Gamers: Fight the Phishers

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090616-gamephish2-selltous_cropLast week, I posted a blog item that explained how gamers face a growing security threat in phishing Trojans — software that can steal the passwords to online games, or the license keys for offline games, and pass them along to far-flung criminal groups. We know why organized Internet criminals engage in these kinds of activities, because the reason is always the same: There’s a great potential for financial rewards, with very little personal risk.

So I thought I’d wrap up this discussion with some analysis of how the bad guys monetize their stolen stuff. After all, how do you fence stolen virtual goods? And knowing that, is there a way to put the kibosh on game account pickpockets?

Just as a refresher, I’ve put together a short video that shows just how many phishing Trojans a single infection can bring down to your machine. In the video, about a minute after executing the downloader, it begins bringing down phishing Trojans, adware, and other malware. Over the next four minutes, the downloader pulls down a total of 42 separate installers, each of which executes and installs one or more malicious files — keyloggers, phishers, and other nasty stuff.

On the left is a list of the running processes, or applications, on the test system. On the right is a list of the URLs from which the downloader obtains its Trojan files. You’ll notice that nothing flashy or even outwardly obvious gives notice that the infection process is ongoing. The silent, low-key nature of these installers makes them more effective.

Fencing the stolen property

How much is a stolen game account really worth? As it turns out, there’s significant value placed on the accounts of players of persistent, massively-multiplayer online (MMO) games, and the fantasy goods and currency (I’ll just refer to it as gold from now on) within those accounts.

Dozens of sites act as brokers between sellers and buyers of virtual items. These sites do not act with the permission of the game publishers — in fact, publishers usually explicitly forbid this kind of out-of-band trading in their license agreements. But enforcement of the trading ban is another story altogether.

Consider that the typical account on a massively multiplayer game has some or all of the following assets:

— the license, or CD-key, which permits you to install the game, create an account, and get a month or two of free play


A sample CD-key price list

— the various characters a player may have created within the game. Most games permit you to create several characters, playable on a large number of servers. Character development represents time and effort spent in the game.


Selling an entire WoW account can be fairly lucrative

— the possessions of each of those characters, including in-game currency, armor, weapons, and other tradeable items


Got any gold in your shopping cart?

Beyond the strictly supply-and-demand market forces, there are a few caveats that restrict the value of in-game goods. For instance, characters are usually locked to the server in which they were created, and the character’s assets or possessions cannot be transferred to other servers. This can sometimes lead to a glut of for-sale currency or items that are transferable within a particular server, which can, at times, temporarily reduce the value of goods sold by players using that server, or lead traders to suspend trading goods on a particular server altogether.


Each faction on every World of Warcraft server is represented, but you can't always sell if there's too much supply -- or if the trader's account on that server gets suspended

And some “special items” cannot be traded to another player once the player who acquired the items equips them (puts on the fancy armor, for example) to the character he or she is playing.

The grey market economy that has sprung up around virtual goods in MMO games is vibrant, and prices are volatile, varying daily or even hourly.


A sample purchase price list for gold in various games. Prices are highly volatile and depend on supply, demand, and the difficulty of earning wealth.


A price list for potential Lord of the Rings Online gold sellers

As you can see from the screenshots above, taken from some of these out-of-game trading sites, there’s a lot of money to be made from a stolen account — both for the thief and the trading site. Gold traders seem to sell gold for, on the average, three to ten times the price they pay to buy it. That’s a hell of a commission, no matter how you look at it. Each character in the account may have significant quantities of tradeable goods. And then there’s the accounts themselves: If an account is stolen then sold to someone else, the gamer has limited recourse to the game publisher. Maybe the publisher will simply reset the password, but by then, the damage has already been done.

What gamers can do

In addition to the general advice we gave in an earlier post, there are a few things gamers can do to stem the tide of game fraud.

Barter within the game. Many games have trading systems that permit players to earn gold by selling or auctioning valuable goods; conversely, you can pick up that special armor if you have something worth trading. Use these systems.

Beware of scams. If an offer from a stranger to buy your gold, or to sell you some item worth far more than the seller is offering, sounds too lucrative to be true, it probably is. Don’t be a sucker.

Stop buying gold. Period.
Selling gold isn’t as bad as buying it, because these grey markets wouldn’t exist if buyers weren’t lining up to get that extra gold or special sword. If there’s no demand for gold, there’s no profit in stealing it, and therefore less of an incentive for thefts to happen in the first place.

Protect one another. Look out for your fellow gamers, and if you’ve been scammed, post a detailed account to your favorite forum/message board as a warning to others.

Let us know. If you’re a gamer who has been victimized by a phishing Trojan, I’d like to hear your story. Post your comment here.

wordpress blog stats

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s