Major Spike in Security Threats To Online Games

← Back to Stories (view on slashdot.org)

Major Spike in Security Threats To Online Games

Posted by Soulskill on Friday February 6, 2009 @02:56PM from the i-blame-world-of-warcraft dept.

Gamasutra reports on data from security software firm ESET, which shows a major increase in the number of gaming-related security threats over the last year. They attribute the rise in attacks to the amount of money involved in the games industry these days. ESET's full report (PDF) is also available. "[ESET's research director, Jeff Debrosse] explains: 'It's a two-phase attack. If someone's account was compromised, then someone else can actually [using their avatar] during a chat session, or through in-game communication... they could leverage that people trust this person and point them at various URLs, and those URLs will either have drive-by malware or a specific [malware] executable. What ends up happening is that folks may end up downloading and using it. This is just one methodology.' These attackers also target gamers in external community sites, says Debrosse, through 'banners on websites or URLs in chat rooms or forums' — which can lead to unsafe URLs. 'If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.'"

18 of 48 comments (clear)

Min score:

Reason:

Sort:

Considering the Rush Job... by WiiVault · 2009-02-06 14:57 · Score: 2, Insightful

that most games are these days it seems inevitable. The last few years it seems the mentality has been to ship first patch later.
1. Re:Considering the Rush Job... by gujo-odori · 2009-02-06 15:01 · Score: 3, Informative
  
  This being /. and all, I didn't bother to read TFA, but phishing targeting online games is out there, too. I maintain an anti-phishing ruleset, and I first published rules targeting WoW phish over 6 months ago. The target of the phish was login credentials for WoW.
2. Re:Considering the Rush Job... by Drumforyourlife · 2009-02-06 15:22 · Score: 2, Interesting
  
  This isn't a problem with the games themselves, just the users who are playing the games. There have to be very strict punishments for people who are caught abusing the trust of the community. Good rule of thumb: If it's not in the game, don't click it. This applies to clan sites, FAQ's, Walkthroughs, all of it. Just don't do it unless you can be certain that it's a reputable site you're going to.
3. Re:Considering the Rush Job... by cb_is_cool · 2009-02-06 15:41 · Score: 2, Funny
  
  http://penny-arcade.com/comic/1998/12/21/ Prophetic!
  
  --
  cb_is_cool knows where his towel is.
4. Re:Considering the Rush Job... by cbiltcliffe · 2009-02-06 15:59 · Score: 2, Insightful
  
  Only the last few years?
  Games have frequently been crap for the first release for a decade or more. I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet.
  Not that good programming would prevent problems for idiots that get caught by phishing scams, though.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
5. Re:Considering the Rush Job... by Ambiguous+Puzuma · 2009-02-06 16:12 · Score: 2, Interesting
  
  Step 1: Steal (or scam or otherwise obtain) login info for one character.
  Step 2: Log in as that character.
  Step 3: Find another player that appears to have a pre-existing relationship with the account owner.
  Step 4: Convince that player that a family member suddenly died, and that he can't afford the bus/plane ticket to be able to attend the funeral.
  Step 5: Profit (via Western Union).
  Unfortunately this actually happened to someone I know. She was out $300 as a result of this scam. Normally she wouldn't fall for something like this, but the compromised account happened to belong to someone she had known for several years.
  Note that this doesn't require a game bug or other vulnerability--it can be accomplished entirely through social engineering.
6. Re:Considering the Rush Job... by cbiltcliffe · 2009-02-06 17:58 · Score: 2, Informative
  
  Sure, but WoW and the like are immensely more popular than Quake II Internet play.
  It's also not possible to play WoW solo, is it?
  Sure, you were playing STV online from 1999 to 2002, along with a few hundred other people.
  World of Warcraft hit 10 million subscribers in January of 2008. It's probably bigger now, a year later.
  It's a significantly different situation than it was in 1997 when you were playing Quake online.
  And come on. 40 hours a week gaming for 4 years? Do you seriously think you're statistically average with that? You're probably an outlier to the outliers......
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
7. Re:Considering the Rush Job... by Opportunist · 2009-02-06 23:51 · Score: 2, Interesting
  
  And this is where you can easily put a stop on the problem: Ask for a phone number. If you have known someone for years, it is likely that you know where they live, or at least that you have a more or less good idea from the things you two discussed. When your friend refuses to give you their phone no when they want money from you, I guess it can't be so dire. And when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
8. Re:Considering the Rush Job... by Opportunist · 2009-02-06 23:59 · Score: 2, Informative
  
  What should be punished? A person you have known for years tells you "Oh Bob, this is SO cool, you gotta check it out!" Problem is just, it's not the person you knew but someone who hacked his account.
  Imagine NewYorkCountryLawyer posting a link here. Will you follow it? Probably. Why? Because you know that his links are usually quite informative. And this here is /., the average computer clue level here is way above anything you find in WoW or similar games. You might still be wary where it leads to, but I guess many will follow it. Some of the better hidden info is on more or less obscure pages. And how many here check EVERY SINGLE link they follow, especially when in an article where the usual information about the real target URL is not displayed? It's after all an "approved" article...
  I can't see how anyone can be punished for anything. The person who followed the link? Why? The person whose account has been hacked? Why? The person who hacked the account? How?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
9. Re:Considering the Rush Job... by cbiltcliffe · 2009-02-07 02:49 · Score: 2, Informative
  
