German-based security company Kromtech recently published a report detailing a scheme that involves scammers using stolen credit card information to purchase in-app currency from mobile games like Clash of Clans, Marvel Contest of Champions, and Clan Royale and selling it on the grey market for cash.
The scheme was discovered during the evaluation of an audit from MongoDB, which is an open source SQL database platform. The findings raised eyebrows due to the fact that the database was only a few months old, contained information from 37,606 credit cards and was left unprotected.
The Kromtech team found links to a Facebook group that suggested scammers organized an automated system that processes the stolen credit card information, attaches it to new Apple accounts and proceeds to make in-game purchases from the free-to-play mobile games before transferring the currencies to the grey market.
Bob Diachenko, who stands as Kromtech’s head of communications, disclosed in an exchange with Motherboard that leaving a database unsecured and connected to a public Facebook group is a rather unsophisticated mistake by the criminals, who were discovered through their own negligence.
The system was automated, which produced thousands of Apple accounts. According to Diachenko, the scammers utilized jailbroken iPhones to generate Apple accounts with predefined user data.
The scammers appear to have attempted to exploit Android phones as well but weren’t able to automate the sign-up process easily given Google’s restrictions on account credential transfers. Such an attack could be avoided by Apple if the company were to better verify credit card information.
By automating the process, credit cards could be changed at rapid rates until a valid one was discovered. The purchasing of games and in-game resources could also be put on sale automatically, as a digital wallet was used for order processing. The automated money laundering tool was widely used in conjunction with grey market website g2g.com.
While the transactions made are usually fairly small, Kromtech has been able to identify that nearly 20,000 stolen credit cards were used in the scheme, with thousands being posted each day.
This isn’t the first time in-game currencies have been exploited, as those who have avidly played EVE Online or World of Warcraft may attest. While a full investigation is still ongoing, it seems unlikely that flagrant attempts at scamming will cease given the current extent of digital integration.