According to a new report from Kromtech, free-to-play games with in-app-purchases are being used to launder money en masse. To explain, this means that criminals are stealing money, such as by swiping credit cards, then making purchases in the games with the stolen funds on mule accounts made quickly, and in some cases autonomously. These accounts, loaded down with cash purchases, are then sold quickly, cheaply and anonymously online. This allows the criminals to destroy the link between the cash in their pocket and the crime that put it there, making it that much harder for authorities to properly investigate the crimes.
Not long ago, a large database was discovered, hiding behind no sort of encryption or credentials whatsoever. This database contained information on thousands of credit cards, and was thought to belong to credit card thieves. They could have gotten the information by taking the physical card, social engineering, skimmers or other means. In any case, this data was apparently used in conjunction with special tools that could automate the creation of Facebook and game accounts en masse. The process of making the in-app purchases was seemingly automated by the hackers in some cases as well, and even listing and selling game resources and accounts was automated on third-party markets. In-game resources can also be transferred between accounts.
There’s no real way to tell how much laundering individual games were seeing, but it was easy to tell that Supercell’s mega-hit Clash of Clans was one of the most popular to use. This is likely in part because of how easy Supercell makes it to rebind a Supercell account to a new Apple or Google account, a useful feature for people moving between accounts or devices that can be used to illegitimately assign accounts with stolen in-app purchases to users who buy the resources on third-party reseller markets. Cards found in the database came from 19 different banks, and some of them were listed with improper names or addresses. The scammers’ systems seemed to be charging cards at random to find good ones. In essence, these findings mean that it’s vital to keep your credit card information secure, because it can be turned into cash for scammers and potentially leave you on the hook, and it can happen very quickly.