  You're not listening.
  Yes, these types of games existed in 2000 or so.
  But the category is massively more popular now than it's ever been. I'd guess there were a few hundred thousand people worldwide during any given month that played games online in 2000.
  Now, there are over 11.5 million people that are paying a subscription to play just one particular online-only game in a given month. That says nothing of all the other games that can be played online today.
  Also, WoW has individual accounts that persist for as long as the subscription, allowing the player to build up quite a reputation, significant abilities, and valuable in-game resources.
  Counterstrike, on the other hand, you start from scratch every time you play. No value, no persistence.
  Like I said...it's not the same market, and not even remotely the same size.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
Disclaimer by Mozk · 2009-02-06 15:32 · Score: 5, Informative

If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.
How convenient that ESET, the author of the report, offers a product to protect against that.

--
No existe.
1. Re:Disclaimer by 4e617474 · 2009-02-06 18:48 · Score: 2, Insightful
  
  How convenient that ESET, the author of the report, offers a product to protect against that.
  Yes, fortunate indeed. I would have thought that if you were going to go to the trouble of stealing account credentials, you'd engage in item theft or swindling money from a person's contacts like earlier posters mentioned. Fortunately, we had someone with a vested financial interest in setting them straight. The most valuable asset you accumulate in a MMORPG is the credibility with which you can display a hyperlink. I mean it's not like people will click on suspicious links from strangers.
  
  --
  Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
2. Re:Disclaimer by pjt33 · 2009-02-06 22:43 · Score: 2, Funny
  
  Hah! You almost caught me with that link, but as George W put it, "Fool me once..."
Possible solution... a SecurID like card by mlts · 2009-02-06 16:38 · Score: 3, Informative

Similar to the concept of OpenID, perhaps the solution to password theft would be a SecurID card that all the main game companies would have as an option to attach to an account. Right now, Blizzard has one, which is an OEM-ed Vasco Digipass Go 6. I just wish SOE, Valve, and other networked games would offer this.
Of course, this brings with it its own can of worms, like what to do if a token is lost, disables itself, or stolen. Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.
The advantage of two factor authentication is a big thing, as game accounts are worth a lot of money. Not just for characters to sell, but to use as farming/exploiting/spam bots until the MMO company bans the account.
Paradox by ProfMobius · 2009-02-06 17:20 · Score: 2, Insightful

The main paradox of this story is that, people believe other people inside a game over internet, pretending knowing them, but can't differentiate between a "standard" behaviour or a copycat, meaning they don't know them at all. Most people can easily recognise who is on the other side of the phone just by they way of speaking, even if they change their voice.
I will never understand how you can have full confiance in someone you never meet and with who you never shared a beer, but well, maybe it is just me...
Ha well, another day in gullible land...

--
EULA : By reading the above message, you agree that I now own your soul.
A Larger Threat Exposed by karnal · 2009-02-06 18:02 · Score: 4, Funny

I would think that a larger threat when getting a link from a friend (or an imitated friend) would be something similar to this: http://www.youtube.com/watch?v=oHg5SJYRHA0

--
Karnal
The games themselves by Rei · 2009-02-06 19:29 · Score: 3, Insightful

It actually can be a problem with the games themselves. Let me recount one example. I was once a coder for a free MMORPG. Nothing huge -- usually a couple hundred people online at any given point in time -- but still relevant. Just in the random course of looking through the code during my work, I encountered some *glaring*, as in "OMG, I can't believe these are in here" security holes. Example: there was no server validation. None, at all. If a packet had the server's IP, they automatically trusted it, and made all kinds of assumption's about the packet's size, direct-copied it into memory with that assumption, etc; if anyone was able to compromise or spoof the server's IP, every last user's computer connected to the game could have been compromised. The management refused to act on that one. In fact, there was only one issue I was able to get them to act on, and that only because I wrote a freaking exploit for it. It was due to them using popen for opening webbrowsers on URLs, and they weren't bothering to check for injection. My exploit was a bit of text that anyone could have said on a chat line or in person that would have caused the computers of anyone who clicked on the link to have their hard drives wiped (assuming adequate permissions). That's what it took to get them to patch security holes; I couldn't convince them to let me fix it until I wrote an exploit. Unbelievable. They operated for years with that timebomb just sitting around.

--
Nothing says 'welcome to the neighborhood' like a gunny sack full of dead squirrels.
Astro Turf by mfh · 2009-02-06 23:25 · Score: 2, Funny

How is the astro turf growing in YOUR stadium?
Our stadium uses ACME ASTRO TURF (TM*)! Because ACME ASTRO TURF (TM*) is shiny and greener than your average astro turf.
Look at our scientific astro turf results!

--
The dangers of knowledge trigger emotional distress in human beings.