many will follow it. Some of the better hidden info is on more or less obscure pages. And how many here check EVERY SINGLE link they follow, especially when in an article where the usual information about the real target URL is not displayed? It's after all an "approved" article...

      I can't see how anyone can be punished for anything. The person who followed the link? Why? The person whose account has been hacked? Why? The person who hacked the account? How?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:Considering the Rush Job... by Anonymous Coward · · Score: 0

      A little something called VOIP ruins your plans - it's as easy as can be for anyone, anywhere, to get a valid phone number that looks like your next door neighbor

    16. Re:Considering the Rush Job... by cbiltcliffe · · Score: 2, Informative

      You're not listening.

      Yes, these types of games existed in 2000 or so.
      But the category is massively more popular now than it's ever been. I'd guess there were a few hundred thousand people worldwide during any given month that played games online in 2000.

      Now, there are over 11.5 million people that are paying a subscription to play just one particular online-only game in a given month. That says nothing of all the other games that can be played online today.

      Also, WoW has individual accounts that persist for as long as the subscription, allowing the player to build up quite a reputation, significant abilities, and valuable in-game resources.

      Counterstrike, on the other hand, you start from scratch every time you play. No value, no persistence.

      Like I said...it's not the same market, and not even remotely the same size.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    17. Re:Considering the Rush Job... by Anonymous Coward · · Score: 0

      But he still sounds chinese.

    18. Re:Considering the Rush Job... by Penguinoflight · · Score: 1

      You seem to be confusing the idea of currently online players with subscribers. Truth is, it's very difficult to tell how many users there were on any particular game back in 2000. Most of the games weren't strictly subscriber based, and without monthly fees even the ones that were (like TEN, Internet Gaming Zone, Mplayer, etc) all had free options so many users could have multiple accounts.

      In truth there probably were a few less than 10 million users playing online games, but that's considering users played more than one game. I for example had accounts on TEN, IGZ, mplayer, and probably a few other services that I've forgotten by now. The same idea exists with WoW; check craigslist, I'm sure you'll find a few accounts being sold publicly for your area.

      --
      "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
      1 John 4:14
    19. Re:Considering the Rush Job... by Archangel_Azazel · · Score: 1

      Are you trying to tell me that there was no 8.0Gbit high speed servers in 2000? SERIOUSLY???!!!111

      Of *course* the market is different. We've steadily increased the things we can do with a home computer, along with the speed and capacity of the 'affordable' internet services. What you're arguing is akin to "well, a 2008 Mustang is WAY faster than a Model A man!!!"

      As a side note, the idea of PAYING for a game over and over and over and over again is just strange to me. Granted over the past few months I've done some checking and it would seem that it's not just paying for the privilege of being able to play the game online, which is basically what it started out as. I can actually get behind the whole "downloadable expanded content" idea. Took them long enough though :P

      GET off my LAWN!! :)

      A.A.M

      --
      Your mind is like a parachute. It works best when it's been opened.
    20. Re:Considering the Rush Job... by Opportunist · · Score: 1

      When I call you, you will hear an accent. I speak decent English, but it's anything but accent free. And I do hear where someone comes from when he speaks my language. I can tell an English from a French speaker, a Russian from a Chinese. It's not hard. When you're a native speaker, you hear immediately what's cooking.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:Considering the Rush Job... by Anonymous Coward · · Score: 0

      Why's this still modded insightful? Account security has nothing to do with what a "rush job" games are.

      What's more, malware that targets specific games can be really difficult to detect, so one user's AV software might not catch a security threat for months after infection. Here's an interesting thread from the WoW Tech Support forums about a trojan designed for a previous patch that still seems to slip past a lot of popular AV software: http://forums.worldofwarcraft.com/thread.html?topicId=14498530767&sid=1

  2. Malwareness by Quinn_Inuit · · Score: 1

    ...they could very well be downloading malware without their knowledge.

    As opposed to all of the people downloading malware intentionally?

