Thursday, 4 March 2010

Defrauding the fantasy economy

There is an interesting story developing, about World of Warcraft account fraud. The original articles I found are over at Sunbelt Software and El Reg. Apparently, the latest round of WoW account hacks is using malware that intercepts the multi-factor authentication credentials, transmits them to a MitM server, and replays a failed login to the user. Meanwhile the MitM box replays the login data to the WoW authentication servers, and promptly empties their characters of their hard farmed gold. I would imagine that by the time the user successfully logged in, their characters would all be broke.

I feel that there are a couple of important take-aways from this story. The first, is one that plenty of other people have been saying for a long time now. The fraudsters are getting better. They are smart, they are dedicated, and they are engaged in an arms race with the Security Industry.  It raises serious concerns over our ability to stay on top of this arms race. Along those lines is the second point. This is nothing new either, but the end users are the weakest link. Yes, from a technical perspective the vector is a Trojan. Realistically though, it's a social engineering attack. The initial con where you get the user to download and install the new "add-on". Both sides of this attack vector are hard to stay on top of. Firstly, malware authors are very good at creating variants to escape AV definitions, so AV alone cannot be relied upon.  Secondly, how do you make sure users don't fall for these traps. Many would-be pundits will say it is the fault of "stupid users". In some cases this may be accurate, but let's be honest here, fraudsters have gotten VERY good at social engineering.

This is probably the biggest lesson of the over-hyped Aurora incident. Social Engineering can hit anyone. Users at google may not have had any reason to doubt the authenticity of the emails they received. They had no way to sense the  malignant payload carried in those innocent looking PDFs. Sure, intellectually we all know PDFs can have bad things in them. We also knew as kids that some people put razor blades in candy apples. I don't think most people tear apart their fruit before they eat it. Especially if it's someone they trust handing it to them. So how were these WoW users to know that this add-on was no good. There are known 'safe' repositories of add-on, you will undoubtedly say. We have seen how much of a fallacy even that can be. There is no reliable system of trust on the internet. It's a best guess effort. You might check around the forums to see if other people say anything about the add-on. You might do a google-search for the add-on and see what comes up, or even ask people in the game about it. If you're particularly in the know, you might even check the sites hosting it against something along the lines of Mcafee's Site Adviser . What do you do if all of these come up dry? Chances are, you're going to take a chance and install it. Conventional wisdom says, if you notice anything strange during the install, then you panic, remove it, and run an anti-virus. Malware authors are not so sloppy as to make it obvious anymore, though. So now you have installed software that, as far as you can tell, is exactly what it says it is. By the time you might realize you were wrong, it's already too late

So the question becomes, how do we fight this attack vector? There is no silver bullet answer. It is still just a best effort game. So we rely on the things that we know help protect us. We use only known trusted sources. We do some research on software before we install it. We might check Site Adviser, or upload the binary to Virus Total . We make sure our anti-virus is up to date, and our boxes are patched. Every once and a while, we may still get nailed.

There is a third take-away point in all of this, that I'd like to discuss briefly. This is perhaps the most bizarre piece of this. We have seen these sort of things all before. Spend a month reading the security blogs and new sites out there, and you'll be flooded with plenty of stories about targeted malware, and banking trojans. You'll see reports of botnets that stole millions of logins. What is truly strange about this particular case, at least to me, is the target. Remember that we are talking about World of Warcraft here, a video game. We are seeing the same amount of effort put into stealing video game logins as the people who break into bank accounts. People are breaking into a virtual world, committing fantasy identity theft, and using it to empty imaginary bank accounts of money that doesn't exist and cannot be sued outside of the confines of this imaginary world. And yet, they take this imaginary money, and they turn it into real money. It is all well rooted in the theory of supply and demand, I suppose. I, however, cannot shake the sensation that this is truly a strange situation we find ourselves in. It's rather like if we were playing a game of monopoly, and when you weren't looking I stole some of your play money. I then turn around and sell that play money to another player for $100. Is it just me, or does anyone else find this to be insane?

No comments:

Post a Comment