Data thieves continue to target MMORPG gamer accounts
Posted on June 14, 2010
This past weekend a middle-aged professional academic who plays Everquest II as a serious hobby reported losing a mother lode of gaming loot – worth US $1,000 in the cyber underground – to data thieves. LastWatchdog wrote this letter to the player’s guild explaining the backdrop. Names of the guild and player are kept anonymous to preserve privacy.
Dear (guild name):
Sorry to hear about (gamer’s name)’s loss. Sadly, I’m not surprised. The cyber underground has advanced to the point where keystroke loggers are routinely included in automated cyber attacks that revolve around fooling even tech-savvy individuals into clicking on tainted URLs.
Stolen logons flow to different criminal specialists such as corporate spies, online banking hijackers and gamer looters. Gamer logon thieves have been active since at least 2005; the corruption of the Miami Dolphins stadium website just before the 2007 Super Bowl was carried out by a gang of data thieves primarily seeking Lineage logons.
Smart hacks
Gamer thieves often ferret out gamer logons via “drive-by downloads.” They crawl the web in search of popular websites that will permit them to invisibly corrupt an “iframe” so that it runs malicious code. If you visit that website, a malicious program runs invisibly in your browser looking for any unpatched browser vulnerabilities — or any Adobe Acrobat Reader vulnerabilities, since that app runs alongside 95% of browsers.
The attack code is smart enough to check what browser you’re using and run through a complete list of known, patchable vulnerabilities, looking for the ones you haven’t yet patched. The cutting-edge attack codes look for zero-day vulnerabilities – freshly-discovered flaws for which there are no patches yet.
As soon as the attack code finds a vulnerability, it exploits the security hole. It swiftly implants a tiny wormhole, called a Trojan downloader, and you’re owned. Through this wormhole the attacker will implant a keystroke logger. These are no longer crude programs that capture all your keystrokes. Instead, they stay dormant most of the time, waking up only when you navigate to any account logon page; they quickly grab and transmit your logons to the bad guys, then go back to sleep.
In the past year or so, these types of malicious attacks, which essentially turn over full control of your machine to the attacker, have expanded exponentially via Black SEO. This is the black art of causing malicious URLs to turn up high in the rankings of search queries for celebrity news and other hot topics. Click on a bad URL and you will arrive at a webpage pre-loaded with a drive-by download. What’s worse, these attack techniques in recent months have been extensively adapted to Facebook messages and wall postings and Twitter microblog postings.
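The injected iframes described above are hidden from the user (zero-size, styled invisible, or pushed off-screen) while still loading the attack page. As an added example that is not part of the original letter, here is a small defensive scanner that parses an HTML page and reports iframes showing those hiding tricks, the kind of check a site owner can run over their own pages to catch an injection. The sample page and the hostnames in it are constructed placeholders, not real sites.

```python
"""Flag hidden iframes of the kind used in drive-by download injections.

Added example (not from the original post). Parses an HTML document with the
standard-library HTMLParser and reports <iframe> elements whose size, CSS
styling or position hide them from the viewer.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate visible embed plus two injected,
# invisible iframes. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Guild news</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://placeholder-bad-host.example/in.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://placeholder-bad-host.example/x.html"
     style="visibility:hidden;position:absolute;left:-9999px"></iframe></div>
</body></html>
"""

# CSS patterns that make an element invisible while still letting it load.
_HIDDEN_STYLE_PATTERNS = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("positioned off-screen", re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)),
    ("zero-size via CSS", re.compile(r"(width|height)\s*:\s*0(px)?\b", re.I)),
]


def _dimension(value):
    """Parse a width/height attribute ('0', '1px', '100%') to an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def hidden_reasons(attrs):
    """Return the list of reasons an iframe with these attributes looks hidden."""
    reasons = []
    w = _dimension(attrs.get("width"))
    h = _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("zero/one-pixel size")
    style = attrs.get("style") or ""
    for label, pattern in _HIDDEN_STYLE_PATTERNS:
        if pattern.search(style):
            reasons.append(label)
    return reasons


def find_hidden_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for each hidden-looking iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against your own pages, a hit is not proof of compromise (analytics and ad code sometimes use invisible frames), but any hidden iframe pointing at a host you did not add deserves a look, and comparing the scanner's output over time makes a newly injected frame stand out.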
The botnet quotient
None of this seems likely to slow down anytime soon because these attacks run off botnets. In addition to stealing your logons, the bad guys will send a botnet management program through the wormhole and deeply root it onto your hard drive. You are now a bot, and part of a bot network under the control of the attacker.
From time to time, your machine will receive a command to join 5,000 or 10,000 other PCs dispatched to spread spam, participate in denial-of-service attacks and perform other criminal tasks. The big-time botnet operators control hundreds of thousands of botted PCs.
Law enforcement and/or regulators would have to cut off tens of millions of infected consumer PCs and workplace PCs to materially slow botnet activities. Here is a chart showing the pervasive daily activity level of the major spam-spreading bots. Each color represents spam generating activity levels of a major botnet:

Source: Symantec
Reducing your exposure
One way gamers can minimize exposure to malicious attacks is to dedicate a PC exclusively to gaming. Never use the browser on that machine to do search queries, social networking, online banking, or anything else. If you’re not quite ready to go as far as that, then you ought to:
- Install all Microsoft and Adobe software updates as soon as they become available.
- Keep your firewall up and your antivirus suite updated.
- Use webpage health scanning plug-ins, such as McAfee SiteAdvisor or AVG LinkScanner or, better yet, both simultaneously. These free scanners will block you from navigating to known or suspected bad URLs.
In general, be über-circumspect about the links you click on, especially those in search results, instant messages, e-mails, Facebook messages and wall postings, and Twitter tweets. These security and privacy best practices actually hold true for anything and everything you do online. Hope that’s helpful.
Regards,
Byron Acohido