    --

    Stop learning! Only you can prevent esoterrorism.
    1. Re:Malwareness by Anonymous Coward · · Score: 0

      You didn't read what Google has been up to, did you?

  3. Disclaimer by Mozk · · Score: 5, Informative

    If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.

    How convenient that ESET, the author of the report, offers a product to protect against that.

    --
    No existe.
    1. Re:Disclaimer by 4e617474 · · Score: 2, Insightful

      How convenient that ESET, the author of the report, offers a product to protect against that.

      Yes, fortunate indeed. I would have thought that if you were going to go to the trouble of stealing account credentials, you'd engage in item theft or swindling money from a person's contacts like earlier posters mentioned. Fortunately, we had someone with a vested financial interest in setting them straight. The most valuable asset you accumulate in a MMORPG is the credibility with which you can display a hyperlink. I mean it's not like people will click on suspicious links from strangers.

      --
      Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
    2. Re:Disclaimer by pjt33 · · Score: 2, Funny

      Hah! You almost caught me with that link, but as George W put it, "Fool me once..."

  4. pwned! by indi0144 · · Score: 1

    taking the PWNED to a new level!

  5. Possible solution... a SecurID like card by mlts · · Score: 3, Informative

    Similar to the concept of OpenID, perhaps the solution to password theft would be a SecurID card that all the main game companies would have as an option to attach to an account. Right now, Blizzard has one, which is an OEM-ed Vasco Digipass Go 6. I just wish SOE, Valve, and other networked games would offer this.

    Of course, this brings with it its own can of worms, like what to do if a token is lost, disables itself, or stolen. Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.

    The advantage of two factor authentication is a big thing, as game accounts are worth a lot of money. Not just for characters to sell, but to use as farming/exploiting/spam bots until the MMO company bans the account.

    1. Re:Possible solution... a SecurID like card by SupremoMan · · Score: 1

      Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.

      Sounds to me like Blizzard should take a page from eBay.

    2. Re:Possible solution... a SecurID like card by mlts · · Score: 1

      I agree. Thankfully I've never had to deal with a dead token yet, but the battery life of those are only a couple years. I wish these type of tokens would have some mechanism to replace their battery and resync them with the atomic clock so one doesn't have to worry what to do when the words "disabled" or runs out of battery.

    3. Re:Possible solution... a SecurID like card by X0563511 · · Score: 1

      That would be a flaw in the security however.

      If you provide a stronger clock signal (not hard) you could sync a key repeatedly to a specific time, and theoretically derive the private key. Game over.

      That said, providing a way to charge the battery BEFORE it dies would be nice. An induction charger like electric toothbrushes have, for instance.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Possible solution... a SecurID like card by Anonymous Coward · · Score: 0

      A RCE MMO I have been playing for years uses this. I don't know if what you were talking about with blizzard is the same, but this gold card from EU is the most secure form of authentication I've seen in an MMO. And seeing as several items in this MMO fetch tens of thousands of U.S. dollars (not in game currency) it needs to be. Not one case ever of a gold card protected account compromised afaik.

  6. Exploits? by mail2345 · · Score: 1

    Even though social attacks are easy and possible, aren't technical attacks a threat? Eg, buffer overflows using chat rooms, a game server designed to spew out infections code, the like. There really isn't much a user could do against this besides waiting for the next patch, unlike social attacks which can be deflected with a little education and caution.

  7. Paradox by ProfMobius · · Score: 2, Insightful

    The main paradox of this story is that, people believe other people inside a game over internet, pretending knowing them, but can't differentiate between a "standard" behaviour or a copycat, meaning they don't know them at all. Most people can easily recognise who is on the other side of the phone just by they way of speaking, even if they change their voice.

    I will never understand how you can have full confiance in someone you never meet and with who you never shared a beer, but well, maybe it is just me...

    Ha well, another day in gullible land...

    --
    EULA : By reading the above message, you agree that I now own your soul.
    1. Re:Paradox by analog_line · · Score: 1

      I will never understand how you can have full confiance in someone you never meet and with who you never shared a beer, but well, maybe it is just me...

