Though the majority of gaming companies prohibit the real-money trading of online gaming currencies, the practice is still widespread, and according to Trend Micro researchers, the money that cybercriminals earn through it is used to mount DoS attacks, spam campaigns, perpetrate identity theft and financial fraud against a variety of business and organizations, and so on.
Until players stop trying to buy in-game currencies, cybercriminals will try to get it and sell it.
And while some of the ways the latter get their hands on the currency uses illegal means (such as malware), real-money trading of it is not effectively illegal, as is not gold farming, botting, or the use of exploits to take advantage of glitches and bugs in the gaming platforms to gain gaming currency or pricy virtual items.
The worst thing that criminals selling/trading in-game currencies can be hit with is the suspension or termination of their gaming accounts – and they can easily open new ones and continue with the scheme.
How do they do it?
This image succinctly explains the whole process:
The steps cybercriminals take in using online gaming currency to fund cybercriminal activities
“Some of the popular games listed on websites selling online gaming currencies are World of Warcraft, Guild Wars/Guild Wars 2, League of Legends, and Final Fantasy XIV– all of which are MMORPGs that have a stiff competition on resources and experience,” Trend Micro researchers note.
Other popularly sold currencies include those used in Minecraft, FIFA, Grand Theft Auto V, Star Wars Online, Guild Wars 2, Path of Exile, and so on.
Most of these games are played on PCs, and this is not unexpected, as the criminals rely on malware and phishing to steal gaming currency and items from users’ compromised accounts.
“The profits a cybercriminal gains from selling a particular gaming currency does not end after the buyer claims his/her purchase. Depending on how the cybercriminal obtained the gaming currency, there is a chance that incidental profits can be made,” the researchers point out.
“For example, if the cybercriminal used an infostealer or RAT to hack into a player’s account, then the cybercriminal can loot that account for other credentials or personal information, which can be sold to other cybercriminals. Cybercriminals can also retain control of the hacked system and use it for malicious purposes, such as DDoS attacks, identity theft or fraud, and even for social engineering (like pretending to be the user/player and scamming the player’s contacts in the game).”
In addition to all this, the trade and sale of online gaming currencies is also a way for cyber criminals to launder real world money that is stolen or gained from other forms of cybercrime.
Everybody loses (except the crooks)
Gaming currency selling/trading schemes are bad for game companies, gamers who get swindled out of their fairly gotten currency and items, organizations and businesses that are targeted with attacks funded through the proceeds of such sales, and human workers that are engaged in grueling, sweatshop-style gold farming operations, the researchers note.
“In the basic sense, buying and selling online gaming currencies is not illegal. Players should, however, practice caution in participating in such an exchange since they may, after all, be financing cybercriminal acts that will have devastating real-world implications,” they concluded.