Upload time: 2018-07-19      Views: 792
Automated money-laundering scheme found in free-to-play games

https://nakedsecurity.sophos.com/2018/07/19/automated-money-laundering-scheme-found-in-free-to-play-games/


An unsecured MongoDB database has exposed what security researchers say is an automated money-laundering operation. The scam involves credit card thieves automatically creating fake Apple accounts and gaming profiles to profit from transactions on gaming sites.


On Monday, Kromtech’s Security Center explained that crooks are reaping profits from games that are free to play by reselling resources – for example, gems, gold, other virtual objects that give players extra abilities (known as power-ups), or games themselves.


It’s a rich vein to mine: according to one report, the gaming industry saw revenues of $108.4bn in 2017, with most of it – $82bn – coming from free-to-play titles.


Kromtech communications director Alexander Kernishniuk said in a post that money laundering in app stores is far from a new idea: in 2011, for example, Apple’s App Store was flooded with expensive, oddball apps that nobody was actually buying, the bulk of them from China.


Money laundering is one thing, but Kromtech wound up finding something Kernishniuk called “much more sophisticated.”


While conducting security audits of unsecured MongoDB databases, security researchers saw a newly created, “strange” database – open to the public, with no passwords or credentials required – that held a large number of credit card numbers and personal information. Given that the groups of records were in round numbers – 10K, 20K, 30K – the records were likely bought on the market for carders: i.e., those who buy stolen credit card numbers in large lots.


Kromtech researcher Bob Diachenko told Bleeping Computer that the group had it down to a science: they were using a special tool to create iOS accounts using valid email accounts, then they were adding a stolen payment card’s details to one of the new iOS accounts.


Then, they used another automated tool on jailbroken iOS devices to spread the workload, which consisted of installing games, creating in-game accounts, and buying game features or premiums that they later re-sold online for real money.


The database was only a few months old. The credit card thieves were using the records to target just three games: Clash of Clans and Clash Royale, both from game maker Supercell, and Marvel Contest of Champions, from Kabam. The three games – all together, the trio has 250 million users – have a very active third-party market for selling resources.


Kromtech said that the automated tool its researchers found, and its users, currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania. The database contained 150,833 unique card entries, each with full card number, expiration date, and CVV. The cards belonged to 19 different banks.


Kromtech says that it’s easy to automatically create new accounts on a large scale because Apple only requires a valid email address, a password, a date of birth, and three security questions to create an Apple ID. Email accounts from various providers are also very easy to create en masse, with little verification required. Put the two together, and accounts could be churned out lickety-split, in great numbers.


But wait, there’s still more automation yet in this scheme: not only did the crooks automatically create accounts, they also automatically filled in credit card details until they hit on a valid one, then they automatically purchased games and resources, automatically posted games and resources for sale, used a digital wallet for order processing, and used multiple Apple devices to distribute the load.


Kromtech:

The end result, an automated money laundering tool for credit card thieves.


There are a few hurdles that should slow down this type of automated thievery. For one, email services could require phone verification, which some are, in fact, doing. VoIP burner numbers are still easy to get, but at least phone verification would make it tougher to get email accounts in bulk.


For another thing, Apple does try to validate the credit cards by charging, and then refunding, $1. But Kromtech isn’t impressed by the company’s verification processes, given that researchers spotted many transactions that went through using cards that had an incorrect name and address.


Perhaps verification is minimal due to the low dollar amount of the charge, but a stricter credit card verification would make it a bit more difficult for the carders.

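As an added illustration (not from the article or from Kromtech’s research), here is how a payment or app-store platform could flag the two patterns described above on its own verification-charge records: an account that cycles through cards shortly after sign-up until one is approved, and a verification charge that succeeds despite a billing name/address mismatch. The record layout, field names and thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of $1 card-verification attempts by newly created
# accounts. The tuple layout is an assumption for this example, not a real
# payment-platform log: (account, seconds since sign-up, card token,
# issuer result, billing name/address matched the issuer's records).
ATTEMPTS = [
    # ordinary user: one card, approved, billing details match
    ("acct-001", 3600, "tok-a1", "approved", True),
    # carder account: cycles through stolen cards minutes after sign-up
    ("acct-002", 40, "tok-b1", "declined", False),
    ("acct-002", 55, "tok-b2", "declined", False),
    ("acct-002", 70, "tok-b3", "declined", False),
    ("acct-002", 88, "tok-b4", "approved", False),
    # account whose only card was approved although name/address were wrong
    ("acct-003", 500, "tok-c1", "approved", False),
]


def flag_accounts(attempts, min_cards=3, window=600, min_decline_ratio=0.5):
    """Return {account: [reasons]} for accounts matching either abuse pattern."""
    per_account = defaultdict(list)
    for acct, age, token, result, matched in attempts:
        per_account[acct].append((age, token, result, matched))

    flagged = defaultdict(list)
    for acct, rows in per_account.items():
        # Card testing: several distinct cards tried within `window` seconds
        # of sign-up, with most of the attempts declined.
        early_cards = {token for age, token, _, _ in rows if age <= window}
        declines = sum(1 for _, _, result, _ in rows if result == "declined")
        if len(early_cards) >= min_cards and declines / len(rows) >= min_decline_ratio:
            flagged[acct].append("card-testing")
        # Weak verification: a charge went through although the billing
        # name/address did not match the issuer's records.
        if any(result == "approved" and not matched for _, _, result, matched in rows):
            flagged[acct].append("approved-with-billing-mismatch")
    return dict(flagged)


if __name__ == "__main__":
    for acct, reasons in flag_accounts(ATTEMPTS).items():
        print(acct, ", ".join(reasons))
```

In production the thresholds would be tuned against the platform’s real decline rates, and the flags would feed a review queue rather than block on their own.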

Kromtech has notified the US Department of Justice about the operation. Ditto for Supercell and Apple. I’ve reached out to Apple for a comment and will update the story if I hear back.


While the focus here is on Apple, Google Play isn’t immune to this type of abuse either. Kromtech’s researchers said they saw instructions on how to rebind Google accounts, with payments, to user IDs in Supercell. Rebinding means that a player can log in on other devices, as long as they remember their binding details.


Don’t play into the scammers’ hands

Kromtech advised players not to fall for offers of cheaper gems/diamonds. They’re scams. Such third-party services request private login data such as Apple ID or your Google Play credentials to access your account, but they often hijack the account and sell it to other players. Also, once they have access to your credentials, scammers can jeopardize not only your gaming security but your financial security, as well.


If that’s not harsh enough, buying gems or diamonds from third-party vendors can lead to having your in-app currency revoked, or even get your account permanently banned.


Finally, here’s a rare thumbs-up for unsecured databases: Like we’ve said in the past, they’re still the low-hanging fruit of the internet.


MongoDB, a NoSQL database, turns up all too frequently in security-breach headlines, which is why we always urge people to make sure they read the security manual of whatever NoSQL database service they’re using, and that they implement all the available security controls.


However, fortunately for all of us law-abiding citizens, carders and other crooks are also mere humans, prone to the same poor database security that others grapple with. This money-laundering scheme came to light because of it – a rare instance of a silver lining on a security failure!