McAfee: Securing Virtual Worlds Against Real Attacks – The Challenges of Online Game Development
August 2008 by McAfee
Online games are a lucrative business – for game developers, players, and cybercrooks. Revenues for virtual worlds topped $1.1 billion in 2006 and are expected to triple by 2009, and as such, online games have become a prime target for cybercriminals looking to exploit vulnerabilities for money-making gains.
McAfee’s Avert Labs researcher Dr. Igor Muttik delved into virtual worlds and details the security challenges in a new whitepaper titled “Securing Virtual Worlds Against Real Attacks – The Challenges of Online Game Development.”
Cybercrooks use virtual worlds to exchange funds obtained through their other criminal activities, and they steal passwords, data and virtual goods from online users – often without getting caught.
McAfee reveals specific threats within virtual worlds, costs of vulnerabilities on the black market, and details how game developers can keep games safe for their users:
• Money laundering: The in-game economies of virtual worlds have been hijacked in many cases by cybercriminals attempting to hide their profits through the exchange of virtual currencies
• Economic value: As virtual items become rarer or more difficult to achieve, their inherent time value creates a fiscal worth in the game’s currency and real life
• User-created content: User-created code in Second Life caused a virtual terrorist attack
• Unforeseen consequences of in-game events: A virtual illness created for World of Warcraft wiped out entire servers of users when a flaw in its design allowed the disease to spread throughout low-level players
• Scripting holes: Sloppy scripting allows viruses to achieve persistency, auto-execution, and propagation
• Messaging spam: The internal messaging services of most online games have often been leveraged for spam by malicious users
• Phishing: Perhaps the worst spamming runs were related to W32/Nuwar (also known as Stormworm), and one example used a gaming theme. The bad guys created a web page offering “free” games. Links to it were widely spammed, but clicking anywhere on this web page led visitors to malware.
• Data-Stealing Trojans: In a typical attack, data-stealing programs record user IDs and passwords along with the IP addresses or the names of the servers they use. This is done with a keylogger, which records all keystrokes. In more sophisticated attacks, the web forms are captured, as are mouse movements and even screenshots. The attacker can log into the compromised account and retrieve anything of value. Typically, when a gaming account is compromised, attackers will convert the objects they steal from online gamers into virtual currency—and then convert the virtual currency into real money.
The exponentially growing economy and population of virtual worlds can open the door into a new, flexible age of interaction online, both socially and visually.