Major Spike in Security Threats To Online Games 48
Gamasutra reports on data from security software firm ESET, which shows a major increase in the number of gaming-related security threats over the last year. They attribute the rise in attacks to the amount of money involved in the games industry these days. ESET's full report (PDF) is also available.
"[ESET's research director, Jeff Debrosse] explains: 'It's a two-phase attack. If someone's account was compromised, then someone else can actually [using their avatar] during a chat session, or through in-game communication... they could leverage that people trust this person and point them at various URLs, and those URLs will either have drive-by malware or a specific [malware] executable. What ends up happening is that folks may end up downloading and using it. This is just one methodology.' These attackers also target gamers in external community sites, says Debrosse, through 'banners on websites or URLs in chat rooms or forums' — which can lead to unsafe URLs. 'If [users] don't have adequate protection, they could very well be downloading malware without their knowledge.'"
Considering the Rush Job... (Score:3, Insightful)
Re: (Score:3, Informative)
This being /. and all, I didn't bother to read TFA, but phishing targeting online games is out there, too. I maintain an anti-phishing ruleset, and I first published rules targeting WoW phish over 6 months ago. The target of the phish was login credentials for WoW.
Re: (Score:1)
I'm sure someone can come up with the step-by-step directions on how to profit, but I'm feeling lazy atm.
Re: (Score:1, Funny)
1. Make Keylogger
2. Post on WoW site
3. ???
4. PROFIT!!!
5. Lawsute from various people
Re: (Score:2)
6. Laugh, because you are in some ass-backwards country where the lawsuits can't reach you.
Re: (Score:3, Interesting)
And this is where you can easily put a stop on the problem: Ask for a phone number. If you have known someone for years, it is likely that you know where they live, or at least that you have a more or less good idea from the things you two discussed. When your friend refuses to give you their phone no when they want money from you, I guess it can't be so dire. And when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.
Re: (Score:2)
When I call you, you will hear an accent. I speak decent English, but it's anything but accent free. And I do hear where someone comes from when he speaks my language. I can tell an English from a French speaker, a Russian from a Chinese. It's not hard. When you're a native speaker, you hear immediately what's cooking.
Racism/Xenophobia (Score:2)
..when they give you a phone number in Malaysia or Whateverstan, you can pretty much assume as well that this isn't the friend you're looking for.
Yeah one time I almost bought a car from someone on Craigslist, but I could tell by his voice that he was black, so I knew what was up.</racism>
What problem is this supposed to solve? The thread you posted in was discussing hackers stealing WoW logins and looting their gold, then selling it. How is asking someone for their phone number going to fix it?
Re: (Score:3, Interesting)
Step 1: Steal (or scam or otherwise obtain) login info for one character.
Step 2: Log in as that character.
Step 3: Find another player that appears to have a pre-existing relationship with the account owner.
Step 4: Convince that player that a family member suddenly died, and that he can't afford the bus/plane ticket to be able to attend the funeral.
Step 5: Profit (via Western Union).
Unfortunately this actually happened to someone I know. She was out $300 as a result of this scam. Normally she wouldn't fall
Re: (Score:2, Interesting)
The games themselves (Score:4, Insightful)
It actually can be a problem with the games themselves. Let me recount one example. I was once a coder for a free MMORPG. Nothing huge -- usually a couple hundred people online at any given point in time -- but still relevant. Just in the random course of looking through the code during my work, I encountered some *glaring*, as in "OMG, I can't believe these are in here" security holes. Example: there was no server validation. None, at all. If a packet had the server's IP, they automatically trusted it, and made all kinds of assumption's about the packet's size, direct-copied it into memory with that assumption, etc; if anyone was able to compromise or spoof the server's IP, every last user's computer connected to the game could have been compromised. The management refused to act on that one. In fact, there was only one issue I was able to get them to act on, and that only because I wrote a freaking exploit for it. It was due to them using popen for opening webbrowsers on URLs, and they weren't bothering to check for injection. My exploit was a bit of text that anyone could have said on a chat line or in person that would have caused the computers of anyone who clicked on the link to have their hard drives wiped (assuming adequate permissions). That's what it took to get them to patch security holes; I couldn't convince them to let me fix it until I wrote an exploit. Unbelievable. They operated for years with that timebomb just sitting around.
Re: (Score:3, Informative)
What should be punished? A person you have known for years tells you "Oh Bob, this is SO cool, you gotta check it out!" Problem is just, it's not the person you knew but someone who hacked his account.
Imagine NewYorkCountryLawyer posting a link here. Will you follow it? Probably. Why? Because you know that his links are usually quite informative. And this here is /., the average computer clue level here is way above anything you find in WoW or similar games. You might still be wary where it leads to, but I
Re: (Score:2, Funny)
Re: (Score:3, Insightful)
Only the last few years?
Games have frequently been crap for the first release for a decade or more. I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet.
Not that good programming would prevent problems for idiots that get caught by phishing scams, though.
Re: (Score:2)
"I think the only reason it's really coming to the fore now is that it's only in the last couple of years that games have moved from standalone or local networks to the Internet."
Huh? How did you get modded insightful? Internet gameplay is way more than 2 years old.
I was playing Quake II on the Internet back in '97.
I was logging 40 hours a week in online clan play for Star Trek Voyager from 1999 to 2002.
This new fangled Internet thingie has had games being played on it for more than a decade now.
Re: (Score:3, Informative)
Sure, but WoW and the like are immensely more popular than Quake II Internet play.
It's also not possible to play WoW solo, is it?
Sure, you were playing STV online from 1999 to 2002, along with a few hundred other people.
