According to researchers at cybersecurity firm Kromtech Security the hugely popular game Clash of Clans is being used to launder hundreds of thousands of dollars on behalf of credit card thieves.
The researchers discovered the scam after analysing an unsecured database called MongoDB. This database was freely accessible to the public without the need for a password and contained thousands of credit card details.
Further analysis found that this was a database where the owners had been careless with its customers’ data as opposed to a database set up by the criminals, which are known in the industry as Carders.
As we all know when playing smartphone games, the demand for in-game currency is huge. And we equally know that some players are not content to advance their games naturally. Rather they will seek to circumvent the process trying to find unofficial shortcuts. This leads to them open to exploitation by hackers.
These particular hackers created a sophisticated automated mechanism for creating fake Apple ID accounts with the stolen credit card details it obtained from MongoDB and then buying virtual ‘gold’ and ‘gems’ as well as other in-game power-ups.
These were then sold to unsuspecting gamers on third-party markets such as G2G. This way the criminals were bringing in money in exchange for the virtual game currency and power-ups, without any obvious direct link to the stolen data. In effect laundering stolen money through mobile games.
The hackers targeted smartphone games such as Clash of Clans, Clash Royale and Marvel Contest of Champions. Between them these three games had over 250 million aggregate users, generating $330 million every year.
Supercell, the developer of Clash of Clans and Clash Royale has warned players not to be conned into buying cheap virtual items through third-party sites. They warned that not only could your account be banned but you are handing over your Apple ID and Google Play account details over to criminals.
Kromtech pointed an accusing finger at the likes of Apple and Google. They argued that more steps should be taken to better verify credit card details, names and addresses particularly, they said when Apple ID accounts are created. Service providers should also offer better security with their account creation processes.