Thieves use free-to-play games to turn stolen credit-card numbers into cash

Markets for video-game assets, sanctioned and unsanctioned, are a major target for credit-card scammers, who use bots to open fake Apple accounts using stolen cards, which are then used to buy up in-game assets that are flipped for clean, untraceable cash to players.

The whole market was documented by the security firm Kromtech, who say that an insecure database used by scammers and left visible on the internet gave them insight into the process.

The beauty of the system is its automation: everything from the creation of the Apple accounts to the game logins to the item purchases and resales is automated, meaning that the scammers just have to press Go and start cashing out.

According to the report, Google's anti-fraud systems were more robust than Apple's, and the scammers gave up on using Android accounts.

As with the SIM Swapping scam, there's an element of security economics here: the games companies design anti-cheating mechanisms that assume that the major advantage of cheating is superior gameplay, not extracting real cash from credit-card companies. So they build a system that assumes that players will only go so far and no farther to cheat — but then along comes a way to turn cheats into significant cash, and all the assumptions about how much security needs to be in place turn out to be invalid.

"With the account creation process automated, the malicious actors then took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load," Kromtech's report said. "The end result: an automated money laundering tool for credit card thieves."

It used the grey market site—a website that allows users to buy and sell digital currencies for games such as World of Warcraft and Clash of Clans—to move its ill-gotten in-game currency. Sock puppet accounts posting on g2g selling Clash of Clan accounts (which developer Supercell allows to be transferred between users) bundled with in-game currency cost between $30 to $90, the report said. Those transactions are small, but can add up quickly when run on an automated system posting thousands of them every day. Of the more than 30,000 credit cards, Kromtech was able to verify that just under 20,000 of them were used in the scheme.

Scammers Are Using 'Clash of Clans' to Launder Money From Stolen Credit Cards [Matthew Gault/Motherboard]

Digital Laundry: how credit card thieves use free-to-play apps to launder their ill-gotten gains [Kromtech]