Category Archives: Antivirus Vendors

Antivirus Vendors

Gamescom: How gaming grew up into a target for crime

With over double the attendance of San Diego’s Comic-Con (340,000 attendees last year, compared to Comic-Con’s 130,000), gamescom highlights not just how pervasive video games have become in our lives, but also how video games have gone since the late 1970s and early 1980s from being a small offshoot of the “traditional” computing industry to becoming a full-fledged multi-billion dollar industry in themselves. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles; and there is a burgeoning market for dedicated gaming hardware for PCs ranging from specialized graphics processors from companies like AMD (formerly ATI) and Nvidia to exotic cooling solutions using liquid nitrogen and metalized thermal interface materials; to the creation of AAA games such as Electronic Arts‘ fifteen year old (and still going strong) The Sims franchise, and Blizzard‘s World of Warcraft, which redefined MMORPG gaming.

Gaming by the numbers

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM
NUMBER
EQUIVALENT TO
The Sims 175 000 000
(copies sold over 15 years)
Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft 7 600 000
(avg. # players over
last 4 quarters)
Cost of 2014 upgrades (in
USD) to Kensington Palace,
United Kingdom
8th generation console units 18 680 000
(PS4+Wii+XBONE units shipped/sold)
Average number of viewers per
episode of Big Bang Theory
during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem.  But in virtual worlds, can real crimes occur?

Game Crime

gamescom

As gaming has moved online, as with next-gen consoles such as Xbox One, crime has moved in

As it actually turns out, there’s actually quite a bit of undesirable activity that can occur online, such as trolling or griefing, which have occurred for as long as people have been playing games online.  The exact nature of these activities varies between games, as do their consequences, but while some online behavior is horrifying, it is not always clear whether an actual crime, prosecutable outside of cyberspace, has occurred and, if so, in what jurisdictions.  Likewise, cheating, while unsportsmanlike, may be a violation of a game’s acceptable-use policy, but not a criminal offense.

Doing time, online

Computer game companies police their virtual worlds to various degrees, as unwanted or objectionable in-game behavior could cause paying customers to leave en masse, with a corresponding drop in revenue.  If warnings are not sufficient, the usual sentence for abusive users is to ban them from playing the game for a fixed amount of time.  Repeat offenders, or those who may have done something especially offensive, may find themselves permanently banned from the game and their accounts closed.

Real thieves in a virtual world

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but also presents criminals with some unique opportunities as well:

Theft of Goods

The longer you play a MMORPG, the more likely you are to get items which are rare, limited edition, unique or otherwise contain powerful buffs for your character.  Game companies create these kinds of items and adjust their scarcity because it helps encourage gamers to pay real money, either for the items themselves, or for in-game currency.  Or the developer may charge a subscription fee to play the game.  And that use of real money is what makes some games lucrative targets for thieves.

In some games’ player-versus-player (PvP) combat, the losers of fights may drop items that they were using in their inventory or currency, upon their in-game death.  In some games, this has led to the creation of gangs or “mafias” who often target new players, either to “loot their corpses” or merely to threaten them with looting in order to obtain their items or currency.

In the real world, gamers are regularly targeted by criminal gangs with phishing emails, as well as password stealing software, in order to gain access to their account credentials.  From there, it is a simple matter for the criminals to empty out the gamer’s account, akin to taking the jewels out of some kind of high-tech safe deposit box.

While some game companies employ sophisticated geolocation tracking and even two-factor authentication systems identical to those employed by banks, others do not, and this makes those game accounts not only vulnerable to being emptied out, but to being stolen themselves.  It can take years of grinding away at some games to reach the upper levels.  For some unsporting game players, that represents an almost irresistible target.

Counterfeiting items

The amount of virtual items (including virtual currencies) is usually carefully calculated by gaming companies, even to the point of employing economists, to help ensure the stability of their virtual economy.  Unfortunately, as in the real world, some virtual worlds are subject to counterfeiting, where in-game items or currency is duped (“duplicated”) over and over again by criminal gangs by exploiting vulnerabilities or bugs in the game, network connection or timing issues, and so forth.

