When World of Warcraft spreads to your world

How enterprise networks can take collateral damage

The Windows animated cursor vulnerability hit GuildPortal hard and fast. By March 30, at least 10 attacks coming from Chinese Internet service providers broke in through a Web server misconfiguration, loading keystroke loggers hidden in iFrame tags that looked like welcome messages. The attack infected dozens of the World of Warcraft hosting provider's 50,000 gaming guild portals. It took two days to clean it out of the system.

What were the attackers after? Gaming passwords. These passwords have become increasingly valuable to organized crime rings that have found ways to turn virtual goods acquired in massively multiplayer online games (MMOG) into real-world money.

You might not think of attacks on a game environment as an enterprise problem, until you consider that the majority of the GuildPortal's 1.5 million gamers are logged on during normal business hours, according to Aaron Lewis, who administers the GuildPortal.

That makes online gaming -- and its virtual booty -- a factor that security managers should consider in their risk analysis and policy enforcement programs, says Marcus Sachs, who leads the Washington research team at SRI International's Computer Science Laboratory, which supports the U.S. Department of Homeland Security's research and threat analytics centers.

When virtual goods become money

Sachs and other senior security experts have been sending out alerts about the dangers of online gaming for the past two years. But Lewis says he saw the writing on the wall eight years ago when the IGE -- the Internet Gaming Environment -- emerged. Founded by Brock Pierson, who was previously involved in the boom-era Digital Entertainment Network scandal, IGE purports to provide a "trading environment" in which players can buy and sell virtual assets outside the confines of the games themselves.

Such transactions (known sometimes as RMT, or real-money transactions) contravene many games' terms of services. Many players say they violate the spirit of the games themselves; a comparable situation in the offline world would be buying a high military rank or an Oscar. It also introduces real, out-of-world money into the equation, with perhaps predictable results. "Once it became possible to transform virtual goods into money, it paved the way for laundering, fraud and theft," Lewis says. "It wasn’t a huge leap to keylogging software."

Sachs has even stronger words for the security risks that arise when gamers lose perspective. "These games are taking over the lives of an ever-increasing number of nontechnical adults who prefer to feed their virtual embodiments before feeding their real human bodies," Sachs says. "If they're willing to pay real money for virtual goods, then they are subject to all kinds of crimes."

Gaming password keylogger attacks are already spreading like wildfire. In late January, a number of government and health care sites as well as the site for Dolphins Stadium were breached and seeded with keylogger installers. Those installers were also after World of Warcraft passwords.

Direct, targeted attacks such as the raid that hit GuildPortal in March are also on the rise. For example, late last year, 660,000 denizens of Second Life were exposed to hackers who accessed that virtual world's database directly. (Second Life's Linden dollars, unlike currencies in many online environments, can be exchanged for offline currencies with Linden Labs' blessing.)

'Gold phishing' the lazy

"Gold phishing," or phishing for gaming passwords, is also rampant. GuildPortal's spam filters currently block about 400 unique phishing e-mails each week, Lewis says. When similar phishing lures get through, they tempt users -- some of whom are using enterprise resources to access the guild -- to click things that can infect the network.

Worse, users continue to be lazy about using different passwords for different sites. Graham Cluley, senior technology consultant at Sophos PLC, cites a 2006 study in which 45% of 533 respondents use one or very few passwords to access all their Web-based based accounts. In other words, a password initially captured in order to undermine a game has a very nearly even chance of proving "useful" far beyond the original target.

Lewis notes that as online games gain in popularity, the technical inexperience of the new demographic rises. World of Warcraft alone has 8.5 million players, many of whom are unaware of or not concerned about risks inherent to their gaming behavior, including whether or not they're downloading safe objects or patches, adds Cluley. Even if such users have been exposed to the usual lectures about computing safety in the workplace, they may not be savvy enough to connect the dots where their gaming habits are concerned.

Bots next?

The next crime wave to watch for will be gaming bots, predicts Gary McGraw, co-author with Greg Hoglund of Exploiting Online Games (Addison Wesley Professional, 2007).

Already, IGE, under legal pressure from game vendors, has moved offshore and organized sweatshops of gamers continuously playing to accumulate saleable booty, a phenomenon known as "gold pharming." IGE operates out of China and Mexico, says McGraw, who adds that IGE is just one of many syndicates to build sweat shops in low-wage-earning countries where government are likely to look the other way.

"You can make money, maybe $4 an hour, developing characters, playing the game, and finding virtual loot and selling it," McGraw explains. "To a low-wage worker in a Third World country, just half of that is a lot of money."

McGraw points out that it's only a matter of time before these repetitive functions become automated.

"Slaying dragons, killing monsters, collecting swords, climbing mountains, opening doors and going into dungeons -- all repetitive actions that can be done while you're sleeping," he says. "Then, you wake up in the morning, and you've got a pile of bodies that you can trade for virtual gold."

Once these actions are automated, he continues, what's to stop them from being fully automated and used in botnets?

Beware the Warden

People who buy pharmed gold are looking to trade it for more valuable items like swords, armor, weapons -- anything that helps them advance in a game. Once again, the notorious IGE and others like them facilitate this illicit buying and selling.

And for the amount of security risk that games introduce to the enterprise, many Sophos accounts are choosing to ban games altogether, says Cluley. And it's not just World of Warcraft that they're blocking. They’re also blocking Lineage, EverQuest and Second Life, among other realms. Even mostly harmless offline games such as Solitaire have been caught in the dragnet.

If nothing else, says McGraw, concerned managers should ban World of Warcraft. That's because of the Warden, a monitoring tool designed to combat cheating in that game.

"The Warden gets outside of its own processes and looks around at other events such as titles of other windows that are open, including your IM and e-mail windows," says McGraw. "If IT really examined what World of Warcraft does to every PC it installs on, they'd ban it. Even if they use it internally as a team-building exercise, it still has all these same risks."

Deb Radcliff is a veteran security writer and publishing director at the Security Consortium.

Enterprise mobility 2018: UEM is the next step
Shop Tech Products at Amazon