Forgot your password?
typodupeerror
Security Games

Major Spike in Security Threats To Online Games 48

Posted by Soulskill
from the i-blame-world-of-warcraft dept.
Gamasutra reports on data from security software firm ESET, which shows a major increase in the number of gaming-related security threats over the last year. They attribute the rise in attacks to the amount of money involved in the games industry these days. ESET's full report (PDF) is also available. "[ESET's research director, Jeff Debrosse] explains: 'It's a two-phase attack. If someone's account was compromised, then someone else can actually [using their avatar] during a chat session, or through in-game communication... they could leverage that people trust this person and point them at various URLs, and those URLs will either have drive-by malware or a specific [malware] executable. What ends up happening is that folks may end up downloading and using it. This is just one methodology.' These attackers also target gamers in external community sites, says Debrosse, through 'banners on websites or URLs in chat rooms or forums' — which can lead to unsafe URLs. 'If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.'"
This discussion has been archived. No new comments can be posted.

Major Spike in Security Threats To Online Games

Comments Filter:
  • by WiiVault (1039946) on Friday February 06, 2009 @10:57PM (#26761179)
    that most games are these days it seems inevitable. The last few years it seems the mentality has been to ship first patch later.
    • Re: (Score:3, Informative)

      by gujo-odori (473191)

      This being /. and all, I didn't bother to read TFA, but phishing targeting online games is out there, too. I maintain an anti-phishing ruleset, and I first published rules targeting WoW phish over 6 months ago. The target of the phish was login credentials for WoW.

      • by TreyGeek (1391679)
        Yup, the big money being made from WoW is to steal a person's login information. Log into the compromised account and 'trade' the characters property and gold to another character, friendly with the attacker. The gold is then sold for real life money through a third-party website.

        I'm sure someone can come up with the step-by-step directions on how to profit, but I'm feeling lazy atm.
        • Re: (Score:1, Funny)

          by masshuu (1260516)

          1. Make Keylogger
          2. Post on WoW site
          3. ???
          4. PROFIT!!!
          5. Lawsute from various people

          • by X0563511 (793323)

            6. Laugh, because you are in some ass-backwards country where the lawsuits can't reach you.

            • Re: (Score:3, Interesting)

              by Opportunist (166417)

              And this is where you can easily put a stop on the problem: Ask for a phone number. If you have known someone for years, it is likely that you know where they live, or at least that you have a more or less good idea from the things you two discussed. When your friend refuses to give you their phone no when they want money from you, I guess it can't be so dire. And when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.

              • ..when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.

                Yeah one time I almost bought a car from someone on Craigslist, but I could tell by his voice that he was black, so I knew what was up.</racism>

                What problem is this supposed to solve? The thread you posted in was discussing hackers stealing WoW logins and looting their gold, then selling it. How is asking someone for their phone number going to fix it?

        • Re: (Score:3, Interesting)

          Step 1: Steal (or scam or otherwise obtain) login info for one character.
          Step 2: Log in as that character.
          Step 3: Find another player that appears to have a pre-existing relationship with the account owner.
          Step 4: Convince that player that a family member suddenly died, and that he can't afford the bus/plane ticket to be able to attend the funeral.
          Step 5: Profit (via Western Union).

          Unfortunately this actually happened to someone I know. She was out $300 as a result of this scam. Normally she wouldn't fall

    • Re: (Score:2, Interesting)

      This isn't a problem with the games themselves, just the users who are playing the games. There have to be very strict punishments for people who are caught abusing the trust of the community. Good rule of thumb: If it's not in the game, don't click it. This applies to clan sites, FAQ's, Walkthroughs, all of it. Just don't do it unless you can be certain that it's a reputable site you're going to.
      • by Rei (128717) on Saturday February 07, 2009 @03:29AM (#26762285) Homepage

