Virtual worlds, real money

Online gaming fraud is an increasingly serious threat according to a new report from the European Network and Information Security Agency (ENISA).

The failure to recognise the importance of protecting real money value locked up in this ‘grey zone’ of the economy has led to a ‘year of online-world fraud’.

A survey in the report shows that 30 per cent of users have recently lost some form of virtual property through fraud.

In less than a year, more than 30,000 new malicious programs have been detected specifically targeting accounts and property in online games and virtual worlds – “this is a jump of 145 per cent”, said Kaspersky Labs, specialists in antivirus software.

Such malware is invariably aimed at the theft of virtual property accumulated in a user’s account and its sale for real money. “While annual real-money sales of virtual goods is estimated at nearly 1.5 billion euro worldwide, users can do very little if their virtual property is stolen.

“They are a very soft target for cybercriminals,” says Giles Hogben, editor of the report put together by a group of industry, academic and government experts. ”There are one billion registered players of online games worldwide and the malware targeting them affects everyone with a computer connected to the Internet.”

The failure to recognise the importance of protecting the real-money value locked up in this ‘grey’ zone of the economy is leading to an exponential increase in attacks targeting online MMO/VWs.

Privacy and personal data.

Another important area highlighted in the report is the misuse of personal data. The survey of 1,500 respondents in the UK, Sweden and Germany shows that most people think their avatar (a graphical representation of a character used in MMO/VWs) cannot reveal anything about their real identity. But an avatar is no different from using any online persona, particularly in so-called ‘social worlds’, ie, hybrids between online games and social networks.

“People should take just as much care of their personal data in these environments as in any other online context,” said Andrea Pirotti, executive director of ENISA. “Bots can be sprinkled within virtual worlds to spread spam or advertise products, for example, and these sites are vulnerable to novel variants of denial of service attacks.”

According to the report, multi-player online games are especially vulnerable to denial of service attacks because of their centralised architecture and poorly authenticated clients.

The inclusion of Internet relay chat (IRC) and voice over Internet protocol (VoIP) channels, along with the false sense of security created by MMO/VWs, leads to significantly increased disclosures of private data such as location and personal characteristics.

Username and password authentication is particularly vulnerable to ‘keystroke logging’ (a method of capturing and recording user keystrokes) with trojans being specifically crafted to capture account login details.

In February this year, Blizzard Entertainment, creators of World of Warcraft, released an article describing the effects and consequences of buying gold in its virtual world and said that an “alarmingly high” proportion of all gold bought originates from hacked accounts. The article also stated that customers who have paid for character-levelling services find their accounts hacked into months later, with all items stripped and sold off for virtual gold.

As characters progress in World of Warcraft, many of the rewards received are bound to that character and cannot be traded, generating a market for the trading of accounts with well-equipped characters. The highest noted World of Warcraft account trade was for £5,000 in early September 2007.

In February last year, the Halifax Bank claimed that stolen credit card details were regularly being used to fraudulently pay for World of Warcraft accounts.

The report, Virtual Worlds, Real Money: Security and Privacy in Massively-Multiplayer Online