World of Warcraft hit 10 million subscribers in January of 2008. It's probably bigger now, a year later.
It's a significantly different situation than it was in 1997 when you were playing Quake online.
And come on. 40 hours a week gaming for 4 years? Do you seriously think you're statistica
Re: (Score:2)
Just looked it up. Yes, WoW is bigger, now. It's over 11.5 million subscribers.
Seriously....tell me that there were as many online gamers for all Internet-capable games in 2000 as there currently are for just WoW.
You can't do it, because the very idea is laughable.
Re: (Score:3, Informative)
You're not listening.
Yes, these types of games existed in 2000 or so.
But the category is massively more popular now than it's ever been. I'd guess there were a few hundred thousand people worldwide during any given month that played games online in 2000.
Now, there are over 11.5 million people that are paying a subscription to play just one particular online-only game in a given month. That says nothing of all the other games that can be played online today.
Also, WoW has individual accounts that persist fo
Re: (Score:1)
Are you trying to tell me that there was no 8.0Gbit high speed servers in 2000? SERIOUSLY???!!!111
Of *course* the market is different. We've steadily increased the things we can do with a home computer, along with the speed and capacity of the 'affordable' internet services. What you're arguing is akin to "well, a 2008 Mustang is WAY faster than a Model A man!!!"
As a side note, the idea of PAYING for a game over and over and over and over again is just strange to me. Granted over the past few months I've do
Re: (Score:2)
You seem to be confusing the idea of currently online players with subscribers. Truth is, it's very difficult to tell how many users there were on any particular game back in 2000. Most of the games weren't strictly subscriber based, and without monthly fees even the ones that were (like TEN, Internet Gaming Zone, Mplayer, etc) all had free options so many users could have multiple accounts.
In truth there probably were a few less than 10 million users playing online games, but that's considering users pla
Re: (Score:2)
More, much more. Over twenty years ago, the first release of Pools of Radiance crashed if you entered any of several dungeons. Pretty ballsy when you had to call a telephone number to have someone snail mail you a stack of floppy disks.
Malwareness (Score:2)
As opposed to all of the people downloading malware intentionally?
Disclaimer (Score:5, Informative)
How convenient that ESET, the author of the report, offers a product [wikipedia.org] to protect against that.
Re: (Score:3, Insightful)
Yes, fortunate indeed. I would have thought that if you were going to go to the trouble of stealing account credentials, you'd engage in item theft or swindling money from a person's contacts like earlier posters mentioned. Fortunately, we had someone with a vested financial interest in setting them straight. The most valuable asset you accumulate in a MMORPG is the credibility with which you can display a hyperl
Re: (Score:3, Funny)
Hah! You almost caught me with that link, but as George W put it, "Fool me once..."
Astro Turf (Score:2, Funny)
How is the astro turf growing in YOUR stadium?
Our stadium uses ACME ASTRO TURF (TM*)! Because ACME ASTRO TURF (TM*) is shiny and greener than your average astro turf.
Look at our scientific astro turf results [wikipedia.org]!
pwned! (Score:1)
Possible solution... a SecurID like card (Score:4, Informative)
Similar to the concept of OpenID, perhaps the solution to password theft would be a SecurID card that all the main game companies would have as an option to attach to an account. Right now, Blizzard has one, which is an OEM-ed Vasco Digipass Go 6. I just wish SOE, Valve, and other networked games would offer this.
Of course, this brings with it its own can of worms, like what to do if a token is lost, disables itself, or stolen. Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.
The advantage of two factor authentication is a big thing, as game accounts are worth a lot of money. Not just for characters to sell, but to use as farming/exploiting/spam bots until the MMO company bans the account.
Re: (Score:2)
Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.
Sounds to me like Blizzard should take a page from eBay.
Re: (Score:2)
I agree. Thankfully I've never had to deal with a dead token yet, but the battery life of those are only a couple years. I wish these type of tokens would have some mechanism to replace their battery and resync them with the atomic clock so one doesn't have to worry what to do when the words "disabled" or runs out of battery.
Re: (Score:2)
That would be a flaw in the security however.
If you provide a stronger clock signal (not hard) you could sync a key repeatedly to a specific time, and theoretically derive the private key. Game over.
That said, providing a way to charge the battery BEFORE it dies would be nice. An induction charger like electric toothbrushes have, for instance.
Exploits? (Score:1)
Paradox (Score:2, Insightful)
The main paradox of this story is that, people believe other people inside a game over internet, pretending knowing them, but can't differentiate between a "standard" behaviour or a copycat, meaning they don't know them at all. Most people can easily recognise who is on the other side of the phone just by they way of speaking, even if they change their voice.
I will never understand how you can have full confiance in someone you never meet and with who you never shared a beer, but well, maybe it is just me..
Re: (Score:2)
I'll never understand why people think they know someone merely because they've met them or drank with them in a bar. Being too trusting didn't become an issue just at the launch of the Internet. Not by a long shot.
Nonsensical risks... (Score:2)
The threst of attackers pointing others to websites during chat is nonsense. Anybody with a legit account could do the same and an attacker is more likely to be identified as attacker in this. The real risk is just theft of online property and sending of spam with the account. A well-stocked WoW account can be worth 100 EUR or more.
Why are these people writing about risks in online games allways so incompetent? Are these people without a clue of online gaming or security, just construction some threat to cr
Re: (Score:2)
A Larger Threat Exposed (Score:5, Funny)
I would think that a larger threat when getting a link from a friend (or an imitated friend) would be something similar to this: http://www.youtube.com/watch?v=oHg5SJYRHA0 [youtube.com]
a way around it (Score:1)