back to article Trojans besiege online gamers

Online games have become a major target for fraud in recent years. A study from Kaspersky Labs, published today, dissects the techniques and targets used by hackers to make "easy money" by selling stolen login credentials of users or in-game items on the black market. Online games and fraud: using games as bait by Sergey …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Actually ...

    The chief reason for the existence of these Trojans is gain - not vandalism.

    Most of the games mentioned have a thriving (black) market in items, characters and other virtual goodies -- if the developers are serious about expelling such behavior they should, instead of building in pseudo-security (because that's what "cooperation with antivirus vendors" means - and let's not even discuss the performance impact this unlikely will have) that still won't fend off bad password discipline and user ignorance, do something about the (often publicly advertising, both ingame and out of game) sites & online shops that engage in these sales.

    Remove the gain, remove the bulk of the problem. Educate your users and develop defensively against 3rd party tools beingused in conjunction with your online game, and all but the most persistent attackers and the stupidest gamers will remain unharmed.

    And the anti-virus vendors ? They can continue to develop snake oil solutions for easily impressed middle management - that's where the money is.

  2. Anonymous Coward
    Anonymous Coward

    Re: Actually ...

    "hear hear" or is it "here here". Well what ever it is its over there there <---

  3. Chad H.

    In a lot of cases, its the players own fault.

    Sadly, no matter how many times you tell em, players just dont listen.

    I'm a regular at the WoW Eu forums, and the amount of times we're asked if a certain email is real or fake is amazing, no matter how obvious they are.

    The newest one is an email offering "free Beta Keys" for the new WoW expansion, this is despite many times Blizzard saying "we dont know if we're doing a public beta yet", the emails full of typos and mistakes, asking for their email address (if blizzard realy sent it, they'd know that, right?) and the email asking for their password, which blizzard tells you and reminds you at every opportunity they will not ask for.

    Its not as if players dont have a reason to be lazy, when their gear is gone, it usualy doesnt get restored! This means if you loose it, you can expect to play with a naked character for the forseeable future.

  4. Morely Dotes

    How to protect yourself

    There are some incredibly easy ways to protect yourself against the most-common malware vectors. I won't bother to outline simple email safety; if you're smart enough to be reading this article, you're probably already deleting email from unknown senders unread.

    1. Don't surf the web using Internet Explorer. Use Firefox, Safari, Opera, Lynx, or any other browser of your choice. The vast majority of Web-based attacks rely on ActiveX, whcih is almost tailor-made for remote compromise of a PC. A certain Web site which carries a lot of addons for World of Warcraft was running banner ads which carried ActiveX installers for a keylogger almost continuously for over 6 weeks in Fall of 2006. Only IE users were infected.

    2. Use a "hardware firewall" (aka "router") between your PC(s) and the Internet. Firewall off (using the "drop" tables if you have a choice; this makes your connection effectively invisible to attackers) the ranges found in the .htaccess file at http://www.wizcrafts.net/chinese-blocklist.html

    3. If you run Windows XP, use Mike Lin's Startup Monitor http://www.mlin.net/StartupMonitor.shtml and Startup Control Panel http://www.mlin.net/StartupCPL.shtml to monitor what's set to run itself at startup.

    4. Don't hire "power levelers" and don't buy "gold" using real money. The people behind those services are already breaking the game's acceptable use policy; why would you trust a cheater to treat *you* fairly? Don't be an idiot.

  5. ratfox

    I especially love...

    The fake videos you can see on youTube, the one which pretend to show how you can hack somebody else's account... And then tell you that to do it, you need to send your own login and password to some hotmail address.

    The best is, people who get their account stolen that way are those who tried to hack another one in the first place. Call that poetic justice...

    From the number of such videos you can find, many people have fallen into the trap ^^

  6. Anonymous Coward
    Anonymous Coward

    Pricks

    Not you, the people that do it - and Blizzard. A friend of mine lost his WoW account to a keylogger, and the worst part was Blizzard refused to reset the password and return it to him - because apparently they have no way of verifying his credentials.

    The thing with online games like WoW is they are more than just playing a game, they are social gathering platforms, and in order to keep playing (and therefore chatting, joking and having fun) with your friends, you need everyone to keep pace with each other.

    That doesn't mean he's been ostricated or abandoned, it just means it'll take weeks maybe months before he can join in the best part of WoW - the end game raids.

