Real Virtual Problems

by msecadm4921

Virtual worlds, real attacks; by Greg Day, Security Analyst, McAfee International Ltd.

Computer games have been around for as long as many of us can remember and during this time, they have evolved significantly. While one of the most obvious changes has been in the graphics we see as we play, there has also been a considerable evolution in terms of the role gaming plays in our lives and the opportunities it offers.

When gaming first became popular, it was primarily a solo activity and the only way to compete against other gamers was to huddle around one computer. The Internet has changed this: There is no longer a need to be physically in the same place in order to compete, and the growth of virtual worlds has taken gaming to another level, with the integration of the worlds of social networking and gaming. Nowadays, gaming provides the opportunity to live another life in parallel to the one you have in the real world and, as in reality, money often plays a pivotal role. As a result of this drastic change, online games are now a lucrative business – for game developers, players and cyber crooks. Revenues for virtual worlds topped $1.1 billion in 2006 and are expected to triple by 2009. As a result, online games have become a prime target for cybercriminals looking to exploit vulnerabilities for money-making gains.

The number of online games, especially multi-player online role-playing games (MMOGs), has grown rapidly in recent years and security and data issues have increased in line with this. Online gaming is now starting to suffer from real-world problems – theft of identity and virtual assets, extortion and even terrorist attacks.

MMOGs are supported by virtual online communities, where people compete, fight, buy, sell, trade, study, travel and do many other things that people do in real life. It is therefore not surprising that online gaming is beginning to be plagued by almost all of the problems of the real world. Online communities can grow their own economies, and virtual currencies are converted into real money and then back to virtual funds, so it is only natural that virtual profits have become increasingly targeted by cybercriminals. If Willie Sutton, the accomplished twentieth century American bank robber, were alive today, he probably would have an avatar and would be writing password-stealing Trojans.

Online computer games are large, intricate programs that require permanent Internet connections, so exploitation of vulnerabilities in an online game could be used to steal user data from both real and virtual environments. Since the beginning of this century, we have seen significant growth in advertising and shopping within games, and this leads to spam, phishing, adware, and spyware.

The number of online games and their subscribers is growing at an extraordinarily rapid rate. According to one study, the online gaming market grew 288 percent from 2002 to 2005. According to market research firm Parks Associates, worldwide revenues from online gaming exceeded $1.1 billion in 2006 and the company predicts that the revenues will triple by 2009. The biggest share of this market is currently MMOGs; predictions are that this position will not change until as far ahead as 2009. Moreover, the amount of time people spend playing online games is considerable, with more than 25 percent of gamers playing for more than 30 hours every week.

So what does this all really mean in terms of the potential for threats to become prevalent and for cybercrime to infiltrate the world of gaming? In most games, players collect and produce some sort of virtual commodities. These can be virtual objects, such as weapons, clothes, property, furniture, and music, as well as money and relationships – you can be a lord of a castle with many subordinates and even get married virtually. Even names of characters are valuable and can be resold at a profit, which is a virtual equivalent of cyber squatting (registering domain names to resell in the future). Virtual objects are traded in two connected markets – fully virtual and real. The intertwining of real and virtual markets is growing, and there are now real shops in virtual worlds (where you can buy real goods for virtual money). Both of these markets attract criminal elements.

Gaming is extremely popular in the Asia-Pacific countries and a worrying trend is emerging: According to a study in Taiwan, 37 percent of criminal offenses are related to online gaming. The level of penetration of virtual offenses into real life is alarmingly high. Many of the players are fairly young, and this is reflected in the statistics that show that most offenders belong to the 15-to-20-year-old bracket.

Many banks have already announced their plans to open virtual branches – a move that would eventually combine all the known risks of Internet banking with the risks of virtual identity and data theft.

In short, the threats are diverse and each needs to be considered by anyone joining the online gaming world. The main risks, including some examples that have been seen, are outlined below:

  • Money laundering: The in-game economies of virtual worlds have been hijacked in many cases by cybercriminals attempting to hide their profits through the exchange of virtual currencies.
  • Economic value: As virtual items become rarer or more difficult to achieve, their inherent time value creates a fiscal worth in the game’s currency and real life.
  • User-created content: User-created code in Second Life caused a visual simulation of a terrorist attack.
  • Unforeseen consequences of in-game events: A virtual illness created for World of Warcraft killed hundreds of players in several populated areas on multiple servers when a flaw in its design allowed the disease to spread throughout low-level players.
  • Scripting holes: Sloppy scripting allows viruses to achieve persistency, auto-execution, and propagation.
  • Messaging spam: The internal messaging services of most online games have often been leveraged for spam by malicious users.
  • Phishing: Perhaps the worst spamming runs, using a gaming theme, were related to W32/Nuwar (also known as Stormworm). In one example, the perpetrators created a web page offering "free" games. Links to it were widely spammed, but clicking anywhere on this web page led visitors to malware.
  • Data-stealing Trojans: In a typical attack, data-stealing programs record user IDs and passwords along with the IP addresses or the names of the servers they use. This is done with a keylogger, which records all keystrokes. In more sophisticated attacks, the web forms are captured, as are mouse movements and even screenshots. The attacker can log into the compromised account and retrieve anything of value. Typically, when a gaming account is compromised, attackers will convert the objects they steal from online gamers into virtual currency – and then convert the virtual currency into real money.

Given such explosive growth of online gaming, with gaming vendors racing to be first to market with the next big gaming phenomenon, it was always possible that the one area that would be overlooked was security. Developers need to build basic security foundations from the very beginning, as bolting security onto an existing product is a far-from-perfect approach. Most of the attacks that we have witnessed in real life will surface in virtual worlds unless the environment is built with security in mind. Security vendors and gaming vendors need to work together to avoid falling into the same trap again. It is possible to make most attacks in virtual life impossible or uneconomical and there are no good reasons why virtual characters should suffer from the same troubles – spam, phishing, adware, spyware, Trojans, viruses, worms, and other malware – that plague our real day-to-day lives.

About McAfee International Ltd

It is exhibiting at the Infosecurity Europe 2009 information security event. Now in its 14th year, the show has 300 exhibitors and 12,000 visitors, and runs from April 28 to 30, 2009 in Earls Court, London.