If an in-game item can be duped ad nauseam, it can generate a lot of money, especially if it is the in-game currency that is being copied, and not some scarce or unique item.  While item duping may not be enough to disrupt the in-game economy if the item is not being sold, it does disrupt game play and fairness when characters become seriously overbalanced.

Regardless of why it is being done, counterfeiting can be difficult to deal with, especially if the recipient of a duped item is not aware of its provenance.  This may not stop game admins from removing counterfeit items or currency from a gamer’s account, or even banning the gamer, though.

Gold farming

Although in-game currency is not always golden coins, gold farming is the generic term used to describe players who do nothing but play a game in order to generate in-game currency, which they sell online for real-world currency.  This is particularly problematic in China, where there have been reports that prisoners are used as slave labor to generate revenue for prison authorities.

As with item duping, gold farming is disruptive to gaming economies because it leads to inflation.  Aside from that, it also leads to other problems, both in-game and in the real world, with being spammed with advertisements for gold.  And, as with selling counterfeit or stolen goods, one runs the risk of having the items removed by the game admins or even being banned for having received counterfeit or stolen virtual property.

Companies under assault

Of course, computer criminals don’t just target gamers:  Gaming companies themselves can be targeted as well.  Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts.

ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.  As a result, I am not going to discuss the details of the SONY breach in this article.  Readers should be aware that this sort of problem is not unique to SONY, either.  Almost exactly, two years ago, Blizzard Entertainment suffered a data breach themselves, although they responded in a different and—this author thinks—more responsible fashion.

The point here is that that computer game companies and their associated services face real threats from criminals:  If they charge customers for online play, the purchase of in-game items, or otherwise contain customer billing data in their computers, then those computers systems are targets for financial crime.  But even if they don’t charge customers, their systems might still be targeted by criminals seeking access to accounts for the reasons mentioned in the preceding section.  Game companies recognize this, of course, and as a result their security practices have improved greatly over the past couple of years.

Final thoughts

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet.  You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

I would also suggest reading our Comic-Con 2014: Eight super-powered digital safety tips article.  While Comic-Con is not exactly the same type of conference as gamescom, going to any type of conference with your computer, tablet, smartphone and various digital devices poses similar risks these days, and you may find some helpful information in that article.

Thanks to my colleagues Bruce P. Burrell, David Harley and Righard Zwienenberg for their assistance with this article.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher, ESET

 

Selected Bibliography

For further reading, here is a fairly complete compendium of gaming-related articles from We Live Security:

The post Gamescom: How gaming grew up into a target for crime appeared first on We Live Security.

Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars

It’s still high season for security news, with the last days of DEF CON 22 luring out the best in the business – and causing controversy (as, of course, it should).

The biggest draw was a hack which knocked out the “ultra-private” encrypted Blackphone in just five minutes – although there was much discussion of the techniques used. Silent Circle, creators of the PGP encryption standard, took a secure, dignified response.

They patched – fast – and admitted their errors, saying, “No hard feelings — things get fixed by being found.”

Android versus RAT: Rodent wins

Android users in Russia were offered a bundle of free apps – with one catch. Each had been tweaked to hide malware – a RAT built to steal information. Remote Access Trojans (found on both PCs and Adroid devices) allows an attacker access to data – in the case of Android/Spy.Krysanec, GPS location, contacts lists, web history, contacts lists and more.

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security. Naturally, it was shared through third-party app stores and social sites – not Google Play.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network.

ESET’s Robert Lipovsky says: “users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.”

Wi-Fi: The skies are safe once more

The good news – your aeroplane will not plunge from the skies thanks to hackers armed with iPads – and the idea of hacking planes via Wi-Fi is silly. The bad news: things ARE getting worse.