      I'll never understand why people think they know someone merely because they've met them or drank with them in a bar. Being too trusting didn't become an issue just at the launch of the Internet. Not by a long shot.

  8. Nonsensical risks... by gweihir · · Score: 1

    The threst of attackers pointing others to websites during chat is nonsense. Anybody with a legit account could do the same and an attacker is more likely to be identified as attacker in this. The real risk is just theft of online property and sending of spam with the account. A well-stocked WoW account can be worth 100 EUR or more.

    Why are these people writing about risks in online games allways so incompetent? Are these people without a clue of online gaming or security, just construction some threat to create attention?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Nonsensical risks... by Xylaan · · Score: 1

      Unless of course, the attacker sends out the URL as spam after they clean out the account. Once the account is gone, they can try a few times to get suckers to go to their URL.

  9. A Larger Threat Exposed by karnal · · Score: 4, Funny

    I would think that a larger threat when getting a link from a friend (or an imitated friend) would be something similar to this: http://www.youtube.com/watch?v=oHg5SJYRHA0

    --
    Karnal
    1. Re:A Larger Threat Exposed by Anonymous Coward · · Score: 0

      How is that funny?

  10. The games themselves by Rei · · Score: 3, Insightful

    It actually can be a problem with the games themselves. Let me recount one example. I was once a coder for a free MMORPG. Nothing huge -- usually a couple hundred people online at any given point in time -- but still relevant. Just in the random course of looking through the code during my work, I encountered some *glaring*, as in "OMG, I can't believe these are in here" security holes. Example: there was no server validation. None, at all. If a packet had the server's IP, they automatically trusted it, and made all kinds of assumption's about the packet's size, direct-copied it into memory with that assumption, etc; if anyone was able to compromise or spoof the server's IP, every last user's computer connected to the game could have been compromised. The management refused to act on that one. In fact, there was only one issue I was able to get them to act on, and that only because I wrote a freaking exploit for it. It was due to them using popen for opening webbrowsers on URLs, and they weren't bothering to check for injection. My exploit was a bit of text that anyone could have said on a chat line or in person that would have caused the computers of anyone who clicked on the link to have their hard drives wiped (assuming adequate permissions). That's what it took to get them to patch security holes; I couldn't convince them to let me fix it until I wrote an exploit. Unbelievable. They operated for years with that timebomb just sitting around.

    --
    Nothing says 'welcome to the neighborhood' like a gunny sack full of dead squirrels.
  11. Astro Turf by mfh · · Score: 2, Funny

    How is the astro turf growing in YOUR stadium?

    Our stadium uses ACME ASTRO TURF (TM*)! Because ACME ASTRO TURF (TM*) is shiny and greener than your average astro turf.

    Look at our scientific astro turf results!

    --
    The dangers of knowledge trigger emotional distress in human beings.
  12. a way around it by ILuvRamen · · Score: 1

    in Runescape they set up trade limits. If you log into someone's account and want to dump all their stuff off onto your account, you can't unless you compensate them with a matching amount of money based on what the current market price is (which is determined by the giant, in-game ebay type of system for selling in game items for in game currency). So they worst they can do is just destroy or drop all your stuff but there is no way to get the items off their account and onto yours (except one loophole but it's sketchy). Everyone hates it but at least it keeps the idiots safe. Speaking of idiots though, anyone who goes to a community site and reads a banner that says "download out 100% rare drop generator. You'll be richer than everyone else!" and they do it cuz they're a stupid cheater like that, they deserve to have their account stolen.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  13. Racism/Xenophobia by hdon · · Score: 1

    ..when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.

    Yeah one time I almost bought a car from someone on Craigslist, but I could tell by his voice that he was black, so I knew what was up.</racism>

    What problem is this supposed to solve? The thread you posted in was discussing hackers stealing WoW logins and looting their gold, then selling it. How is asking someone for their phone number going to fix it?