    Sure this is hardly the end of the world - but it is a definite downer when you're forced to redo what took months to complete, most of the progression is great first time round, but going from 1 - 70 is a laborious task. In terms of rewards and items, perhaps never regaining what you lost due to the low percentage that such things will appear or drop.

  7. Alistair

    Re: How to protect yourself

    install linux

    install wine

    install WoW

    Play.

  8. Anonymous Coward
    Anonymous Coward

    WoW

    I have a spam filtering mod for WoW and the number of say, whispers, etc caught in 1 day is unbelievable.

    They have even changed tactics when they have a bot standing outside the bank spouting their crap. The bot repeats the message a couple of times then "deletes" and after awhile another one will appear.

    Also they are now using emote command to spout their rubbish since spam filters dont check for it.

  9. Andy Worth

    Alistair

    Thanks, but it's not going to help the people who are stupid enough to give away their login details to others, is it?

    My opinion?

    If people are stupid enough to give away their details, they deserve everything they get. If one WoW nerd is forced to get a real life after all his gear gets stolen and his account trashed, then it's been a worthwhile exercise.

  10. Pascal Monett Silver badge

    Easy to avoid social engineering

    I have a hardware firewall, and I don't use IE nor Outlook. Funny how I have never had a virus-related problem yet.

    As far as phishing and social engineering, my rule is simple : mail from approved users is treated with circumspection, for the rest, if you don't know how to write, you're mail is immediately deleted.

    No one I know writes "sto ck", or "medic_ation". My friends do not worry about "enlarging" myself, nor do they fret about my self-confidence. My friends have never, ever written the word "penis", not to mention "pen1s", or "pen_is" or whatever other unbelievable variation you can possibly conjure up after a week-long LSD session. And other examples are legion.

    Thus, the only way to get me to read your mail is either I already know you (you know, from Real Life), or you write without any mistake at all. For me, that is 99.999% good most of the time, and whatever false negatives are left are quickly dealt with.

    Bonus ? There are no false positives. Whatsoever. So what is left ? Well, mail from people I actually want to hear from. Thus, no account-stealing problems ever.

    Of course, even from a friend I am wary when there is an attachment. Constant vigilance ! as said by one of the Harry Potter characters (Mad-Eye Moody for those in the know). That is the price of security, and where email is concerned, it is entirely true.

  11. Anonymous Coward
    Anonymous Coward

    Content???

    "...it just means it'll take weeks maybe months before he can join in the best part of WoW - the end game raids."

    If most players think that all that is worth playing in wow is the endgame raids, then I can say it's just better to skip the game altogether. (imho in a good mmo game level is less important than teamplay and user interactions) And besides all that, what's the difference between someone playing with a slot machine and waiting for a big win and someone playing with wow and waiting for a rare drop? The level of 'fun' is sure the same...

  12. John

    I don't undestand

    Why people fall for these blatant fraudulent emails.

    It wouldn't happen in real life imagine:

    Someone knocks at the door, it's a foreign bloke and his English is so bad you can barely understand him, but you just about make out something along the lines of "can you give us the code for your alarm, we want to test it for security purposes".

    How many people would actually fall for that?

  13. Parax

    Legend of Mir...

    Ahh that takes me back.. all the way to 2001!

    So many hours... so many levels...

    Bichon.... Sabuk...

    but GameNetwork were so bad!! - except hober alaria of course!

    shame about QGO..

  14. Matthew Sinclair

    Honestly.

    If people fall for a stupid phising email or some ones stupid little offer and don't have the brains or common sense to realize its a fraud.... they deserve to lose everything they got.

    I swear... 99% of the crap I get has IP address's in place of domain names.

    Thats a dead give away!!!

    DUH!

    Never go to an raw IP address.... no one uses public websites that way.... even then...

    Take the monster jobs incident... emails show up and ask for bank account information.

    Who the frik would wana do that?

    If people don't have brains enough to think things through... can't blame the game developers or programmers for being a brain dead end user.

    A lot of what takes place can be solved by simple common sense.

    Like never using IE ever again. (Unless you need it for windows updates HAHAH)

  15. fridge

    Irony

    @Pascal Monett

    "for the rest, if you don't know how to write, you're mail is immediately deleted."

    That'd be 'your mail' then?