        It actually can be a problem with the games themselves. Let me recount one example. I was once a coder for a free MMORPG. Nothing huge -- usually a couple hundred people online at any given point in time -- but still relevant. Just in the random course of looking through the code during my work, I encountered some *glaring*, as in "OMG, I can't believe these are in here" security holes. Example: there was no server validation. None, at all. If a packet had the server's IP, they automatically trusted it, and made all kinds of assumption's about the packet's size, direct-copied it into memory with that assumption, etc; if anyone was able to compromise or spoof the server's IP, every last user's computer connected to the game could have been compromised. The management refused to act on that one. In fact, there was only one issue I was able to get them to act on, and that only because I wrote a freaking exploit for it. It was due to them using popen for opening webbrowsers on URLs, and they weren't bothering to check for injection. My exploit was a bit of text that anyone could have said on a chat line or in person that would have caused the computers of anyone who clicked on the link to have their hard drives wiped (assuming adequate permissions). That's what it took to get them to patch security holes; I couldn't convince them to let me fix it until I wrote an exploit. Unbelievable. They operated for years with that timebomb just sitting around.

      • Re: (Score:3, Informative)

        by Opportunist (166417)

        What should be punished? A person you have known for years tells you "Oh Bob, this is SO cool, you gotta check it out!" Problem is just, it's not the person you knew but someone who hacked his account.

        Imagine NewYorkCountryLawyer posting a link here. Will you follow it? Probably. Why? Because you know that his links are usually quite informative. And this here is /., the average computer clue level here is way above anything you find in WoW or similar games. You might still be wary where it leads to, but I

    • Re: (Score:2, Funny)

      by cb_is_cool (1084665)
      http://penny-arcade.com/comic/1998/12/21/ [penny-arcade.com] Prophetic!
    • Re: (Score:3, Insightful)

      by cbiltcliffe (186293)

      Only the last few years?

      Games have frequently been crap for the first release for a decade or more. I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet.

      Not that good programming would prevent problems for idiots that get caught by phishing scams, though.

      • "I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet."

        Huh? How did you get modded insightful? Internet gameplay is way more than 2 years old.

        I was playing Quake II on the Internet back in '97.

        I was logging 40 hours a week in online clan play for Star Trek Voyager from 1999 to 2002.

        This new fangled Internet thingie has had games being played on it for more than a decade now.

        • Re: (Score:3, Informative)

          by cbiltcliffe (186293)

          Sure, but WoW and the like are immensely more popular than Quake II Internet play.

          It's also not possible to play WoW solo, is it?

          Sure, you were playing STV online from 1999 to 2002, along with a few hundred other people.

          World of Warcraft hit 10 million subscribers in January of 2008. It's probably bigger now, a year later.

          It's a significantly different situation than it was in 1997 when you were playing Quake online.

          And come on. 40 hours a week gaming for 4 years? Do you seriously think you're statistica

          • Just looked it up. Yes, WoW is bigger, now. It's over 11.5 million subscribers.

            Seriously....tell me that there were as many online gamers for all Internet-capable games in 2000 as there currently are for just WoW.

            You can't do it, because the very idea is laughable.

            • You seem to be confusing the idea of currently online players with subscribers. Truth is, it's very difficult to tell how many users there were on any particular game back in 2000. Most of the games weren't strictly subscriber based, and without monthly fees even the ones that were (like TEN, Internet Gaming Zone, Mplayer, etc) all had free options so many users could have multiple accounts.

              In truth there probably were a few less than 10 million users playing online games, but that's considering users pla

      • by 4e617474 (945414)

        Games have frequently been crap for the first release for a decade or more.

        More, much more. Over twenty years ago, the first release of Pools of Radiance crashed if you entered any of several dungeons. Pretty ballsy when you had to call a telephone number to have someone snail mail you a stack of floppy disks.

  • ...they could very well be downloading malware without their knowledge.

    As opposed to all of the people downloading malware intentionally?

  • Disclaimer (Score:5, Informative)

    by Mozk (844858) on Friday February 06, 2009 @11:32PM (#26761355)

    If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.

    How convenient that ESET, the author of the report, offers a product [wikipedia.org] to protect against that.

    • Re: (Score:3, Insightful)

      by 4e617474 (945414)

      How convenient that ESET, the author of the report, offers a product to protect against that.

      Yes, fortunate indeed. I would have thought that if you were going to go to the trouble of stealing account credentials, you'd engage in item theft or swindling money from a person's contacts like earlier posters mentioned. Fortunately, we had someone with a vested financial interest in setting them straight. The most valuable asset you accumulate in a MMORPG is the credibility with which you can display a hyperl

      • Re: (Score:3, Funny)

        by pjt33 (739471)

        Hah! You almost caught me with that link, but as George W put it, "Fool me once..."

