Innovative ways to fool people

It's gotten to the point where Sony set up its own auction site for players of EverQuest II to buy and sell game property (thus allowing the company to make a cut on all transactions, of course). And as further weird amalgamations of virtual and real economies occur, we now have computer sweatshops appearing in China and Mexico, in which young men are paid a few dollars per day (or less) to sit and play games like World of Warcraft and EverQuest for about 12 hours a day, performing often mind-numbing tasks in order to create virtual wealth. The bosses that pay these young men then turn around and sell that virtual property to gamers in the real world, at fantastically higher rates. They earn real money that exists outside the virtual world.

It was therefore inevitable that bad guys would see an opportunity to steal money in settings like this. Now someone has. The most popular of these MMORPGs (Massively Multiplayer Online Role-Playing Games) is undoubtedly World of Warcraft, with over six million players worldwide. A few days ago, it was reported that a new Trojan has appeared on the scene: PWS.Win32.WOW.x. Spread via email, IM, and Peer2Peer file sharing - and gamers tend to do a lot of each of these - as well as through our old friend the malicious pop-up ad that exploits Internet Explorer vulnerabilities (and you know you shouldn't be using IE, but perhaps you are a masochist), this Trojan is brilliant in its limited, precise scope. Once installed, Win32.WOW tries to steal a World of Warcraft user's name and password. Armed with that information, the criminal logs in to the user's online Warcraft account, transfers all the player's virtual property to an avatar controlled by the attacker, and then sells the property on a gray-market auction site for real money. By the time the player figures out what has happened, their character is denuded of all his goodies and the villain in this story is long gone.

This misdeed isn't necessarily going to net the attackers a lot of money, though it may in certain cases. It's a low risk crime that is easy to run and probably works in many cases. Not to mention - and I hate saying this, but I'm sure it's true - it's probably a lot of fun as well. As we see more collisions between virtual and earth-bound economies, in which money moves between these two worlds, I guarantee we're going to see more attacks of this sort.

In one sense, all three of the criminal attacks I've discussed aren't original. In the case of Sumitomo Mitsui, the attackers used inside access, disguise, and keyloggers, while the perpetrators of ransomware use the same threat victims have heard for millenia: "Your money or your life!" Just substitute "data" for "life," and you're now in the 21st century.

Finally, the World of Warcraft Trojan is... well, a Trojan horse, and we know how old that is. Couple that with simple theft, and what seems shockingly new is revealed as a trick about the same quality as Magruder sending his men marching around and around to be seen through a gap in the pine trees: an "old wheeze". It took four years of blood and suffering to finally beat the Confederates; unfortunately, But IT security is just getting started. I have the feeling we're going to be dealing with the ramifications of these dirty tricks for a long, long time.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Scott Granneman teaches at Washington University in St Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Hacking Knoppix, is in stores now.