
Security 1:1 - Part 5 - Online gaming fraud, scam and phishing attempts

Created: 02 Jan 2014 • Updated: 07 Jan 2014
SebastianZ's picture

Online gaming - "En Taro Adun" to Part 5 of the Security 1:1 Series

Online gaming, just like any other branch of the internet community, is being targeted for scams, fraud and hacks. A few years back the scope of the scams involving online players may not have been that visible, but as online games (especially MMORPGs) became more popular and gained several different communication channels between players, their players very often became easy prey for attackers. At the moment we are speaking of a base reaching millions of users, the majority of them neither IT-security aware nor adolescent. Add to this that most game systems are based on password security only (with a few exceptions offering additional two-factor authentication), and the field to exploit looks really promising for any attacker. Property theft, be it physical or virtual, is still theft, and in this article we will explore various means used by malicious attackers to get hold of players' credentials, accounts and virtual items.

 


 

 

"If no mistake have you made, yet losing you are... a different game you should play"

There are many reasons for attackers to target the online game community. As more and more online games have some kind of online store, your gaming account is often already connected to your payment information. Once the attackers have access to the account itself they can further compromise your credit card information. The other most obvious reason is your online account itself and the value of the "virtual stuff" you have collected on it. Despite some beliefs that "virtual gaming things" cannot be worth that much, they are as a matter of fact sometimes worth a lot in real-world currency. Both items and virtual gold are sold on either some kind of auction house or auction websites (like eBay). Getting access to your gaming account and ransacking all your characters is one way for the attacker to make some easy money.

The accounts themselves may be sold as well, with prices ranging from a couple of euros up to thousands depending on the level of the characters on the account, completed achievements and collected gear. All of this normally takes time - the more time invested into an account, the more it is worth. Please note that gold, item or account resale violates the terms of use in most online games, and game providers will ban the accounts if such activities are detected.

 

 

"Hail to the Horde!" - about phishing emails

Phishing is by all means the most widespread type of online gaming fraud. This kind of attack on gamers is most commonly aimed at getting unauthorized access to the gamer's account information. With this kind of access the attacker may later exploit the account for other fraudulent activities. The wave of game-related phishing attacks started a good few years back, and to this day hundreds of examples of such malicious attempts can be found. The scale of these phishing attempts can only confirm one thing: a lot of players are still falling for them and becoming unaware victims!

Another grave danger comes from compromised game accounts. Most players tend to use the same credentials for their gaming account as for their private or corporate access. If the attackers already have access to your video game account, what stops them from accessing your other accounts, which may contain much more sensitive information?

 

The attack pattern of phishing emails can vary slightly, but there are some common elements that you should be vigilant about:

  • source email address ("From" field) - this will be 100% a spoofed address. What you see will resemble as closely as possible the real, legitimate email address that could come from your game provider. Only by examining the source code of the email and viewing the email header can you check exactly what the source of the message is, and see that it is in reality completely different from what you see in your mail client.
  • your email address ("To" field) - beware that the address at which you receive the email is often not the email address you use with your gaming account. Many gamers simply do not check this field. This is very important, as it allows you to classify the email as a phishing attempt from the start, even without reading its content.
  • email greeting - you will most likely never be addressed directly by your first or last name. What you will see here is a brief "Hallo", "Dear valued customer", "Greetings" or similar.
  • email signature - will indicate that the email was sent by the Support Team, Account Team, Billing Team, Management Team or similar to stress its importance; in most cases it does not mention any person by name. The signature will also include links to the game provider - the links here can be spoofed as well, or be legitimate in order to convince the recipient that the message is legitimate.
  • email content - will include a request for you to verify your data and access information by following a given link and entering that information in the browser. This is the most important element of the phishing email: the link provided in the content section will be 100% spoofed and will redirect you to a malicious website of the attacker. Besides the request for verification, the email may also claim that you have violated the conditions or rules of the game (very often the email will imply that you are, for example, trying to sell your account, which is a breach of the terms of service) and that your account will be blocked unless you follow a given link and verify your data. Another popular pattern is emails stating that some of the information on your account (email, name, etc.) has been modified recently, which could potentially mean that it has been compromised (!) or that you will lose access to it as a result of the change. As you obviously did not make any changes, the sender asks you to follow the given link and verify your data.
  • redirection to a fake website - the website itself may look very professional and be almost a mirror of the legitimate site, again to convince the user of its authenticity. Later on we will have a look at real-life examples of a fake login website.
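
The checklist above can be turned into a mail-triage script. The following is an added example, not code from the article or from any game provider: it compares the real "From" address against the display name, checks the "To" address, the greeting, and whether a link's visible text points somewhere other than its actual target. The provider domain list, the registered account address and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example, not values taken from the article:
LEGIT_DOMAINS = {"battle.net", "blizzard.com"}  # domains the provider really uses
ACCOUNT_EMAIL = "player@example.org"            # address registered with the game
GENERIC = re.compile(r"^(hallo|hello|greetings|dear (valued )?customer)\W*$")

# Constructed sample message (the lookalike host uses the reserved .example TLD).
SAMPLE = """\
From: "Blizzard Entertainment" <account.team@gmail.com>
To: someone.else@example.net
Subject: Account verification required
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your account information was changed. Verify it here:
<a href="http://login.battle-net.example/verify">https://us.battle.net/login</a></p>
<p>Account Team<br><a href="https://us.battle.net/support">Support</a></p>
"""


def is_legit_host(host):
    """True if host is a provider domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return the checklist indicators that this message trips, in order."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # a single-part HTML message is assumed
    findings = []
    # "From": judge the real address, not the display name shown to the user.
    # A passing domain proves nothing on its own, since the header can be forged.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if not is_legit_host(sender_domain):
        findings.append(f"from-domain:{sender_domain}")
    # "To": mail delivered to an address that was never registered with the game.
    _, recipient = parseaddr(msg.get("To", ""))
    if recipient.lower() != ACCOUNT_EMAIL:
        findings.append("to-not-account-address")
    # Greeting: the first visible line is generic and names nobody.
    text = re.sub(r"<[^>]+>", " ", body)
    first = next((l.strip() for l in text.splitlines() if l.strip()), "")
    if GENERIC.match(first.lower()):
        findings.append("generic-greeting")
    # Links: legitimate links are often mixed in, so each one is judged alone.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown_text in collector.links:
        host = urlparse(href).hostname or ""
        if is_legit_host(host):
            continue
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown_text.lower())
        shown_host = m.group(1) if m else ""
        kind = "link-text-mismatch" if is_legit_host(shown_host) else "link-offsite"
        findings.append(f"{kind}:{host}")
    return findings


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```
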

 

The references below provide some examples and show that many online games are being targeted by phishing attacks. Don't feel secure, though, if your game hasn't been listed here or targeted in the past - there is a really big chance that phishing attacks on it were or are happening as well.

Reference:
Phishing scam invades Star Wars online game
http://www.gmanetwork.com/news/story/266007/scitech/geeksandgaming/phishing-scam-invades-star-wars-online-game
Star Wars The Old Republic Phish: Scam You, it Will
http://www.threattracksecurity.com/it-blog/star-wars-the-old-republic-phish-scams-you-it-does
Guild Wars 2 players targeted in phishing attacks
http://www.techspot.com/news/50087-guild-wars-2-players-targeted-in-phishing-attacks.html
Hackers target Guild Wars 2 players
http://www.bbc.co.uk/news/technology-19543035

 

 

"Your gold is welcome here" - phishing targeting Battle.Net

video_blizz.png

Video: About scam attempts - World of Warcraft (WoW) / Battle.net

 

One thing to consider is that most attackers may not even know which game you play, or whether you play at all. Phishing is simply sent to everyone "on the list". This is one of the reasons most phishing attempts target the most popular games with the biggest player base: the bigger the gaming community, the higher the probability that the phishing attack will reach a certain percentage of real players. The "cherry on the pie" for online attackers nowadays is Blizzard, as all of its online games (World of Warcraft, Diablo, Starcraft) are currently managed through one shared account - Battle.net. Considering that the Battle.net account may include not only your gaming data but also real payment information, be that PayPal details or credit card information, the stakes go up as you realise that a compromise of this account will damage not only your virtual stuff but can potentially affect your real assets as well.

 

The size of the gaming community is one of several factors playing a decisive role when attackers select their target. Another factor is the willingness of this community to pay real money for virtual items. This willingness is much higher among players who already pay a monthly fee for the game itself, and attackers are aware of this fact as well.

Reference:
Phishing in a World of Warcraft
http://nakedsecurity.sophos.com/2011/01/20/phishing-in-a-world-of-warcraft
Phishing scam hits World of Warcraft
http://www.gmanetwork.com/news/story/265872/scitech/geeksandgaming/phishing-scam-hits-world-of-warcraft

 

Being a big player in the gaming market, Blizzard is fully aware of the phishing threat targeted at unaware gamers and attempts to educate them about the looming danger. Under the following link (http://us.battle.net/en/security/theft) you can find information and recommendations from Blizzard about several types of account theft and what can be done to prevent further damage. The site also provides examples of phishing emails, with Blizzard's recommendations on what not to do in case you find yourself a potential target of phishing.

Further reference:
Battle.net - Phishing
https://us.battle.net/support/en/article/phishing

 

  • Below I have posted an example of the legitimate Battle.Net login website and a second one of a faked login website. At first look there are really not many differences, but let's analyze both:

♦ During my testing the fake website right away triggered an alarm from Microsoft SmartScreen:

smartscreen.png

♦ In the address bar you can also observe that IE is reporting an unsafe website, while on the legitimate one we see that it has been "Identified by Digicert".

♦ There is a slight font difference in certain words between the two sites.

♦ Obviously the web page address in the address bar is different, but it is similar enough to trick users who are not paying attention (due to security concerns I covered the fake address).

♦ An interesting thing to mention is that the fake website contains only one fake link - "LOG IN". All the other links at the bottom of the page, even the create-an-account button, are legitimate and redirect to the official battle.net website.

 

battlenet_true.png

US Battle.Net official legitimate website

 

battlenet_fake.png

US Battle.Net fake website

 

 

Let's have a look at some real-life examples of phishing emails targeted at Blizzard players:
 

phish_email1.png

Example 1: The "From" field indicates Blizzard Entertainment, but after checking, the email belongs to a private account at "@gmail.com". Many sentences in the email are ungrammatical, which already makes one suspicious. The first link is spoofed, the other two are legitimate. The recipient is addressed as "Dear Customer", while legitimate correspondence would address the recipient directly by name.

----------------------------------------------------------------------------

phish_email2_1.png

Example 2: Again the source is shown as Blizzard Entertainment, with a spoofed email address that after checking again comes from a private account at @gmail.com. The email contains Blizzard's postal address to convince the user of its authenticity.

 

 

"Look. More hidden footprints!" - about In-Game Phishing

Phishing does not always mean email. In almost every online game nowadays you will find either an online chat system or an in-game mail system, and both of those communication channels can be exploited by malicious attackers. As an example to visualise the in-game phishing attack we take World of Warcraft and information published by TrendLabs (see references below). In the example provided by TrendLabs, attackers were tempting gamers by sending them invitations to beta testing of the World of Warcraft expansion Mists of Pandaria. As a reward for participation gamers are offered a free in-game mount - all they need to do to get it is register on the website by following the provided link. The link takes the player to a website that poses as the legitimate Battle.net page. As soon as they log in on the website to claim their reward, the account is compromised.

 

The second example brought up by TrendLabs describes misuse of the in-game chat system, where the attacker poses as a Blizzard employee and whispers to the unaware player to offer free in-game gift items or other rewards. Again, to claim them the user is required to log in on the given website. As with standard email phishing or in-game mail phishing, the links will often include phrases or words known to the player - related to the game itself - which should both attract players and convince them of the authenticity. In-game chat phishing may also include a threat to the player regarding an account violation and pending ban procedures. This has exactly the same meaning as in email phishing; only the transport channel is different. Blizzard itself warns players about fake/malicious in-game whispers and provides guidance on how to identify a fake whisper (https://eu.battle.net/support/en/article/phishing).

Reference:
World of Warcraft Scams: Mist of Pandaria, Free Mounts and Phishing Galore
http://blog.trendmicro.com/trendlabs-security-intelligence/world-of-warcraft-scams-mist-of-pandaria-free-mounts-and-phishing-galore
World of Warcraft Scams: Free Gifts and Fake Account Suspension Threats
http://blog.trendmicro.com/trendlabs-security-intelligence/world-of-warcraft-scams-free-gifts-and-fake-suspend-account-threats

 

 

"We cannot prevail against so many!" - about Keyloggers and Infostealer Trojans

If you are already aware of phishing attempts and know how to recognize them on sight - good for you, but there are still other means of getting to your online gaming account credentials. As an active player you certainly visit not only official game forums but also third-party or even private websites, forums, channels etc. Keep in mind that those are not always harmless and can indeed be malicious. Often they will offer third-party add-ons or tools that promise to make your gaming experience better - and with the tool comes an obligatory free bonus: a keylogger trojan. As soon as it is installed on the target machine it will start recording all your keystrokes, including the credentials used to log in to the game. Don't expect to log on to your game the next day - and even if you do, do not expect to find your characters in the same state you left them. To protect yourself, make sure you follow two easy steps: do not visit untrustworthy websites, and do have a proper antivirus/antimalware solution. Be aware that many game providers will deny you any account restoration if they find out that it was compromised because of a credentials leak on your side.

Reference:
How to protect your system from keyloggers [Updated]
http://wow.joystiq.com/2007/06/05/how-to-protect-your-system-from-keyloggers

 

There are many variants of Infostealer Trojans. Some of them have functionality typical of keyloggers (capturing all your keystrokes), others directly target data stored on the machine in search of credentials. Many of them target not only games but have multiple purposes and can also collect other information, like your online banking details, and send it back to the author. Many of the malware attacks targeting the gaming community involve several attack vectors - phishing emails will redirect players to spoofed websites offering fake patches or add-ons infected with malware. Those will contain both trojans that users will execute unwittingly by installing the fake updates and worms that will spread by themselves to increase the scope of infection. Malware can also kill antivirus processes to avoid detection, or even have rootkit characteristics to stay completely hidden on the system.

 

Some of the examples of gaming trojans seen in the past or reported to Symantec:

  • Trojan.Xilon [2002]. Trojan comes disguised as a patch for the Diablo II game. It also allows a hacker to steal Diablo II user account and character information.
  • W32.HLLW.Gotorm  [2003]. Worm designed to steal sensitive account information and CD keys for popular games, including Half Life, Warcraft 3, Counterstrike, Starcraft, and Diablo 2, and attempts to spread through the KaZaA file-sharing network.
  • Infostealer.Wowcraft (or PWSteal.Wowcraft) [2005] - Trojan attempting to steal the password to the "World of Warcraft" MMORPG.
  • Trojan.Jasbom (or PWSteal.Lineage) [2005] - Trojan logs keystrokes, mouse clicks, and application memory when playing the MMORPG Lineage.
  • Infostealer.Gampass [2006] - Trojan targeting MMORPG games and stealing registration keys.
  • Infostealer.Maplosty [2006] - Trojan attempts to steal information related to the MapleStory online game and send it to a predetermined email address.
  • Infostealer.Onlinegame [2008] - Trojan steals online game password information from the compromised computer. This trojan was targeting mostly MapleStory, World of Warcraft and MSN Games.
  • Trojan.Grolker [2013] - Trojan used to steal both gaming and online banking credentials from compromised machines.

 

Reference:
Trojan targets World of Warcraft gamers
http://arstechnica.com/uncategorized/2006/05/6778-2

Leveling Up: Gaming Trojan Adds Banks to Target List
https://www-secure.symantec.com/connect/blogs/leveling-gaming-trojan-adds-banks-target-list

 

In 2010 Symantec teams came across a malicious server hosting over 44 million stolen gaming credentials from a variety of online games. It is important to notice that the credentials were not only collected (most likely using Trojans like Infostealer.Gampass) and stored, but a large part of them was also validated as being active by another Trojan specifically designed for this purpose - Trojan.Loginck. If you think about it, obtaining 44 million account credentials is one thing; validating them in order to find the ones that are still active and potentially available for exploitation is another. Have a look at the whole story described in the Symantec blog as per the reference below.

Reference:
44 Million Stolen Gaming Credentials Uncovered
https://www-secure.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered

"A Jedi uses the Force for knowledge and defense, never for attack" - Scammers and Phishers will use your interests against you and attack when the time is right

Any major event in an online game or the release of a new expansion marks a time when an increase in scam/phishing attacks is to be expected. Attackers are fully aware of when interest in a particular game is greatest and will choose precisely this time to strike, offering free bonuses, in-game items, free beta passes - all of it related to the new add-on or update, even when it hasn't been officially released yet. This is also a recurring trend: every time a new expansion is released, a new wave of phishing attacks hits to gain access to accounts and new in-game items, mounts, pets, etc. The value of those items is highest just after the release of the expansion and drops significantly as time passes, which in the end leads to decreased income from potential sales.

TrendLabs reported in one of its articles (see reference) an increased number of scams just before the release of Diablo 3. Apparently the search results for "diablo 3 free download" were returning a bunch of scam sites offering a free beta version prior to the official release.

Reference:
Diablo 3 Scams Preempt Game Release
http://blog.trendmicro.com/trendlabs-security-intelligence/diablo-3-scams-preempt-game-release

 

In another attempt, scammers struck during the release of Starcraft 2, sending out a phishing scam supposedly coming from the Blizzard Store and already confirming the purchase of the game. The only action required from the end user was to log in to the spoofed website to redeem the code and claim the copy of the game.

Reference:
Beware: Email Scam Targeting StarCraft II Fans
http://www.tomshardware.com/news/StarCraft-II-Scams-Battle.net-Blizzard.com,10997.html

 

Similar attempts were reported again prior to the release of Diablo 3 and again before the release of its expansion "Reaper of Souls". Below is an example of such an invitation email with a fake game code and a spoofed link to battle.net.

reaper_scam.png

Diablo III - Reaper of Souls Phishing Email

Reference:
Gaming the security – Beware of fake Diablo III beta invitations!
https://www.securelist.com/en/blog/208193131/Gaming_the_security_Beware_of_fake_Diablo_III_beta_invitations

 

 

"Now, go. Leave this place, and never return!" - about Power-Leveling and other in-game scams

Email phishing and in-game phishing are only a part of the threats that await unaware players. Many of the scams are to be found directly in the game - some of the scam attempts may come from players themselves, but many are performed by organized collectives or even companies. It is worth noting that if you fall victim to any of those listed below, your only hope may be contacting the support staff of the particular game. Even then, keep in mind that activities such as "gold or account resale" or "power-leveling" are deemed to violate the in-game terms of use and will most probably void your support, and in the worst-case scenario even lead to a ban of your account.

 

Let's have a look at a few of the most common online game scams you can encounter:

  • In-game trade - bad trades are commonly known: you paid a price that is 10x the real value of the item. Game support will most likely not reimburse any items traded due to bad information or misinformation about the price on the gamer's side. In-game trade scammers may also exploit existing bugs in the game to perform a scam trade in which you trade an item but receive nothing in return. Recommendation: trade only with people you know and trust. Do not fall for trades that seem too good to be true.
  • Account trade or sale - an action violating the game's terms of use. Legitimate players often try to sell or trade their account when they get bored of a particular game. The account trade scammer may be either the seller or the buyer - you can find yourself in a situation where you buy a really great-looking account that in reality is not worth a penny, or you may sell your pumped-up account for money and get scammed during the process. Game support will most probably be denied if you report any scam that involved account resale or trade.
  • Gold and item sales - prohibited by most game providers' terms of use. You will nevertheless find quite a few companies, even professional ones, offering tons of gold or high-level items for sale. Both the gold and the items will most likely come from gold farms or gold bots. If the seller is also a scammer he may ask you for your account credentials during the sale process - don't ever fall for this. In any case, your game account may be banned if it is suspected of in-game item or gold selling activities.
  • Power-leveling - a paid service offered to users mostly by companies. It involves providing the company with your game credentials so that the company's employees can level up your characters in the game. Power-leveling carries many dangers for your account: you need to provide your credentials willingly (this alone should be enough of a warning sign to keep you from using such services); your account will most likely be leveled up by bots and not real people, which violates the game's terms of use and may endanger your account; and lastly you may get your account back with the characters ransacked of anything of value, without being able to get back any of the money you paid.

Reference:
How Not to Get Victimized by MMORPG Scams and Hackers
http://www.ereviewguide.com/news/2012/04/09/how-not-to-get-victimized-by-mmorpg-scams-and-hackers

 

 

"Black magic bars our way, but the will of the templar is stronger" - how to protect yourself against online game fraud

Here I would like to provide you with some recommendations on how to protect your gaming account against scams. Below, in the reference section, you will also find links to some of the game publishers and their best practices for securing online accounts.

 

  1. Account security - protect your login credentials and refrain from account sharing, where someone else also knows your login data.
  2. Password security - make sure your password and user name are complex enough (to survive a potential brute-force password cracking attack), do not reuse your gaming password as your banking or corporate password, and if you have problems remembering a complex password make use of password manager software such as Norton Identity Safe (https://identitysafe.norton.com).
  3. Additional credentials security - if your game provider offers additional two-factor authentication, make sure you sign up for it. Two-factor authentication combines your normal logon name and password credentials with a hardware-based token authenticator or tokens generated on your mobile/smartphone device.
  4. Email account security - make sure your email account adheres to the same security regime as your gaming account; if attackers cannot gain access to your game account they may try compromising your email account first.
  5. Anti-virus software - make sure you are using legitimate antivirus/antimalware solutions (such as many of the Symantec or Norton Security Solutions) that can protect your machine from malware infestation.
  6. Shared computers - if possible, refrain from playing on shared or public computers that can compromise your account security.
  7. Operating system - make sure your operating system is up to date to prevent unauthorized access through exploited vulnerabilities.
  8. Beware of fan pages or third-party forums related to your games - those may contain malicious downloads.
  9. Beware of what you download and where from - an advertised patch or add-on may in reality be something else.
  10. Learn how to recognize phishing emails, do not open unknown attachments, do not follow links included in HTML emails, and do check the email header to find out the real originating email address.
  11. Beware that in-game phishing also exists; make sure the person you whisper to in the in-game chat is really the person you take him for.
  12. Be sure that legitimate game support will never ask you for your password details.
  13. Do not buy or sell game accounts.
  14. Do not buy items or gold from third-party companies - such actions may jeopardise the security of your account and violate the game's terms of use.
  15. Do not use power-leveling services - ask yourself what you are playing for if you want to power-level. What's the fun in someone else leveling your characters for you?
  16. In case of any suspicious activities targeted at you or your gaming account, do contact the respective game support.

Reference:
ArenaNet - A Note about Phishing Emails
https://forum-en.guildwars2.com/forum/support/account/A-Note-about-Phishing-Emails/first
Battle.Net - Types of Account Thefts
http://us.battle.net/en/security/theft
Riot Games Security
http://www.riotgames.com/riot-games-security
League of Legends - Protecting Your Account
https://support.leagueoflegends.com/entries/21552105-Protecting-Your-Account
Eve Online - Account security
https://wiki.eveonline.com/en/wiki/Account_security

 

 

"Your flesh is weak" - 18 GB of malware downloaded successfully?!

A quite recent example of a scam hitting thousands of naive and impatient players. GTA 5 was released in October 2013 exclusively for Xbox and PS3. A PC edition had not even been announced by Rockstar at that time, but despite this, online search results were showing websites (mostly torrent sources) offering a free GTA 5 PC version download, luring players eager to get this version ahead of its release. The installer looked quite convincing: it was 18 GB in size and had a working setup.exe executable. Attempting to install the game takes the user to a phishing website where he needs to enter his personal information to register the game and fill out some surveys. What about the downloaded 18 GB of files? Most of it is most likely junk data, the rest malicious content. This is one more example that, even with much higher general awareness of phishing attacks and online gaming scams than ever before, people are still easily falling for scams as obvious as this one.

References:
Legit-Looking GTA V PC “Leaked” Setup Infects Thousands of PCs Worldwide
http://wccftech.com/gta-v-pc-scam-infects-thousands-pcs-world-wide
Torrent scam hits thousands eager for PC version of GTA V
http://news.cnet.com/8301-10797_3-57608943-235/torrent-scam-hits-thousands-eager-for-pc-version-of-gta-v
It's a trap! Malware disguises itself as Grand Theft Auto 5 for PC gamers
http://www.pcworld.com/article/2056566/its-a-trap-malware-disguises-itself-as-grand-theft-auto-5-for-pc-gamers.html
GTA 5 PC Torrent Fools Gamers: Installs 18 GB Malware
http://au.ibtimes.com/articles/517603/20131029/gta-pc-click-read-version-18-gb.htm

 

--------------------------

General article references:
Online Games: Fun or Risky?
http://us.norton.com/yoursecurityresource/detail.jsp?aid=online_games
Online gaming fraud: the evolution of the underground economy
https://www.securelist.com/en/analysis/204792139/Online_gaming_fraud_the_evolution_of_the_underground_economy
Online games and fraud: using games as bait
http://www.securelist.com/en/analysis/204791963/Online_games_and_fraud_using_games_as_bait