Stolen items are put up for auction (on sites such as ebay.com and forums), and can be sold to other players for virtual or real money. A cyber criminal may also demand a ransom for the stolen items. Sad as it may seem, malicious users can really rake in the money from online games.
Buying stolen goods is, of course, punishable according to server rules. Players on official game servers know that if there is an incident, the administrators will act in their favor. A player can file a request or a complaint at any time and problems will be addressed as quickly as possible so that s/he can keep playing.
Rogue servers - which greatly outnumber official servers – are a different case. Since players don't pay for support, the administration doesn't have to deal with problems. Victims have almost no opportunity to prove that they were not involved in problems which arise with their in-game items. Proof that a password has been stolen is usually ignored; the justification for this is that any conversation can be falsified, and screenshots can be faked. False evidence can be used to accuse an innocent player who is a bothersome opponent and get him/ her removed from the game (e.g. there are penalties for using inappropriate language in-game, with the most stringent being banned from the game for several days). Money can also be made from faking the theft of items and then demanding a ransom. Administrators of rogue servers have no way of dealing with such issues, and no desire to do so.
As a result, malicious users don't have to worry much about their actions on rogue servers, since in most cases there won't be any comeback. On official servers the situation is much better. Players who are involved in theft will have their accounts closed and in some case their IP addresses will be blocked.
Overall, the theft of online game passwords is a serious issue. Every player is a potential target for malicious users.
How passwords for online games are stolen
As a rule, malicious users are only interested in a victim’s username and password, not the address of the server where the victim plays. The malicious user knows which server the victim plays on and is likely a player on the same server. This is the case both for thieves who earn their money on rogue servers and for those on official servers, even though the likelihood of players losing in-game items to thieves on rogue servers is much higher. Let’s take a look at some of the methods used by cyber criminals to steal passwords.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.