Black Hat is no stranger to world-changing hacks – but Ruben Santamarta’s talk was described by CNET as “the hacking presentation that will get the most attention”, claiming that plane security could be hacked wirelessly, by Wi-Fi or even SMS.

The debunking didn’t take long. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, thousands of hours of flight time, and has worked on on the development of avionics found in modern airliners. He also recruited an even more qualified but anonymous pilot to help.

Short answer: planes cannot be hacked wirelessly – any model ever built. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircrafts, which use a system “harder to hack” he says.

Several companies have already said wireless hacks were “impossible”, and that access to wired systems restricted: “In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said one.

Polstra warned, however, that “increasing automation” may lead to problems in the future.

Security news: Your router is a time bomb

No wonder cybercrime gangs target routers – yet another “live fire” test against the devices proved they were packed with vulnerabilities. More than a dozen were found in the challenge at DEF CON – and one router-hunter found 11 on his own.

PC World described the devices – the portal into most home networks – as “insecure as ever” as hackers romped through challenges against big-brand devices from Linksys, Netgear, D-Link, Belkin and others.

Once again, the routers proved weak foes – and a second challenge, to extract information from the devices, proved equally easy for the contestants.

Cyberjacking: It’s a word, and it’s happening (soon)

Two researchers who have previously demonstrated hacks against cars declared a new threat this week – in-car web browsers.

In an exhaustive analysis of top car brands, the researchers found that while it WAS possible to compromise systems, the results were limited. A BlueTooth hack, for instance, would not compromise the vehicle – but allow attackers to ‘pair’ devices.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

 

Two-factor security: We want it now!

Millions of Americans were directly affected by the breach at Target – and as cybercriminals increasingly take aim at POS terminals, similar tragedies look likely in future.

But American banks and card companies have been slow to reassure customers with measures such as two-factor security systems.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is economy – for the banks, “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

An ESET video explains what two-factor is, and why it works, here.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

 

The post Week in security: Blackphone unmasked, RATs vs Androids, and browsers kill cars appeared first on We Live Security.

Robin Williams’ last phone call? Sick Facebook video scam exploits celebrity suicide

Be on your guard against yet another Facebook scam, this time exploiting the tragic death of comic actor Robin Williams.

The scam, which you may see shared by your Facebook friends oblivious to the fact that they are helping fraudsters earn money, claims to be a ghoulish video of Robin Williams making his last phone call before committing suicide earlier this week.

Of course, you might be fooled into believing it is genuine. After all, you have seen one of your Facebook friends share it on their wall.

But the truth is that they have been duped into sharing it by a simple social engineering trick, and you would be wise not to fall into the same trap.

The first thing you see is a post made by one of your Facebook friends:

Robin Williams Facebook scam

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE

If you click on the link you are taken to a third-party website, which claims to have a phone video made by the award-winning comedian in the minutes before his death:

Robin Williams Facebook scam

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

EXCLUSIVE VIDEO: ROBIN WILLIAMS SAYS GOODBYE WITH HIS CELL PHONE BEFORE HANGING HIMSELF WITH A BELT AND CUTTING HIMSELF WITH A POCKET KNIFE. HE CAN STILL MAKE EVERYONE LAUGH WITH THIS VIDEO BUT IT WILL MAKE EVERYONE CRY A RIVER AT THE END.

You would have to be pretty ghoulish to proceed any further, but the truth is that the internet has deadened our sensitivities and made many of us all too willing to watch unpleasant things on our computer screens.

However, the truth is also that no such video is known to exist, and if you click to watch it you will be told that you have to share the link on your Facebook wall – encouraging your friends and family to go through the same process that you have – and ordered to complete an online survey before you may watch the footage.

Robin Williams Facebook scam

And that’s the point of the scam.

By tricking thousands of people into taking a survey, in the misbelief that they will watch the final moments of a comedy legend whose life ended tragically, the scammers aim to make affiliate cash.

