Online gaming—it seems like everyone is into it these days. Some people spend as much as 30 hours a week doing it. And everyone—from large companies to profit-hungry cybercriminals are eager to jump in.

It’s a new, rapidly growing market that has seen phenomenal growth. From 2002 to 2005, the online gaming market grew 288 percent (Source: Research and Markets). Worldwide revenues from online gaming exceeded $1.1 billion in 2006, and by 2009, the revenues are expected to triple, according to market research firm Parks Associates. Both Microsoft and Google have acquired companies involved in in-game advertising. Intel bought the gaming video engine Havok. (Source: EUROGAMER). And Sony has started its own virtual world called Home (Source: BBC). There are also rumors that Google is developing a virtual world of its own (Source: MarketingVOX).

While the growth in recent years of multi-player, online, role-playing games (MMOGs) is exciting to gamers and companies looking to expand their market, cybercriminals view these expanding virtual worlds as fertile ground for exploitation. Here’s why: MMOGs are supported by virtual online communities, which are sometimes referred to as metaverses, or digital worlds, where people compete, fight, buy, sell, trade, study, travel, and do things that people do in real life. Metaverses grow their own economies, and virtual currencies are converted into real money and then back again. In most games, players collect and produce some sort of virtual commodities. These can be virtual objects, such as weapons, gear, clothes, property, furniture, music, money, and relationships (you can even be a lord of a castle with many subordinates and get married virtually). Names of characters are also valuable and can be resold at a profit—which is a virtual equivalent of cybersquatting (registering domain names to resell in the future), so it’s only natural that virtual profits, too, get targeted by cybercriminals. After all, stolen virtual commodities can be converted into real money. So it’s not surprising that online gaming is beginning to be plagued by almost all the problems of the real world—theft of identities and virtual assets, as well as extortion, are becoming more and more common. Even a virtual terrorist attack was registered once.

Because players spend so much time and effort accumulating their virtual treasures, they value the database records representing their virtual assets as much as they value real objects. It’s no surprise that people are ready to take shortcuts and pay real money to get advanced virtual objects to avoid boring routine work, commonly called “grinding.” So, naturally, we see secondary markets for virtual commodities—for example, virtual currencies like the “adena” (the currency used in the game Lineage2) are sold on eBay! Virtual objects are traded in two connected markets—fully virtual and real. As a result, malware writers are quite keen to relieve users of both real and virtual assets. The latter can be easily converted into real money anyway.

The intertwining of real and virtual markets is spreading. Now you can find real shops in virtual worlds (where you can buy real goods for virtual money). Naturally, both of these markets attract criminal elements. And strange as it may seem, many banks have already announced their plans to open virtual branches—a move that would eventually combine all the known risks of Internet banking with the risks of virtual identity and data theft!

Who Are the Perpetrators?
Gaming is extremely popular in the Asian-Pacific countries. According to a study in Taiwan, 37 percent of criminal offenses are related to online gaming. We can see that the level of penetration of virtual offenses into real life is alarmingly high. Many of the players are fairly young, which is reflected in the statistics showing that most offenders belong to the 15-to-20-year-old bracket. Even though trading virtual money for real money (known as “real money trading” or RMT) in most virtual environments is considered a violation of the terms of service (TOS), you can be sure that malware writers will always find a way to convert virtual commodities into hard cash, and vice versa. Even if it were illegal (by law or according to the TOS), there would always be a black market for virtual commodities. And automated ways of extracting money from online games (password-stealing malware, bots, and similar tactics) would have an advantage over manual methods. So, unless we find ways to control this, we should probably expect as much growth in online threats as we have seen with other targets of malware.

Overview of Attack Methods
What are some of the common security threats and malware found in the gaming environment?

• Data-stealing Trojans: In a typical attack, the data-stealing programs see and record user IDs and passwords along with the IP addresses or the names of the servers they use. This is done with a keylogger, which records all keystrokes. In more sophisticated attacks, the web forms are captured, as are mouse movements and even screenshots. This information is then transferred to the attackers. Sometimes, additional information is transmitted, such as the amount of money in a bank account, or—for a gamer—the level of a player and the contents of his inventory. Later, the attacker can log into the compromised account and retrieve anything of value. Typically, when a gaming account is compromised, attackers will convert the objects they steal from online gamers into virtual currency—and then convert the virtual currency into real money. So, online gamers need to understand how valuable their accounts and assets are to hackers.

• Phishing: It comes as no surprise that phishing has been used to relieve gullible players of their virtual assets. Indeed, there are some examples of this. Perhaps the worst spamming runs related to W32/Nuwar (also known as Stormworm) used a gaming theme. The bad guys created a web page offering “free” games. Links to it were widely spammed, but clicking anywhere on this web page led visitors to malware in the form of ArcadeWorld.exe that turned thousands of machines into bots that sent out spam campaigns or launched distributed denial of service attacks.

• Parasitic and polymorphic viruses: Trojan programs require a social-engineering trick, or lure, to work. Otherwise, they would never get installed. To overcome this serious limitation, evildoers attempt to use replicating code (a virus) to deliver the data-stealing payload. Of course, when a virus spreads, it can propagate to the systems that are used for gaming. The virus can detect this and activate its data-stealing payload. Another reason why parasitic viruses are an attractive alternative for cybercriminals is the fact that removal of this type of malware is more complicated. There might be a slight delay (from only a few minutes to several hours, depending on the complexity of the virus) in the release of an anti-virus update that cleans the malware, so the extra time is a bonus for virus writers.

• The best way to minimize security problems is to build a secure game application from the outset. One way to improve security is to apply certain improvements in the login process (for example, using physical authentication devices, such as RSA tokens or similar methods, such as biometrics with fingerprints, voice recognition, or face recognition). It is also necessary to minimize the risk of connecting to a spoofed server as well.
  
  Certain software design decisions can make it difficult for hackers to write effective malware. Malware infections would only be able to take advantage of vulnerabilities in software that allow malware to penetrate the application. Fortunately, finding a vulnerability requires a lot of knowledge and luck, so it’s not that easy for malware writers to find the weak spots in a game. Plus, once a vulnerability is found, it’s not always possible to successfully exploit it. Frequently, the best cybercriminals can hope for is to cause a crash. This is, of course, still a security problem, but not as serious as an exploitation of a vulnerability and a subsequent malware infection.
  
  For those who want to know the exact details about how to make games less vulnerable to abuse, see my complete white paper at: http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_online_gaming.pdf



• Because economic factors motivate cybercriminals, game developers can remove the financial incentives. Like any legitimate business, cybercriminals are interested in a high return on investment (ROI). Take real-world spam, for example. Emails are free, so spammers can afford to send millions of emails and still benefit from the business, even though very few people actually buy advertised goods or services. If emails cost even a penny each, the return on investment (ROI) would likely become too low for spamming to survive. One way game developers can discourage hackers is to charge for services, such as in-game messages. This could easily be made part of a game—and even be presented as part of the game, for example, as a “royal mail stamp duty” or something along those lines. This way, the laws of the virtual economy would make most anti-social and dangerous behaviors unprofitable.



• Find and catch the perpetrators. It’s been known for thousands of years that the inevitability of punishment is the greatest deterrent to any crime. In the world of MMOGs, it is technically possible to constantly monitor the movements, actions, and transactions of the entire population of gamers. Telemetry (a scripted set of rules) makes it possible to examine the logs and raise alarms when questionable events occur. This would potentially allow game developers to review any event that takes place in virtual world, so that they can pinpoint any violations or track stolen assets.