The database, which was freely accessible to the public without a password, contained thousands of credit card details. However, the researchers quickly surmised that they had not stumbled across an all-too-familiar story of a corporation being sloppy with its customer data but rather a database belonging to credit card thieves (commonly known as carders).
And this particular gang was hoping to launder money stolen from these credit card accounts through mobile games.
As anyone who has played many of the most popular smartphone games will know, the demand for in-game currency is substantial. Many players are addicted to the notion of advancing in the game or frustrated by a free game’s mechanics that force them to wait a long period of time for features to be unlocked. Inevitably, this has resulted in some players trying to find unofficial shortcuts to make progress.
The security researchers realized that they were dealing with a carder gang who had created a sophisticated automated mechanism for creating fake Apple ID accounts with stolen card information and buying virtual “gold”, “gems”, and other in-game power-ups within games.
These virtual goodies would then be sold to other game players on third-party markets such as G2G. In short, the gang was receiving money in exchange for the game currency or power-ups, without any making any obvious link to the stolen credit card data.
In this particular instance, the fraudsters are said to have targeted popular games such as “Clash of Clans” and “Clash Royale” as well as Kabam’s “Marvel Contest of Champions”. Kromtech says that these three games alone have over 250 million aggregate users, generating approximately US $330 million USD in revenue each year.
The sheer popularity of such games, and the money they generate, was clearly too tempting for the criminals to resist.
Supercell, developer of “Clash of Clans” and “Clash Royale”, warns players not to be duped into buying cheap gems or diamonds from unauthorised third-party sites. Not only could your account be permanently banned, but you could be handing control of your Apple ID and Google Play account over to criminals:
UNAUTHORIZED GEM BUYING/SELLING
Certain websites and individuals might offer cheaper gems/diamonds. Don’t be fooled – it’s a scam.
Such services request private login data (such as Apple ID, Google Play credentials, etc) in order to access your game account. These vendors will gain access to your account and oftentimes, hijack the account and try selling it to other players.
IMPORTANT: If you release your private information/credentials to 3rd parties, you’re permanently placing your game and financial/online security in a high-risk situation.
Consequences of misconduct: Purchasing gems or diamonds from 3rd party vendors can lead to revoked in-app currency and can even get your account permanently banned.
In the opinion of the researchers, more can be done to prevent organized criminals from laundering money via mobile games. They are argue that more steps should be taken to better verify credit card details, names, and addresses when Apple ID accounts are created. Furthermore, service providers are called upon to better secure their account creation processes from being abused by automated tools. And both Apple and the game developers themselves are urged to improve policy enforcement and better track abusers.
Of course, we probably would have never known this criminal scheme was taking place in the first place if the money launderers hadn’t carelessly left their database of credit card details carelessly exposed on the public internet.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.