Because every survey that is taken earns them some cents – and the more people they can drive towards the survey (even if they use the bait of a celebrity death video), the more money will end up in their pockets. In other cases, scammers have used such tricks to install malware or sign users up for expensive premium rate mobile phone services.

The scammers have no qualms about exploiting the death of a famous actor and comedian to earn their cash, and give no thought whatsoever to the distressed family he must have left behind.

Always be extremely wary about what links you click on on social networks, and never Share or Like something before you have seen it for yourself, and decided whether it warrants sharing with your online friends.

Because you might not just be putting yourself at risk, you could also be endangering your friends and family.

The post Robin Williams’ last phone call? Sick Facebook video scam exploits celebrity suicide appeared first on We Live Security.

Russian PM has his Twitter account hacked, announces “I resign”

There may be red faces in Red Square, after Russian prime minister Dmitry Medvedev had his Twitter account hacked.

The Russian-language account @MedvedevRussia, which has more than 2.5 million followers, was compromised on Thursday by hackers who posted messages suggesting Medvedev was immediately resigning, and making criticisms of Russia’s president Vladimir Putin.

The hackers tweeted out a resignation message from the Russian PM

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

I resign. I am ashamed for the actions of the government. I’m sorry

If such an announcement were genuine, of course, it would make headlines and raise eyebrows around the world.

But when the hackers followed up by posting messages on the account proposing the banning of electricity, and that the Russian PM would now pursue a career as a professional freelance photographer, it should have become obvious to everyone that Medvedev was no longer in control of his social media account.

According to media reports, the Twitter account was under the control of hackers for approximately 40 minutes yesterday before control was wrestled back by the PM’s office.

The only silver lining is that whoever hacked the account did not take advantage of the situation to direct some of the Medvedev’s 2.5 million followers to websites which might have contained malware designed to infect their computers.

A hacker calling themselves Shaltay Boltay (“Humpty Dumpty”) has claimed responsibility for the hack. Besides the attack on Medvedev’s Twitter account, Shaltay Boltay has also in the past published internal Kremlin documents and leaked private emails from government officials.

Shaltay Boltay's Twitter account

Shaltay Boltay, who describes him or herself as a member of Anonymous on their Twitter profile, posted a message claiming that they they had also managed to compromise the Gmail account and three iPhones belonging to the Russian prime minister. However, whether that is true or not is open to question.

In all likelihood, a busy chap like Dmitry Medvedev isn’t running his Twitter account on his own. Chances are that he has staff in his office who assist him with his social media presence.

And there lies the problem.

Although Twitter has introduced extra levels of protection like two factor authentication to better protect accounts from being hijacked, it doesn’t have good systems in place that work well when more than one person is accessing and posting from a Twitter account.

It would only have taken Medvedev, or one of his staff, to have been careless with their passwords once, or to have used an easy-to-guess password, or to have used the same password elsewhere on the web, for the hackers to have found the weak point necessary to break in and seize control.

Remember – you should always be careful with your passwords. Choose passwords wisely, make sure that they are hard to crack, hard to guess and that you are not using them anywhere else online.

If you find it hard to remember your passwords (which would be understandable if you are following the advice above) use a password management program which can remember them for you, and store them securely behind one master password that you *will* remember.

And once you’re following a strong password policy, ensure that you are always careful where you are entering your passwords, that you never enter them on a third-party site that could be phishing for your credentials, and be sure not to share passwords with friends or colleagues unsafely.

The post Russian PM has his Twitter account hacked, announces “I resign” appeared first on We Live Security.

‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords

Biometrics such as fingerprints or eye-scans are touted as a replacement for the passwords and PINs we all know and hate – and Intel’s new smartphone earbuds could be the most discreet way of authenticating a user ever.

The earbuds, designed with SMS Audio, harvest heart-rate information using optics inside the ear – monitoring blood pulses and eliminating “noise” according to Business Insider.

The SMS Audio Fitness buds are built for fitness fans, but Intel plans further applications – and is vocal in its opposition to passwords. Other gadgets, such as the Bionym bracelet, already use heart-rate as an identifier: it’s more unique than fingerprints, and the SMS Audio buds could be a step towards a wearable “password” you can almost forget.

