• The Cybercriminal Roots of Selling Online Gaming Currency
[quote]Buying online game currency from third parties may sound relatively harmless—after all, it’s not illegal, the practice only involves virtual money used in an online game, and when all is said and done, it's hard to imagine it having any impact on the real world outside the game. Unfortunately, we found that the trade of online game currency could lead to serious real-world implications. Not only did we discover that cybercriminals are actually profiting off this legally-gray practice, but also using it as a way to launder their stolen money and fund further cybercrime efforts. First, the cybercriminals acquire the game currency, usually by exploiting bugs and loopholes in the game or by stealing it from player accounts. Then, after advertising the sale of stolen currency through websites and social media (and then the selling itself), the payments are converted into cryptocurrency to make it untraceable. This laundered currency can therefore be used in multiple ways, from buying even more online game currency to sell, to cash out for real-world expenses, or funding cybercriminal operations.[/quote]
[url]http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cybercriminal-roots-selling-online-gaming-currency[/url]
A link to the full paper, which has all the interesting info: [url]http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cybercrime-online-gaming-currency.pdf[/url]
[quote]After all, the skills used in harvesting gaming currencies–glitching/hacking larger servers, running phishing campaigns, spreading infostealing malware–are all applicable to other traditional forms of cybercrime.
Based on our observation, some of the cybercriminal pursuits that are fueled from the profit of the sale of online gaming currencies are as follows, but not limited to: DDoS services, infrastructure rental (for cybercrime purposes), spam campaigns (which can result in ransomware infection), identity theft/fraud, and many others. It is also important to note that selling various online gaming currencies is an effective method to launder real world money that is stolen or gained from other forms of cybercrime.[/quote]
I never realized there was malware targeting specific games. Makes Steam's push for 2-Factor a bit more reasonable, if poorly implemented. I really recommend reading the full article to see the impact this has, for example how/why DDoSers of game servers get their money and influence.
2 way is water under the bridge, there's very little that can be done by users other than having a decent pw but even then websites induce bad password behavior... Like demanding you reset your password every month, not looking at anyone.
ironically the best way to defeat this is just to offer in game currency yourself. blizzard fought gold sellers for so long only to introduce WoW-tokens which pretty quickly killed gold resellers
[QUOTE=Blizzerd;51221616] Like demanding you reset your password every month, not looking at anyone.[/QUOTE] If you're talking about Facepunch you only need to change your password when you get banned IIRC. My solution would be to stop getting banned every month.
[QUOTE=Sableye;51221623]ironically the best way to defeat this is just to offer in game currency yourself. blizzard fought gold sellers for so long only to introduce WoW-tokens which pretty quickly killed gold resellers[/QUOTE] Grand Theft Auto 5's online mode is a great example of how to not do this. You can buy a hundred million in-game dollars for $10 from hackers, while official Rockstar pricing puts that to about $1250.
[QUOTE=Blizzerd;51221616]2 way is water under the bridge, there's very little that can be done by users other than having a decent pw but even then websites induce bad password behavior... Like demanding you reset your password every month, not looking at anyone.[/QUOTE] GOSH I wonder why this could beeeeee [editline]18th October 2016[/editline] [QUOTE=XeroG;51221657]Grand Theft Auto 5's online mode is a great example of how to not do this. You can buy a hundred million in-game dollars for $10 from hackers, while official Rockstar pricing puts that to about $1250.[/QUOTE] funny thing too is, rockstar doesn't really actually punish anyone. Unban waves hit and the servers go to shit.
[QUOTE=Radio Flyer;51221643]If you're talking about Facepunch you only need to change your password when you get banned IIRC. My solution would be to stop getting banned every month.[/QUOTE] I try but mods don't cooperate for some reason... I get banned left and right for stuff like not capitalising the f in Facepunch or 'predicting moderation actions' [highlight](User was banned for this post ("Offtopic" - Craptasket))[/highlight]
[QUOTE=Sableye;51221623]ironically the best way to defeat this is just to offer in game currency yourself. blizzard fought gold sellers for so long only to introduce WoW-tokens which pretty quickly killed gold resellers[/QUOTE] Guild Wars 2 sells gems for real world money which can be turned into in game money. There is still unofficial gold selling stuff going on.
It still does not take away from my point though... It's dumb to ask any user to reset their pw any more than needed.
[QUOTE=mdeceiver79;51221710]Guild Wars 2 sells gems for real world money which can be turned into in game money. There is still unofficial gold selling stuff going on.[/QUOTE] Hardly as big as it is for many other games though thanks to the gem system.
[QUOTE=Blizzerd;51221616]2 way is water under the bridge, there's very little that can be done by users other than having a decent pw but even then websites induce bad password behavior... Like demanding you reset your password every month, not looking at anyone.[/QUOTE] 2FA implemented correctly is really the only way to go if you actually want any worthwhile form of authentication. Passwords that are actually practical and memorable for the average user are practically useless against a determined attacker. Single factor password authentication is on the way out, and even at this point it's really just a facade of security for users.
[QUOTE=amos106;51231423]2FA implemented correctly is really the only way to go if you actually want any worthwhile form of authentication. Passwords that are actually practical and memorable for the average user are practically useless against a determined attacker. Single factor password authentication is on the way out, and even at this point it's really just a facade of security for users.[/QUOTE] 2FA is annoying and I don't see it replacing just passwords ever.
[QUOTE=Map in a box;51231896]2FA is annoying and I don't see it replacing just passwords ever.[/QUOTE] How is having to read a code off your phone annoying? I can reliably unlock my phone and start the app before the site even loads the form to enter the 2FA. Knowing someone can't just guess my password and reinstall my dedicated server is worth the extra 5 seconds of my life every time I log in, takes longer for KeePass to auto type the 64 character password anyway.
[QUOTE=helifreak;51231938]How is having to read a code off your phone annoying? I can reliably unlock my phone and start the app before the site even loads the form to enter the 2FA. Knowing someone can't just guess my password and reinstall my dedicated server is worth the extra 5 seconds of my life every time I log in, takes longer for KeePass to auto type the 64 character password anyway.[/QUOTE] KeePass is fast enough for me
The currency problem could be fixed now, just remove the currency. As for laundering stolen money, that's always been hard to do as criminals are very good at investing their efforts into the economy and various ventures.
[QUOTE=Map in a box;51231896]2FA is annoying and I don't see it replacing just passwords ever.[/QUOTE] It's going to happen, as long as computing technology becomes more powerful over time, bruteforcing will become viable for longer and more complex passwords. Single factor password authentication is simply not scalable. Unless you plan on writing a small essay of a password every time you go to log in, you're going to need to use 2FA. 2FA doesn't even need to be a time sensitive code like most people are used to seeing, all you need is some sort of physically unclonable object that you can prove you have possession of.