Free-to-Play iOS Games Hit by Automated Money-Laundering Scam

  • Special Content faviconSpecial Content

    By StaffAug 1, 2018, 1:04 am1.2k pts


    Just a few months after the gaming community was rocked by revelations of the full extent of the Fortnite hacking scandal, which saw thousands of players' accounts breached, a series of games in the App Store has become the target for cybercrime.

    Security researchers at Kromtech recently unearthed a sophisticated money-laundering operation involving fake Apple accounts and three popular, free-to-play games. Kromtech discovered a "strange" and unsecured MongoDB database that contained credit card and personal information - "As we examined the database we became aware this was not your ordinary corporate database . . . (it) appeared to belong to credit card thieves," said Bob Diachenko, Kromtech researcher.

    The scammers were targeting two Supercell games (Clash Royaleand Clash of Clans), and one Kabam game (Marvel Contest of Champions). Like most games in the free-to-play bracket, these titles require certain resources to advance through the games, such as gems, power-ups, gold and add-on games, etc. It can take gamers months to manually accrue free resources, so publishers sell them as in-app purchases with the allure of speeding up their gameplay. Consequently, the free-to-play sector of the industry is valued at hundreds of billions of dollars.

    By creating a number of iOS accounts, which were filled with stolen but valid credit card details, the scammers purchased these games and resources. Using an automated tool installed on various different jailbroken Apple devices, the gang installed the three games, created in-game accounts and then purchased the premium features that they would later resell for a profit online.

    In-app purchases never lose value and are typically traded on third-party marketplaces. These three games, in particular, have an active trading market, with players making use of third-party websites like g2g.com to buy and sell their resources. Unfortunately, it also means that the window is open to scammers to carry out illegal trading as much as it is legit gamers.

    It isn't the first time that Apple has been hit by controversy. In 2011, the Danish App Store was inundated with expensive apps that raised alarm bells. Included among the applications, which ranged in price from $50 to $100, was the $78-priced LettersTeach- an English-language learning tool. Said overpriced additional app, together with data that revealed over 80 percent of the apps (in the Dutch store, remember?) were downloaded in China, pointed toward a money-laundering scheme. By comparison, however, this current attack is much more serious and sophisticated.

    So, what can be done to increase security for mobile users? Well, there are some lessons to learn from publishers in the mobile iGaming sector. Leading platforms that have released apps, such as Full Tilt Poker, typically use an encrypted software as a starting point and increase additional layers of security, including RSA-security tokens and unsavable account passwords wherever possible.

    Then there's the digital purchasing habits of App Store users, and online consumers in general. The rise of decentralized cryptocurrencies has led many to ditch traditional purchasing methods like credits cards and even PayPal, in favor of Bitcoin, Ethereum and the like. These virtual currencies, especially those running on peer-to-peer blockchains and distributed ledger technologies (DLT), do have the potential to offer enhanced security for customers and merchants alike. However, they aren't without their unique security risks - Crypto-cleansingis the latest method to be used by fraudsters to launder illicit funds using digital currencies.

    It does seem that for each new technological innovation there's a whole new wave of crime that goes with it, and the battle to protect online consumers from nefarious hackers and fraudsters is never-ending. Ultimately, however, individual consumers can protect their details online with that old triptych of never using the same password more than once, switching off auto-complete settings on all browsers in use and keeping one card solely for online purchases.



Trending Today on MacHash