“A built-in optical sensor that continuously measures heart rate during intense exercise, states of relaxation and every moment in between – while dynamically removing noise signals caused by body motion and ambient light,” says Intel in a statement.

In the past month, We Live Security reported five major database leaks, usually of passwords.

Passwords: Let there be light?

Gizmodo reports that biometric devices have so far failed to gain widespread acceptance in part because of their bulk – whereas the SMS Audio devices charge themselves using motion, removing the need for extra batteries or chargers.

“In the wearable space, we see a lot of hype. I don’t think the market is ever going to be that big if all we have are just square cellphones taped to your wrist,” says Mike Bell, General Manager of Intel’s New Devices Group.

There are competitors which use the reading – but the Bionym bracelet relies on being charged, unlike Intel’s, which communicates directly with smartphones via the audio jack.

It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym chief executive Martin said. “The modern research into practical systems goes back about 10 years or so. What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and to turn them into a biometric template.”

For you, no charge

ESET Senior Research Fellow David Harley discusses the advantages of biometric systems in a We Live Security blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

Intel said, “The complexity of keeping digital identities safe grows as mobile applications and devices become a more important part of our daily lives. Intel’s intent is to intensify our efforts dedicated to making the digital world more secure, and staying ahead of threats to private information on mobile and wearable devices.”

TechCrunch reports that, “additional application support” will be added. Intel is reaching out to developers to make apps:  “Intel has created an SDK called the Intel IQ Software Kits for any companies that want to use the features that Intel developed while building the circuitry inside the BioSport.”

 

The post ‘Biometric’ earbuds invisibly prove it’s you, with no need for passwords appeared first on We Live Security.

Gamescom 2014: World of Malware?

The gaming industry keeps growing in terms of popularity, and the large population of gamers, and the crowds at Cologne’s Gamescom 2014, represents an opportunity for miscreants to make money. In this blog post, we will explore various attacks specifically tailored to gamers, by starting with trojanized legitimate games, then by exploring some malicious software and targeted attacks against the video games industry. Finally, we will describe some recent exploits found in video games.

Gamescom 2014: Bitcoin Miners

Recent years have seen the introduction of Bitcoin, Dogecoin and other trendy and trending cryptographic currencies. These currencies are created by solving computationally-intensive cryptographic challenges, which require a lot of processing power. As gaming rigs are built with powerful processors and cutting-edge video cards, they can be considered one of the most efficient environments in which to “mine” these digital currencies, with the advantage of being widely spread among the Internet-using population.

In 2013, an employee of the ESEA Counter-Strike league silently introduced a Bitcoin miner into their anti-cheating software, which every member of the league had to install in order to participate. Fortunately the stratagem was uncovered rather quickly, and less than $4,000 worth of bitcoins were ‘earned’ by the malicious employee. More recently, a pirate version of the game ‘WatchDogs’ included a bitcoin mining Trojan which made a profit for the torrent’s author.

Keyloggers and Information Stealers

As the size of the gamer population has increased, some in-game goods have acquired some real monetary value. High-level/high-value characters, in-game currency, legendary items or even hats can be purchased with real money. But when something is worth money, it also means that for some people, it is worth stealing. Consequently, some malicious software focuses on stealing video games credentials. These information stealers are usually distributed under false pretenses, hiding behind so-called “game experience enhancers” or disguised as legitimate tools.

Keyloggers are the most prevalent type of malware in the gaming world, identified as Win32/PSW.OnLineGames by ESET. These programs can be pretty simple but have proven to be very effective at stealing players’ credentials, in order to resell items and characters. So many accounts are compromised that games editors are used to it and have implemented an FAQ and process to handle this situation.

