Automated money-laundering scheme found in free-to-play games

An unsecured MongoDB database has exposed what security researchers say is an automated money-laundering operation. The scam involves credit card thieves automatically creating fake Apple accounts and gaming profiles to profit from transactions on gaming sites.

On Monday, Kromtech’s Security Center explained that crooks are reaping profits from games that are free to play by reselling resources – for example, gems, gold, other virtual objects that give players extra abilities (known as power-ups), or games themselves.

It’s a rich vein to mine: according to one report, the gaming industry saw revenues of $108.4bn in 2017, with most of it – $82bn – coming from free-to-play titles.

Kromtech communications director Alexander Kernishniuk said in a post that money laundering in app stores is far from a new idea: in 2011, for example, Apple’s App Store was flooded with expensive, oddball apps that nobody was actually buying, the bulk of them from China.

Money laundering is one thing, but Kromtech wound up finding something Kernishniuk called “much more sophisticated.”

While conducting security audits of unsecured MongoDB databases, security researchers saw a newly created, “strange” database – open to the public, with no passwords or credentials required – that held a large number of credit card numbers and personal information. Given that the groups of records were in round numbers – 10K, 20K, 30K – the records were likely bought on the market for carders: i.e., those who buy stolen credit card numbers in large lots.

Kromtech researcher Bob Diachenko told Bleeping Computer that the group had it down to a science: they were using a special tool to create iOS accounts using valid emails accounts, then they were adding a stolen payment card’s details to one of the new iOS accounts.

Then, they used another automated tool on jailbroken iOS devices to spread the workload, which consisted of installing games, creating in-game accounts, and buying game features or premiums that they later re-sold online for real money.

The database was only a few months old. The credit card thieves were using the records to target just three games: Clash of Clans and Clash Royale, both from game maker Supercell, and Marvel Contest of Champions, from Kabam. The three games – all together, the trio has 250 million users – have a very active third-party market for selling resources.

Kromtech said that the automated tool its researchers found, and its users, currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania. The database contained 150,833 unique card entries, each with full card number, expiration date, and CCVs. The cards belonged to 19 different banks.

Kromtech says that it’s easy to automatically create new accounts on a large scale because Apple only requires a valid email address, a password, a date of birth, and three security questions to create an Apple ID. Email accounts from various providers are also very easy to create en masse, with little verification required. Put the two together, and accounts could be churned out lickety-split, in great numbers.

But wait, there’s still more automation yet in this scheme: not only did the crooks automatically create accounts, they also automatically filled in credit card details until they hit on a valid one, then they automatically purchased games and resources, automatically posted games and resources for sale, used a digital wallet for order processing, and used multiple Apple devices to distribute the load.

Kromtech:

The end result, an automated money laundering tool for credit card thieves.

There are a few hurdles that should slow down this type of automated thievery. For one, email services could require phone verification, which some are, in fact, doing. VoIP burner numbers are still easy to get, but at least phone verification would make it tougher to get email accounts in bulk.

For another thing, Apple does try to validate the credit cards by charging and then refunding, $1. But Kromtech isn’t impressed by the company’s verification processes, given that researchers spotted many transactions that went through using cards that had an incorrect name and address.

Perhaps verification is minimal due to the low dollar amount of the charge, but a stricter credit card verification would make it a bit more difficult for the carders.

Kromtech has notified the US Department of Justice about the operation. Ditto for Supercell and Apple. I’ve reached out to Apple for a comment and will update the story if I hear back.

While the focus here is on Apple, Google Play isn’t immune to this type of abuse too. Kromtech’s researchers said they saw instructions on how to rebind Google accounts, with payments, to user IDs in Supercell. Rebinding means that a player can log-in on other devices, as long as they remember their binding details.

Don’t play into the scammers’ hands

Kromtech advised players not to fall for offers of cheaper gems/diamonds. They’re scams. Such third-party services request private login data such as Apple ID or your Google Play credentials to access your account, but they often hijack the account and sell it to other players. Also, once they have access to your credentials, scammers can jeopardize not only your gaming security but your financial security, as well.

If that’s not harsh enough, buying gems or diamonds from third-party vendors can lead to having your in-app currency revoked, or even get your account permanently banned.

Finally, here’s a rare thumb’s-up for unsecured databases: Like we’ve said in the past, they’re still the low-hanging fruit of the internet.

MongoDB, a NoSQL database, turns up all too frequently in security-breach headlines, which is why we always urge people to make sure they read the security manual of whatever NoSQL database service they’re using, and that they implement all the available security controls.

However, fortunately for all of us law-abiding citizens, carders and other crooks are also mere humans, prone to the same poor database security that others grapple with. This money-laundering scheme came to light because of it – a rare instance of a silver lining on a security failure!