We have talked a lot about theft in the real world so I guess it is about time we also discuss theft in virtual world. The BBC reported that some Trojan software are now targeting Online Games and stealing login information from their victims. Microsoft have stated that Taterf (one such Trojan) was reported to have infected nearly 5 million computers in the last 6 months of 2008.

So why do malicious people bother stealing online games credentials? The answer as always is Money.

Since the dawn of online gaming people have figured out that there is money to be made by selling virtual and actual goods ‘in game’ currency. As opposed to offline games, online games are generally slower to generate ‘‘in game’’ money for the players. ‘in game’s, money will also help players buy better equipment which will give them an edge over other players. This creates two needs that malicious people can exploit.

The first need is obviously for ‘in game’ money and then there is the need for premium virtual objects. Where there are needs one can be sure that there will be people selling items to satisfy those needs and here it’s no different. While selling / buying game items including ‘in game’ currency is generally prohibited by the EULAs of most, if not all, online games the practice is still widely used. A quick search on Google returns numerous sites that sell gold and/or items for World of Warcraft and other games. Prices are quite similar with the cheapest I found being $31.49 for 5000 World of Warcraft Gold coins whilst the most expensive site wanted $47.99 for that same amount of gold. Now the question is ‘what’s the worth of 5000 gold coins really?’Well for a new player who plays casually 5000 gold coins will mean a couple of months of gaming but this is just a very rough estimate. For veteran players these sites sell bundles of 100,000 gold coins at the cost of ~$600. And that’s not all.  It’s also possible to buy ‘in game’ items with prices for rare items going for +$1000 each. This all illustrates that even though we’re talking about games and items that do not really exist; they still have real world value which makes them worth stealing.

The people who are selling these items do not have magical ways to acquire them. In some cases bots are used to acquire these resources. Bots are a software program that take control of the game and perform tasks automatically without a player’s intervention. While they are great to generate gold while someone is busy either at work or doing something else, they are forbidden by the game EULAs as well. A court has also ruled against one such bot and this is the only court case I know off against such programs. Furthermore accounts using bots are sure to be banned if caught, so using bots to generate gold is not very efficient. This leaves one other option to obtain gold and items in mass quantities and efficiently – steal them off other players and the only way to do that is if someone gets access to that player’s account.

Another motivator for people to resort to stealing virtual items is that it is generally safer for them to steal virtual items than it is to steal money/items in the real world. Prosecution of people stealing virtual items is quite low if at all, while if one were to steal money from a bank one can be sure they will have the police looking for them almost immediately. This is not to say that stealing virtual items automatically makes a person safe, as this story illustrates – a guy killed another player for stealing his virtual sword after the police said they couldn’t do anything about it.

In conclusion, people who play online games invest both time and money in them and they too are assets that require protection. Security is not something that applies only to big companies, even a home user who uses his computer exclusively for gaming needs to secure his environment or risk losing everything virtual that they own. In short, the threats you need to defend against in your online game are not just enemies within the game but also malicious people in the real world who would love to get hold of your items the easy way.

Something to consider is that if someone has access to your account it means they have access to your credentials. If those same credentials are used elsewhere then that too is at risk. This is more so if those same credentials give access to systems inside your company IT infrastructure. Even though the risk might be low since the person who stole the credentials needs to link you to your workplace it still can be done. For this reason and more it is good practice to change all the passwords in the event that a password which gives access to multiple systems is compromised.

The usual tips apply here as well.

  • Always ensure you are running an antivirus programme that is up to date.
  • Do not visit dubious sites that might carry viruses or at least ensure that your web access is also scanned for possible viruses.
  • Do not click on email attachments without knowing what they are, especially if they are executables – no matter who is sending them.
  • Always ensure that your computer has the latest patches and is fully up to date.

It is also good to remember that your game credentials are likely to be a target for malicious people almost as much as bank credentials are. For this reason I would recommend that you try to use unique credentials for online games. Do not use the same login and password you use for your systems, emails and anything else.