To counter this type of malware, some MMORPG creators, such as Blizzard (who publish World Of Warcraft), have introduced two-factor authentication – and new titles introduced at Gamescom 2014 will do the same. This two-factor authentication takes the form of an electronic device (or a smartphone application) delivering unique six-digit codes that are active and valid only for a limited time before a new code has to be generated.

At the beginning of this year, malicious software named Disker was able to bypass this double-authentication mechanism. Disker appears to be as complex as malicious software that focuses on stealing banking information and it has the ability to steal both the victim’s account credentials and his or her authenticating six-digit passcode.

But as the passcode remains valid only for a short period of time, the attacker has to be behind his keyboard when the information is exfiltrated so as to be able to use it. So Disker implements a way to circumvent this problem: as it leaks the 6-digit passcode to the attacker, it will actually send a wrong passcode to the World Of Warcraft server, preventing the user from logging in. At this point, the victim will almost certainly disable the two-factor authentication in order to enjoy his game. Once this is done, the attacker is no longer restricted to operating within a short period of time.

Targeted Attacks

Players are not the only target in the gaming ecosystem, games companies can also be specifically attacked. For example Kaspersky discovered last year a malware targeting no less than 30 MMORPG game companies. In this case the attack was intended to:

  1. Deploy malware on gamers’ computers by using the MMORPG update server
  2. Manipulate in-game currencies
  3. Steal digital-certificate to create signed-malware, making the malware easier to propagate
  4. Steal the MMORPG source code to deploy it on rogue servers

Exploits

MMORPGs are not the only targeted type of games, other kinds of multiplayer games are also potential targets. Recently, security researchers Luigi Auriemma and Donato Ferrante have been looking for vulnerabilities in games and game engines.

The results are impressive: they found vulnerabilities in the Source Engine, making any game based on this engine vulnerable, such as the famous Counter-Strike Source, Team Fortress 2 and Left 4 Dead. Those vulnerabilities could be used to execute code on a player’s computer without their knowledge and consent, potentially leading to installation of malware without requiring any action from the user other than his usual gaming activity.

Today, no known malware spreads using vulnerabilities in games but the rising value of in-game goods could motivate malicious people enough to use this kind of attack to spread game-targeted malware.

Conclusion

The emergence of such malware shows that the high value of in-game goods is appealing to bad guys – and the titles shown at Gamescom 2014 will be high-value targets.

The complexity of these types of malware, and the implementation by Blizzard of protective measures similar to those used by banks, indicate that we are at the beginning of an arms race between criminals and the gaming world. In this race, everyone has a role to play, editors by securing players’ accounts adequately, and players by educating themselves about the dangers, the existing solutions, and how to behave in order to enjoy safer gaming.

The post Gamescom 2014: World of Malware? appeared first on We Live Security.

Phone scams: card fraud with that steak, Sir?

A new telephone scam has been targeting upscale restaurants in London, with “convincing” scammers calling restaurant staff and tricking them into believing there’s a problem with their payment system – according to a report issued by Financial Fraud Action. The scammers have targeted restaurants in affluent areas such as the West End and Twickenham.

The fraudsters give staff a phone line to call for customers to make payments, the Telegraph reports. Transactions are then funneled through the fraudulent phone line – restaurant owners have been warned to phone banks on a number known to be legitimate to check before changing payment methods. Katy Worobec, Director of Financial Fraud Action UK, said “It’s important that restaurant owners are alert.  Fraudsters can sound very professional – don’t be fooled.”

Phone scam: ‘Classic social engineering’

To customers, Financial Fraud Action said, “If you receive any calls from your bank claiming there’s a problem with payments, make sure you phone them on an established number to confirm the request is genuine. In addition, always wait five minutes to ensure the line is clear, as fraudsters will sometimes try to stay on the phone line and pretend to be your bank.” The tactics used are variations of those in many current phone scams. In the common ‘courier scam’ used to obtain cards and PINs, the caller waits on the phone and pretends to be a new connection after the caller dials.

