Last week, I posted a blog item that explained how gamers face a growing security threat in phishing Trojans — software that can steal the passwords to online games, or the license keys for offline games, and pass them along to far-flung criminal groups. We know why organized Internet criminals engage in these kinds of activities, because the reason is always the same: There’s a great potential for financial rewards, with very little personal risk.
So I thought I’d wrap up this discussion with some analysis of how the bad guys monetize their stolen stuff. After all, how do you fence stolen virtual goods? And knowing that, is there a way to put the kibosh on game account pickpockets?
Just as a refresher, I’ve put together a short video that shows just how many phishing Trojans a single infection can bring down to your machine. In the video, about a minute after executing the downloader, it begins bringing down phishing Trojans, adware, and other malware. Over the next four minutes, the downloader pulls down a total of 42 separate installers, each of which executes and installs one or more malicious files — keyloggers, phishers, and other nasty stuff.
On the left is a list of the running processes, or applications, on the test system. On the right is a list of the URLs from which the downloader obtains its Trojan files. You’ll notice that nothing flashy or even outwardly obvious gives notice that the infection process is ongoing. The silent, low-key nature of these installers makes them more effective.
Fencing the stolen property
How much is a stolen game account really worth? As it turns out, there’s significant value placed on the accounts of players of persistent, massively-multiplayer online (MMO) games, and the fantasy goods and currency (I’ll just refer to it as gold from now on) within those accounts.
Dozens of sites act as brokers between sellers and buyers of virtual items. These sites do not act with the permission of the game publishers — in fact, publishers usually explicitly forbid this kind of out-of-band trading in their license agreements. But enforcement of the trading ban is another story altogether.
Consider that the typical account on a massively multiplayer game has some or all of the following assets:
– the license, or CD-key, which permits you to install the game, create an account, and get a month or two of free play
– the various characters a player may have created within the game. Most games permit you to create several characters, playable on a large number of servers. Character development represents time and effort spent in the game.
– the possessions of each of those characters, including in-game currency, armor, weapons, and other tradeable items
Beyond the strictly supply-and-demand market forces, there are a few caveats that restrict the value of in-game goods. For instance, characters are usually locked to the server in which they were created, and the character’s assets or possessions cannot be transferred to other servers. This can sometimes lead to a glut of for-sale currency or items that are transferable within a particular server, which can, at times, temporarily reduce the value of goods sold by players using that server, or lead traders to suspend trading goods on a particular server altogether.
And some “special items” cannot be traded to another player once the player who acquired the items equips them (puts on the fancy armor, for example) to the character he or she is playing.
The grey market economy that has sprung up around virtual goods in MMO games is vibrant, and prices are volatile, varying daily or even hourly.
As you can see from the screenshots above, taken from some of these out-of-game trading sites, there’s a lot of money to be made from a stolen account — both for the thief and the trading site. Gold traders seem to sell gold for, on the average, three to ten times the price they pay to buy it. That’s a hell of a commission, no matter how you look at it. Each character in the account may have significant quantities of tradeable goods. And then there’s the accounts themselves: If an account is stolen then sold to someone else, the gamer has limited recourse to the game publisher. Maybe the publisher will simply reset the password, but by then, the damage has already been done.
What gamers can do
In addition to the general advice we gave in an earlier post, there are a few things gamers can do to stem the tide of game fraud.
Barter within the game. Many games have trading systems that permit players to earn gold by selling or auctioning valuable goods; conversely, you can pick up that special armor if you have something worth trading. Use these systems.
Beware of scams. If an offer from a stranger to buy your gold, or to sell you some item worth far more than the seller is offering, sounds too lucrative to be true, it probably is. Don’t be a sucker.
Stop buying gold. Period. Selling gold isn’t as bad as buying it, because these grey markets wouldn’t exist if buyers weren’t lining up to get that extra gold or special sword. If there’s no demand for gold, there’s no profit in stealing it, and therefore less of an incentive for thefts to happen in the first place.
Protect one another. Look out for your fellow gamers, and if you’ve been scammed, post a detailed account to your favorite forum/message board as a warning to others.
Let us know. If you’re a gamer who has been victimized by a phishing Trojan, I’d like to hear your story. Post your comment here.