Slashdot Mirror
Major Spike in Security Threats To Online Games
Gamasutra reports on data from security software firm ESET, which shows a major increase in the number of gaming-related security threats over the last year. They attribute the rise in attacks to the amount of money involved in the games industry these days. ESET's full report (PDF) is also available.
"[ESET's research director, Jeff Debrosse] explains: 'It's a two-phase attack. If someone's account was compromised, then someone else can actually [using their avatar] during a chat session, or through in-game communication... they could leverage that people trust this person and point them at various URLs, and those URLs will either have drive-by malware or a specific [malware] executable. What ends up happening is that folks may end up downloading and using it. This is just one methodology.' These attackers also target gamers in external community sites, says Debrosse, through 'banners on websites or URLs in chat rooms or forums' — which can lead to unsafe URLs. 'If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.'"
This being /. and all, I didn't bother to read TFA, but phishing targeting online games is out there, too. I maintain an anti-phishing ruleset, and I first published rules targeting WoW phish over 6 months ago. The target of the phish was login credentials for WoW.
How convenient that ESET, the author of the report, offers a product to protect against that.
No existe.
Similar to the concept of OpenID, perhaps the solution to password theft would be a SecurID card that all the main game companies would have as an option to attach to an account. Right now, Blizzard has one, which is an OEM-ed Vasco Digipass Go 6. I just wish SOE, Valve, and other networked games would offer this.
Of course, this brings with it its own can of worms, like what to do if a token is lost, disables itself, or stolen. Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.
The advantage of two factor authentication is a big thing, as game accounts are worth a lot of money. Not just for characters to sell, but to use as farming/exploiting/spam bots until the MMO company bans the account.
I would think that a larger threat when getting a link from a friend (or an imitated friend) would be something similar to this: http://www.youtube.com/watch?v=oHg5SJYRHA0
Karnal
It actually can be a problem with the games themselves. Let me recount one example. I was once a coder for a free MMORPG. Nothing huge -- usually a couple hundred people online at any given point in time -- but still relevant. Just in the random course of looking through the code during my work, I encountered some *glaring*, as in "OMG, I can't believe these are in here" security holes. Example: there was no server validation. None, at all. If a packet had the server's IP, they automatically trusted it, and made all kinds of assumption's about the packet's size, direct-copied it into memory with that assumption, etc; if anyone was able to compromise or spoof the server's IP, every last user's computer connected to the game could have been compromised. The management refused to act on that one. In fact, there was only one issue I was able to get them to act on, and that only because I wrote a freaking exploit for it. It was due to them using popen for opening webbrowsers on URLs, and they weren't bothering to check for injection. My exploit was a bit of text that anyone could have said on a chat line or in person that would have caused the computers of anyone who clicked on the link to have their hard drives wiped (assuming adequate permissions). That's what it took to get them to patch security holes; I couldn't convince them to let me fix it until I wrote an exploit. Unbelievable. They operated for years with that timebomb just sitting around.
Nothing says 'welcome to the neighborhood' like a gunny sack full of dead squirrels.