November 30, 2009

Runescape Player Arrested Over Phishing Hacks

Authorities have arrested a British man and cautioned him for stealing accounts for the online game Runescape, BBC News reported.

It is likely to be the first of several arrests, according to Jagex, creator of Runescape.

Runescape, a popular online game, has more than 100 million active players, and play revolves around collecting and spending virtual cash and loot.

In an ongoing effort to tackle in-game fraud, Jagex said it was working with UK police and the FBI to track down and catch those targeting Runescape.

"A 23-year-old man was arrested in Avon and Somerset on the morning of Tuesday November 24 by officers from the Police Central e-crime Unit, on suspicion of a number of computer misuse offences," said a statement from the Police National e-crime unit.

Sources say the man was likely using phishing e-mails to trick people into handing over login details for Runescape accounts. Hi-tech thieves can then plunder those accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold.

This virtual money can be traded to others in-game or sold for real-world cash; current underground exchange rates suggest that 2m Runescape gold costs about $10.

Mark Gerhard, chief executive of Jagex, told BBC News they have pinned down and identified the handful of ringleaders and they are going after them with both barrels.

"Any online games company will tell you that as soon as the game has value, there's a very small foreign element that tries to exploit that value," he said.

However, the arrest on November 24 was not the result of something that happened the day before, but the result of a long term investigation that had sought out those behind the phishing attack that caught out a "few thousand" Runescape players, Gerhard said.

The U.S. and UK have the biggest audience for Runescape, and Gerhard said Jagex was working with forces in both nations to track down the virtual thieves.

Since Jagex already knew the handful of people behind the crimes and where they were based, Gerhard predicted that there would be more arrests to come.

The company said trade in Runescape game gold is against the terms and conditions of the game, and Jagex has made many changes to its underlying code to stamp out gold farming, in which players repeat activities that generate lots of virtual cash or valuable items.

Efforts to tackle gold-farming may have forced the thieves to try a different approach, according to Gerhard.

"Once you close one vulnerability you move the attack surface to another part," he said.

However, he noted that Jagex's efforts to tackle farming had removed 90 percent of the problem.

"They were going directly after the user credentials and trying to get at the wealth that way," he said.

Gerhard said that since players invest years of time and effort into developing their Runescape character, the theft of a Runescape account shouldn't be treated differently to the theft of any other valuable possessions such as a games console, television or car.

More hi-tech thieves are turning to stealing virtual rather than real goods, said Alisdair Faulkner, a computer security expert at ThreatMetrix.

He said virtual goods were much easier to launder and dispose of than tangible items such as flat screens and computers.

"It was a particular problem in Asia where the sales of virtual game goods were well established."

Some hackers stole credentials from networks of hijacked home computers - known as botnets - or used them as proxies to make the theft look like it was coming from a legitimate source.

Faulkner said the sole purpose of some of these botnets is to act as a gateway to help fraudsters.

