Online Games and Fraud: Using Games as Bait
by Sergey Golovanov - Kaspersky Lab - Wednesday, 12 September 2007.
As a result, malicious users don't have to worry much about their actions on rogue servers, since in most cases there won't be any comeback. On official servers the situation is much better. Players who are involved in theft will have their accounts closed and in some case their IP addresses will be blocked.

Overall, the theft of online game passwords is a serious issue. Every player is a potential target for malicious users.

How passwords for online games are stolen

As a rule, malicious users are only interested in a victimís username and password, not the address of the server where the victim plays. The malicious user knows which server the victim plays on and is likely a player on the same server. This is the case both for thieves who earn their money on rogue servers and for those on official servers, even though the likelihood of players losing in-game items to thieves on rogue servers is much higher. Letís take a look at some of the methods used by cyber criminals to steal passwords.

Social engineering

One method used by cyber criminals is to enter a game or a forum on a game server and offer a bonus, or help in the game, in exchange for other playersí passwords. The cyber criminal who makes such an offer is not as naive as he may initially seem. Instead, it is the players who are looking for ways to make play easier, and who respond to such offers, who are naive. The malicious user achieves his goal (getting hold of passwords) and leaves his/ her victims with nothing.

Another well-known social engineering method is phishing, where the cyber criminal sends phishing emails, purportedly from the server administrators, which invite the player to authenticate his/ her account via a website linked in the message.

Exploiting game server vulnerabilities

A game server is a collection of system services, programs and databases designed to support gameplay. Just like any other software, the server code contains programming errors and bugs. Such potential vulnerabilities can be exploited by cyber criminals to gain access to server databases and harvest player passwords or password hashes (encrypted passwords that can be decrypted using dedicated programs).

For instance, there is a known vulnerability linked to in-game player chat. If the chat environment is not isolated from the game's database and if special symbols/ commands are not checked, then a malicious user can access the player database directly from player chat either manually or by using a dedicated utility.

The number of vulnerabilities which a malicious user can exploit to gain access to internal server databases depends on the server. Creating special patches for vulnerabilities on rogue servers is a time-consuming process, more so than for official servers (if, of course, the administrator of a rogue server even feels it necessary to patch a vulnerability).

Another way to get passwords is by exploiting the mechanism used to remind users of forgotten passwords. Cyber criminals send specially crafted requests to the system (or simply use a brute force approach, running through possible answers to security questions), then change the victim's password and enter the game using the new password, which of course the user doesn't know.

Exploiting server vulnerabilities can be complex, and preparing and conducting an attack requires a great deal of intellectual effort. The result is often wasted time and effort as many hackers simply don't have the technical skills necessary to conduct a successful attack.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th