    : )

  16. Andy Bright

    I just don't agree with the stupidity anlge

    There are idiots, no mistake, and plenty of them - but for some reason they are either insanely lucky and are never affected - or it just doesn't matter, because they have attained the legendary item [Real Life]. Sometimes even [Friends] drop if you clever enough, or the rarest of all (and I believe only obtainable after completing the Black Temple raid) - a [Wife].

    But the reason why 3/4 of users that lose their accounts do so has nothing to do with sensible surfing or recognising obvious email scams. It comes down to OS vulnerabilities and vulnerabilities in the gaming software itself.

    Look, we get paid good money as IT professionals because we have knowledge the average pleb doesn't.

    We understand that flashy graphics stolen from OSX doesn't really equal security, no matter how often Microsoft claim it does.

    We are fully aware of the consequences of running cheap systems (Wintel) as opposed to Macs. We are aware that choosing to have software over having a decent OS (Linux) brings a number of risks.

    But then we also understand how to setup hardware firewalls, backed up by the software needed for safe surfing and trouble-free online gaming.

    Unfortunately even the best of us can still be undone by Microsoft and Blizzard's sloppiness.

    Yes I'm afraid I do admit to knowing far too much about WoW. However I balance that but installing hax that have enabled me to obtain those rare drops [Real Life], [Friends] and a [Wife] - without completing any of the normally required attunement.

    The other reason behind much of this really falls down to people like us - only the lazy version. They are the ones responsible for selling computers and operating systems to the people that pay our salaries (and thus our online gaming fees). They are the ones that make asinine claims their hardware and software is foolproof, and can be installed with no more complexity than your average VCR or microwave.

    Unfortunately no one will sue Microsoft because Congress have made it impossible to do so. They belong to the only industry that has been officially sanctioned by the necessary laws to produce shite. There is an actual law that says we can't sue software and hardware manufacturers if their products are crap, no matter what damage they cause in real terms - financial or otherwise.

    Ours is the only industry allowed to shovel shite into people's homes, often knowingly without protections in place that people need to keep themselves safe.

    Sort of like the software equivalent of boilers with open flames and discharge pipes deliberately built at face height.

    Our industry is filled with greedy pricks who should know better, and they have absolutely no incentive to act otherwise.

  17. Anonymous Coward
    Anonymous Coward

    Re Content

    "And besides all that, what's the difference between someone playing with a slot machine and waiting for a big win and someone playing with wow and waiting for a rare drop? The level of 'fun' is sure the same..."

    First off I think you just may have hit upon the exact reason WoW is so addictive. Gambling. Yes, the instances (dungeons to the uneducated) and raids (after they've been completed a few times) certainly do resemble a complex form of gambling. Sort of like slot machines with intricate game elements to win the top money prizes. I have no argument with that point of view, it's probably very true.

    Secondly I said the best part, not the only good part. The questing and leveling in WoW certainly is fun the first time around - but if you are trying to rebuild a character stolen from you, the fun is gone because you've already done it, probably several times.

    Look we started playing WoW because it enabled us to enjoy online gaming together as a group of friends. We don't spend more than a few ours a week playing this game, and we have maintained a slow, deliberate pace so that we get to enjoy each element as a team.

    There are many other ways of playing this game and I'm sure other players enjoy the other aspects as much as we enjoy raiding. I'm also sure there are other games just as good, if not better, than WoW, and eventually we will probably find those and play them too.

    But what Blizzard have done (and through sloppy programing, Microsoft, because it was their vulnerability that allowed this keylogger onto his system) is to ruin the experience somewhat for one of my friends. They've done by having no way of validating a user's ownership of a particular character. I find that an astonishing oversight in an age of trojans, keyloggers and internet insecurity. Yes, we gave serious thought to abandoning the game altogether and starting something new.

    However we are only about 1/4 of the way through the end game, and we're enjoying it enough to give it a few more months. We (rather sadly I admit) enjoy micro managing our toons, and in order to stay at the same point we have to stop raiding and wait for someone who has already completed the questing many times, to go through the whole process again. He chose this character after trying various types with each faction. He has every right to want to play the game with the type of character he enjoys most, and as his friends, he has every right to expect us to wait until he completes (what we now consider) the tedious bits again. So we will, and in the mean time grind our teeth in frustration that corporate developers can't seem to produce secure systems (we're not rich enough to own Macs, or clever enough to run Linux).

This topic is closed for new posts.