Phone scams: Old tricks

ESET senior researcher David Harley says, “The ‘staying on the phone line’ gambit is worth mentioning: it’s certainly been used a lot in the context of other scams.” The tactic works simply because few users take measures to ensure the caller is not waiting – and when they dial, they are still connected. All that happens is the fraudster hears a series of beeps. Harley suggests ‘interrupting’ the call by hanging up and dialing another number – or calling on a different phone.

Action Fraud said,”When the restaurant calls the phone number, the fraudster asks to speak with the paying customer and then goes through their security questions. Once sufficient security details have been obtained from the customer, the fraudster will instruct the restaurant to put the transaction through.” The fraudster then subsequently calls the customer’s bank – usually within five minutes – and attempts to transfer funds, the Daily Mail said.

The scam is not new – and several elements are “classic social engineering” says ESET Senior Research Fellow David Harley – but it has spiked in the past six weeks, “Certainly there’s a problem with the concept of answering security questions over the phone unless the bank or other caller has already authenticated themselves to you,” Harley says.

Harley says the key to avoiding such scams is not to place trust in unknown callers. If unsure, hang up, and call back on a known number. “In this case, a restaurant that falls for this has clearly failed to verify the credentials of the ‘bank’ and a customer who goes along with it has put too much trust in the restaurant. The ‘security questions’ must persuade the customer to give quite a lot of information away if they have any hope of persuading the bank to make the fraudulent transaction over the phone. One would hope…”

The post Phone scams: card fraud with that steak, Sir? appeared first on We Live Security.

Will web browsers turn cars lethal?

Two researchers have launched a petition to change how car companies and technology companies work together – with a new villain: in-car web browsers.

“We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers say via Change.org.

A paper presented at Black Hat, shows a danger crossing the line from “proof of concept” to reality. The researchers point out that while hacking a car to give total control is extremely hard, it’s easier to, for instance, attack individual systems, such as commuications or navigation, both of which could be lethal.

Car code is complex, and often bespoke – which means attacks tend towards the level of disabling locks, or affecting electric windows, rather than outright destruction. Even Bluetooth – often hyped as the Achilles’ Heel.

Internet of Things: Car crash ahead?

“Bluetooth has become ubiquitous within the automotive spectrum, giving attackers a reliable entry point to test,” they write. But hacks would be of the level of adding an unauthorized device – not outright control.

When CNN Money devotes a section to the year’s “most hackable cars”, automotive security is clearly a real issue – a prize won by the Cadillac Escalade and 2014 Toyota Prius incidentally.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

Nick Bagot, Motoring Editor of the Mail on Sunday says, “Web browser obviously considerable safety issues – and it’s questionable why they’re needed. The inclusion of browsers in cars may well be to do with the convenience of advertising, and lucrative tie-ups with car brands and particular browsers, than it is for delivering value to the consumer.”

“Google is, primarily, an advertising company. Google products are built to feed into Adwords. Self-driving cars are an incredible technology – but what is it for?”

Safety first?

Car technology ignites passions from many sides. Last year a U.S senator urged auto manufacturers to change – and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Most in-car innovations have a clear point – car cameras are part of the technology revolution, but increase safety. Which Magazine writes “The importance of having these in-car cameras is becoming more obvious each day, with the devices not only providing UK drivers with an independent witness – but also as we see awareness of the product increase, we hope to see the road safety standards improve and fraudulent crashes and claims decline.

The importance of having these in-car cameras is becoming more obvious each day, with the devices not only providing UK drivers with an independent witness- but also as we see awareness of the product increase, we hope to see the road safety standards improve and fraudulent crashes and claims decline.”

Other innovations bring less clear benefits, reports The Register. “The problem is that cars are becoming more heavily computerized and that leads to more networking so the driver and passengers can get access to up-to-date information while on the move: most newish cars have a Bluetooth system hidden inside, a connection to the cellular data network, and so on,” the site said.

On the researchers’ page, I am the Cavalry, they say, Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.

The post Will web browsers turn cars lethal? appeared first on We Live Security.