The online gaming industry has long been a major target for cybercriminals. Year after year, we see players subjected to phishing attacks and account hacking, and game companies suffering DDoS and other attacks. While these attacks occur outside of the games themselves, one of the threats we see is much closer to the gamers’ experience and has a wide-reaching impact.
Our most recent research, “The Cybercriminal Roots of Selling Online Gaming Currency,” presents our findings on an operation in which cybercriminals maliciously acquire online game currency, sell it to online gamers, and use the collected money to fund their cybercrime operations.
Exploiting Gamers’ Competitiveness
In this modus operandi, cybercriminals exploit a particular subset of online game players who are willing to pay real money for in-game currency (specifically, the in-game currency of MMORPGs). MMORPGs are online roleplaying games that allow players from all over the world to play a fantasy adventure with each other. These types of games are inherently competitive, with advantages between players usually revolving around acquiring the game’s currency and rare items.
Buying online gaming currency allows players to hoard in-game currency without having to put in the time and effort usually required to earn it legitimately within the game. Such an activity is frowned upon by many online game developers and their companies. The practice is considered a form of cheating and usually deemed a “bannable” offense.
Cheating in online games is not against the law, and neither is the selling and buying of online game currency. Cybercriminals are well aware of this and have created for themselves a way to exploit it. Many websites selling online gaming currencies for games such as FIFA, World of Warcraft, and Path of Exile have popped up, with some offering services like catching Pokémon in the popular game Pokémon Go. These sites have their own ads, promos, and even encrypted payment systems. In fact, most of them function just like online shopping websites, promising fast and safe transactions as well as 24/7 live chat support.
Enterprises Become Collateral Damage
As cybercriminals farm and sell the online gaming currency—which nets them real-world cash—they funnel these funds into their cybercriminal activities, some of which include targeted attacks against enterprises, corporations, and even game servers. We saw such instances with attacks coming from hacking groups such as Lizard Squad, Team Poison, and Armada Collective.
Based on these reports, we can say that the act of buying online gaming currency is, in essence, a cyclical, self-defeating effort: by paying for illegitimate methods to get ahead of the game, players also unintentionally fund the downfall of the online game they’re spending money on.
What does this mean for those affected by this particular operation? Ultimately, players need to recognize the harm that they’re doing to their favorite games by buying online game currency, and be able to stop themselves and others from contributing to such efforts. Enterprises, whether they’re involved in these online games or not, also need to realize that cybercriminals have what is essentially a legally gray money-making operation, and step up their defenses to protect against the attacks fueled by online game currency selling.
Legislation outlawing cheating in online games may be excessive as a deterrent in this case, but if something can be passed regarding the sale of such services, it may be able to deprive cybercriminals of this particular revenue stream. As long as there is no law regulating online game currency, we may see more and more cybercriminal groups take advantage of this particular modus operandi.
For more details about this particular cybercriminal MO, as well as the cybercriminal groups we’ve seen involved in it, read our full report, “The Cybercriminal Roots of Selling Online Gaming Currency”.