Increased Thievery in Online Games

by Albin on April 30th, 2009 in Security Alert.

Massive Multiplayer Online Role Playing Games (MMORPGs) have become a massive industry over the last decade. World of Warcraft alone has approximately 10 million active users. (1) That's more than Sweden’s total population! A lot of users and money involved means that malware writers have a good opportunity to earn some "easy cash".

In MMORPGs, players socialize, battle and discover a whole new world. It’s a never ending story but even online games has its drawbacks. The games include characters which can be upgraded. It may take several months or even years to get the highest skills and earn all the “cool” items.  It’s also possible to upgrade the character by buying virtual property; to do that, “real money” is applied. A character may become invaluable and highly attractive for thieves to steal and sell to others.

There are tons of rogue servers for MMORPGs out there. These servers offer free versions of the virtual worlds. The rogue servers are popular among people who cannot afford to play on the legitimate servers. But, the game quality is worse than on official ones and may cause support problems for users. (2)

“Any valuable item in an online game can have a monetary equivalent in the real world. This is when demand arises and when other peoples' virtual property is stolen.” (2)

The system which verifies the player’s authenticity is most likely based on the username together with a password. This means thieves can steal passwords to be able to get items and sell them to other players. A known strategy is to use phishing techniques where the burglar pretends to be the administrator of the server and ask the victim to authenticate the account, if not they will be suspended. Another way is to make use of the “Have you forgotten your password?” function. The thief searches for known answers to security questions. Then he/she gets the option to change the password and “hijack” the account. (2)

There are known trojans which are developed with the specific purpose to steal passwords from MMORPGs. Lavasoft Malware Labs calls this family of threats Win32.TrojanPWS.OnlineGames. There are also families related to specific games, like, for example, Win32.TrojanPWS.WOW and Win32.TrojanPWS.Lmir. They are often constructed to harvest passwords while users visit certain game-servers and fill in their login data.

Gamers in China and South Korea have a much higher probability of being hit by trojan password stealers compared to users in other areas. According to statistics, 90% of password stealers are written to target users in China. (2) This doesn’t, though, necessarily mean that it’s impossible to be a victim in other parts of the world.

MMORPGs are a massive industry - one that's growing every day. In 2008, Western consumers spent over $1.4 billion on subscriptions. (3) My conclusion is that the amount of malware will increase in proportion to the amount of new subscribers to the various MMORPGs games. 

Lavasoft Malware Labs tries to prevent this type of fraud by constantly updating our definition file and including MMORPGs threats.

(1) h**p://eu.blizzard.com/en/press/081223.html
(2) VirusList, Online games and fraud: using games as bait, h**p://www.viruslist.com/en/analysis?pubid=204791963
(3) Harding-Rolls, Piers (PDF). Subscription MMOGs: Life Beyond World of Warcraft. London, UK: Screen Digest. h**p://www.screendigest.com/press/releases/pdf/PR-LifeBeyondWorldOfWarcraft-240309.pdf. Retrieved on 2009-03-30.


Albin Bodahl

Lavasoft Malware Labs