Credit card thieves are using mobile games such as Clash of Clans to launder money by buying and selling the in-game currency.
In June, researchers at Kromtech Security found an unsecured MongoDB database online which they soon realised was being operated by money launderers. The database was found to contain thousands of credit card details.
"As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old," they wrote.
There is a high demand for in-game currency in most popular online games. Although the games are mostly free, players can spend thousands to try and boost their progress or status. Because the in-game currency must be bought with cash, this provides an opportunity for carders to hide their activities.
The Kromtech researchers found the credit card thieves were targeting three games: Clash of Clans and Clash Royale by Supercell and Marvel Contest of Champions by Kabam. The card thieves created fake Apple ID accounts with stolen credit cards and then used these accounts to buy the virtual goodies before selling them to to other gamers or online marketplaces.
In a market with over 250 million players it was easy for them to find a buyer for discounted currency.
"These three games, there are over 250 million aggregate users, generating approximately $330 million USD a year in revenue. These three games also have a very active third party market, utilising sites like g2g.com to buy and sell resources and games. All of which makes these a good choice to blend in for a little money laundering," the researchers wrote.
Supercell, the developer of Clash of Clans and Clash Royale, says that players who buy the currency cheaply from thieves risk not only getting their Supercell accounts banned but their Google Play or Apple accounts are at risk from the criminals. Ultimately people could start losing trust in the fairness of the games if players can buy advantage on the cheap.
If it weren't for the money launderers carelessly leaving their database open to the public, the scamming strategy may not have been discovered.
The money laundering fiddle was also enabled by the weak credentials required to open an Apple ID or Google account.
Microsoft seizes control of phishing sites linked with Russian state hackers
Fitness trackers over-estimate the number of steps their users take, analysis of 67 research reports suggests
Everything we think we know about the imminent Apple iPhone 9, iPhone 11 and iPhone 11 Plus launches
All the latest rumours about Apple iPhone Displays, CPUs, launch dates and even prices
Nvidia brings Turing microarchitecture into the high-end gaming segment