Virtual worlds, real attacks

Computer games have been around for as long as many of us can remember and during this time, they have evolved significantly. While one of the most obvious changes has been in the graphics, there has also been a considerable evolution in terms of the role gaming plays in our lives and the opportunities it offers.

When gaming first became popular, it was primarily a solo activity and the only way to compete against other gamers was to huddle around one computer.

The Internet has changed this: there is no longer a need to be physically in the same place in order to compete and the growth of virtual worlds has taken gaming to another level, with the integration of the worlds of social networking and gaming.

Nowadays, gaming provides the opportunity to live another life parallel to the one you live in the real world and, as in reality, money often plays a pivotal role. As a result of this drastic change, online games are now a lucrative business - for game developers, players and cyber-crooks - and have become a prime target for cyber-criminals looking to exploit vulnerabilities for moneymaking gains.

The number of online games, especially multiplayer online role-playing games (MMOGs), has grown rapidly in recent years and security and data issues have increased in line with this. Online gaming is now starting to suffer from real-world problems - theft of identity and virtual assets, extortion and even terrorist attacks.

MMOGs are supported by virtual online communities, where people compete, fight, buy, sell, trade, study, travel and do many other things that people do in real life. It is, therefore, not surprising that online gaming is beginning to be plagued by almost all of the problems of the real world.

Online communities can grow their own economies, virtual currencies are converted into real money and then back to virtual funds, so it is only natural that virtual profits have become increasingly targeted by cyber-criminals. If Willie Sutton, the accomplished twentieth century American bank robber, were alive today, he probably would have an avatar and would be writing password-stealing Trojans.

Online computer games are large, intricate programs that require permanent Internet connections, so exploitation of vulnerabilities in an online game could be used to steal user data from both real and virtual environments.

Since the beginning of this century, we have seen significant growth in advertising and shopping within games and this leads to spam, phishing, adware and spyware.

The number of online games and their subscribers is growing at an extraordinarily rapid rate. According to one study, the online gaming market grew 288% from 2002 to 2005. According to market research firm Parks Associates, worldwide revenue from online gaming exceeded $1.1 billion in 2006 and the company predicts that the revenue will triple by 2009. The biggest share of this market is currently MMOGs and predictions are that this position will not change until as far ahead as 2009.

Moreover, the amount of time people spend playing online games is considerable, with more than 25% of gamers playing for more than 30 hours every week.

So, what does this really mean in terms of the potential for threats to become prevalent and for cyber-crime to infiltrate the world of gaming? In most games, players collect and produce some sort of virtual commodities.

These can be virtual objects, such as weapons, clothes, property, furniture and music as well as money and relationships - you can be a lord of a castle with many subordinates and even get married virtually. Even names of characters are valuable and can be resold at a profit, which is a virtual equivalent of cyber-squatting (registering domain names to resell in the future). Virtual objects are traded in two connected markets - fully virtual and real. The intertwining of real and virtual markets is growing and there are now real shops in virtual worlds (where you can buy real goods with virtual money). Both of these markets attract criminal elements.

Gaming is extremely popular in the Asia-Pacific countries and a worrying trend is emerging: according to a study in Taiwan, 37% of criminal offences are related to online gaming. The level of penetration of virtual offences into real life is alarmingly high. Many of the players are fairly young, and this is reflected in the statistics that show that most offenders belong to the 15-to-20-year-old bracket.

Many banks have already announced their plans to open virtual branches - a move that would eventually combine all the known risks of Internet banking with the risks of virtual identity and data theft.

In short, the threats are diverse and each needs to be considered by anyone joining the online gaming world. The main risks, including some examples that have been seen, are outlined below:

* Money laundering: The in-game economies of virtual worlds have been hijacked, in many cases by cyber-criminals attempting to hide their profits through the exchange of virtual currencies.
* Economic value: As virtual items become more rare or more difficult to achieve, their inherent time value creates a fiscal worth in the game's currency and real life.
* User-created content: A user-created code in Second Life caused a visual simulation of a terrorist attack.
* Unforeseen consequences of in-game events: A virtual illness created for World of Warcraft killed hundreds of players in several populated areas on multiple servers when a flaw in its design allowed the disease to spread throughout low-level players.
* Scripting holes: Sloppy scripting allows viruses to achieve persistency, auto-execution, and propagation.
* Messaging spam: The internal messaging services of most online games have often been leveraged for spam by malicious users.
* Phishing: perhaps the worst spamming runs were related to W32/Nuwar (also known as Stormworm) - the perpetrators created a Web page offering "free" games. Links to it were widely spammed, but clicking anywhere on this Web page led visitors to malware.
* Data-stealing Trojans: In a typical attack, data-stealing programs record user IDs and passwords along with the IP addresses or the names of the servers they use. This is done with a key-logger, which records all keystrokes. In more sophisticated attacks, the Web forms are captured, as are mouse movements and even screenshots. The attacker can log into the compromised account and retrieve anything of value. Typically, when a gaming account is compromised, attackers will convert the objects they steal from online gamers into virtual currency - and then convert the virtual currency into real money.

Having seen such explosive growth of online gaming, in which gaming vendors overlooked security in their mission to be the first to market the next big gaming phenomenon, it is always possible that the one area that would be overlooked is security. Developers need to build basic security foundations from the very beginning, as bolting security onto an existing product is a far-from-perfect approach. Most of the attacks that we have witnessed in real life will surface in virtual worlds unless the environment is built with security in mind. Security vendors and gaming vendors need to work together to avoid falling into the same trap again. It is possible to make most attacks in virtual life impossible or uneconomical and there are no good reasons why virtual characters should suffer from the same troubles - spam, phishing, adware, spyware, Trojans, viruses, worms, and other malware - that currently plague our real day-to-day lives.

* Jayson O'Reilly is strategic account executive of McAfee South Africa.