    • Astro Turf (Score:2, Funny)

      by mfh (56)

      How is the astro turf growing in YOUR stadium?

      Our stadium uses ACME ASTRO TURF (TM*)! Because ACME ASTRO TURF (TM*) is shiny and greener than your average astro turf.

      Look at our scientific astro turf results [wikipedia.org]!

  • taking the PWNED to a new level!
  • by mlts (1038732) * on Saturday February 07, 2009 @12:38AM (#26761693)

    Similar to the concept of OpenID, perhaps the solution to password theft would be a SecurID card that all the main game companies would have as an option to attach to an account. Right now, Blizzard has one, which is an OEM-ed Vasco Digipass Go 6. I just wish SOE, Valve, and other networked games would offer this.

    Of course, this brings with it its own can of worms, like what to do if a token is lost, disables itself, or stolen. Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.

    The advantage of two factor authentication is a big thing, as game accounts are worth a lot of money. Not just for characters to sell, but to use as farming/exploiting/spam bots until the MMO company bans the account.

    • Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.

      Sounds to me like Blizzard should take a page from eBay.

      • by mlts (1038732) *

        I agree. Thankfully I've never had to deal with a dead token yet, but the battery life of those are only a couple years. I wish these type of tokens would have some mechanism to replace their battery and resync them with the atomic clock so one doesn't have to worry what to do when the words "disabled" or runs out of battery.

        • by X0563511 (793323)

          That would be a flaw in the security however.

          If you provide a stronger clock signal (not hard) you could sync a key repeatedly to a specific time, and theoretically derive the private key. Game over.

          That said, providing a way to charge the battery BEFORE it dies would be nice. An induction charger like electric toothbrushes have, for instance.

  • Even though social attacks are easy and possible, aren't technical attacks a threat? Eg, buffer overflows using chat rooms, a game server designed to spew out infections code, the like. There really isn't much a user could do against this besides waiting for the next patch, unlike social attacks which can be deflected with a little education and caution.
  • Paradox (Score:2, Insightful)

    by ProfMobius (1313701)

    The main paradox of this story is that, people believe other people inside a game over internet, pretending knowing them, but can't differentiate between a "standard" behaviour or a copycat, meaning they don't know them at all. Most people can easily recognise who is on the other side of the phone just by they way of speaking, even if they change their voice.

    I will never understand how you can have full confiance in someone you never meet and with who you never shared a beer, but well, maybe it is just me..

    • I will never understand how you can have full confiance in someone you never meet and with who you never shared a beer, but well, maybe it is just me...

      I'll never understand why people think they know someone merely because they've met them or drank with them in a bar. Being too trusting didn't become an issue just at the launch of the Internet. Not by a long shot.

  • The threst of attackers pointing others to websites during chat is nonsense. Anybody with a legit account could do the same and an attacker is more likely to be identified as attacker in this. The real risk is just theft of online property and sending of spam with the account. A well-stocked WoW account can be worth 100 EUR or more.

    Why are these people writing about risks in online games allways so incompetent? Are these people without a clue of online gaming or security, just construction some threat to cr

    • by Xylaan (795464)
      Unless of course, the attacker sends out the URL as spam after they clean out the account. Once the account is gone, they can try a few times to get suckers to go to their URL.
  • by karnal (22275) on Saturday February 07, 2009 @02:02AM (#26761999)

    I would think that a larger threat when getting a link from a friend (or an imitated friend) would be something similar to this: http://www.youtube.com/watch?v=oHg5SJYRHA0 [youtube.com]

  • in Runescape they set up trade limits. If you log into someone's account and want to dump all their stuff off onto your account, you can't unless you compensate them with a matching amount of money based on what the current market price is (which is determined by the giant, in-game ebay type of system for selling in game items for in game currency). So they worst they can do is just destroy or drop all your stuff but there is no way to get the items off their account and onto yours (except one loophole bu

If a subordinate asks you a pertinent question, look at him as if he had lost his senses. When he looks down, paraphrase the question back at him.

Working...