Locked and loaded, online gamers draw phishing attackers
Online gamers have become rich targets for cybercriminals, according a report released this week by the Anti Phishing Work Group.
Over the last two quarters of 2012, phishing attacks aimed at online gamers jumped from 2.7 percent in the September frame to 14.7 percent in the December quarter, the APWG said in its Phishing Activity Trends Report for the fourth quarter of 2012.
In-game items held in those accounts can also be sold by phishersfor real-world cash, it continued. Depending upon how much information is revealed, the victims can even have their real-life identities stolen.
“Online games are very popular—lots of people are attracted to them—and phishers like to go where the people go,” Carl Leonard, senior manager of Websense Security Labs, said in an interview.
Within online games, especially PC massively multiplayer online games, are value systems used to make in-game purchases that can be turned into money by cybercriminals, explained APWG chairman and founder Dave Jevans.
“Virtual currencies are on the rise and gaming credits are worth money,” Jevans told CSO. “Anything that’s worth money is going to get attacked.”
Less concern for privacy by gamers
Gamers are a rich source of another prize for phishers: personal identifying information. “Any personal identifying information is extremely valuable in the underground markets,” Websense’s Leonard said.
To cybercriminals, gamers can be easy pickings because game culture plays into a scammer’s hands. “The generation that’s grown up with this stuff has a different level of concern about privacy and interaction with people on the Web,” the author of the APWG report and President and CTO of Internet Identity (IID), Rod Rasmussen, said in an interview.
In addition, many gamers engage in dubious activities themselves. “There’s a lot of people trying to get a leg up on others playing a game,” Rasmussen said. “A lot of the stuff is done in a gray market fashion.”
“Because a gamer may already be in a gray area already, it can be easier to slip something passed somebody because they’ve already lowered their guard to get what they want,” he added.
Gaming sites serious about security
While gamers may take security precautions lightly, the operators of the games don’t. “Gaming sites are interested in using good security,” Websense’s Leonard said.
Security measures implemented by the sites include PCI compliance to protect credit card information, SSL, two-factor-authentication and encryption.
That doesn’t mean that hackers haven’t found ways to compromise gaming sites, he added.
“Many websites are using vulnerable web servers that they haven’t kept up to date,” he said. “That’s what malware authors seek out.”
Those authors use kits that can analyze many websites for vulnerabilities that can be used to inject malicious code into the sites. Once infected, the malcontents use phishing messages to lure victims to the sites to infect them.
For some time now, phishers have been drifting away from their traditional practices and gravitating toward malware propagation, IID’s Rasmussen said.
In a classic phishing scam, you receive an email from a trusted source—a bank, for example—that contains a link to a phony website emulating the source’s. There, personal identifying information is cajoled out of you.
“That continues,” Rasmussen said, “but what we’re also seeing those same techniques being used to drive people to exploit sites.”
“When you arrive there your browser gets hit with a series of exploits,” he continued. “If it hasn’t been patched, then your computer can get infected.”
“That’s upping the game a bit from the phisher’s perspective,” he added