
Securing Virtual Worlds Against Real Attacks – The Challenges of Online Game Development

Overview

Online games are a lucrative business – for game developers, players, and cybercrooks.  Revenues for virtual worlds topped $1.1 billion in 2006 and are expected to triple by 2009, and as such, online games have become a prime target for cybercriminals looking to exploit vulnerabilities for money-making gains.

McAfee’s Avert Labs researcher Dr. Igor Muttik delved into virtual worlds and detailed the security challenges in a new whitepaper titled “Securing Virtual Worlds Against Real Attacks – The Challenges of Online Game Development.”

Cybercrooks use virtual worlds to exchange funds obtained through their other criminal activities, and they steal passwords, data and virtual goods from online users – often without getting caught.

McAfee reveals specific threats within virtual worlds, costs of vulnerabilities on the black market, and details how game developers can keep games safe for their users:

• Money laundering: The in-game economies of virtual worlds have been hijacked in many cases by cybercriminals attempting to hide their profits through the exchange of virtual currencies
• Economic value: As virtual items become rarer or more difficult to achieve, their inherent time value creates a fiscal worth in the game’s currency and real life
• User-created content: User-created code in Second Life caused a virtual terrorist attack
• Unforeseen consequences of in-game events: A virtual illness created for World of Warcraft wiped out entire servers of users when a flaw in its design allowed the disease to spread throughout low-level players
• Scripting holes: Sloppy scripting allows viruses to achieve persistency, auto-execution, and propagation
• Messaging spam: The internal messaging services of most online games have often been leveraged for spam by malicious users
• Phishing: Perhaps the worst spamming runs, which were related to W32/Nuwar (also known as Stormworm), used a gaming theme. In one example, the bad guys created a web page offering “free” games. Links to it were widely spammed, but clicking anywhere on this web page led visitors to malware.
• Data-Stealing Trojans:  In a typical attack, data-stealing programs record user IDs and passwords along with the IP addresses or the names of the servers they use. This is done with a keylogger, which records all keystrokes. In more sophisticated attacks, the web forms are captured, as are mouse movements and even screenshots. The attacker can log into the compromised account and retrieve anything of value. Typically, when a gaming account is compromised, attackers will convert the objects they steal from online gamers into virtual currency—and then convert the virtual currency into real money.

The exponentially growing economy and population of virtual worlds can open the door into a new, flexible age of interaction online, both socially and visually.

Select Quotes from the Whitepaper

“Without security, these virtual communities will fail to realize their full potential.”
– Dr. Igor Muttik

“We urge game developers to build the basic security foundation from the very beginning. As we know, bolting security onto an existing product is a far-from-perfect approach.”
– Dr. Igor Muttik

“Most of the attacks that we have witnessed in real life will surface in virtual worlds unless the environment is built with security in mind.”
– Dr. Igor Muttik

“It is possible to make most attacks in virtual life impossible or uneconomical. There are no good reasons why virtual characters should suffer from the same troubles—spam, phishing, adware, spyware, Trojans, viruses, worms, and other malware—that currently plague our real day-to-day lives.”
– Dr. Igor Muttik