Password-stealing Trojans, malicious code contained inside
apparently harmless programs, are infamous for targeting
financial institutions. But there's another area that they covet --
games -- and you might be shocked to learn just how vulnerable you
are.
About 62% of all password-stealing Trojans target financial
institutions. But a new report from researchers at Santa Clara,
Calif.-based security vendor McAfee Inc.'s Avert Labs revealed that 18% of
known Trojan password stealers target massive multiplayer online
role-playing games, such as World of Warcraft and Second Life.
Why games? There's real money to be had. Players will actually pay
real money for virtual resources other players accrue while playing
such games -- resources such as gold, weapons, cars or real estate.
These goods may be fake, but to gamers who spend hundreds of hours
playing in these virtual worlds, it's worth the money to get a leg
up on the competition.
The problem for businesses is this: A lot of employees are
playing these games on company-issued computers. If criminals can
hack into the game, eventually they could hack your business,
too.
With a lot of these games, players' computers act as servers.
The user will invite other players onto their computer to play the
games.
"Businesses could be at risk," said David Marcus, security and
research communications manager at Avert Labs. "Let's say employee
X sets up their own World of Warcraft server and lets people come
in and play. That allows people on other machines to come into the
business. It allows people outside the business to log on behind
the firewall. It allows people to potentially get access behind the
firewall."
Marcus said such employees are definitely exposing corporate
networks to threats. Malicious users seeking game passwords could
just as easily probe and scan a corporate network. It just requires
some imagination. And cybercriminals have plenty of that.
Ron O'Brien, senior security analyst at Burlington, Mass.-based
security vendor Sophos PLC, said CIOs know this is becoming a
problem.
"We did a poll on our Web site and got about 500 responses,"
O'Brien said. "When it came to computer games, 90% of respondents
wanted to be able to block games and 62% said it was
essential."
O'Brien said IT managers know games pose a bandwidth problem,
but the security issue is also a growing concern.
"If I were a participant in some of these games and I post my
availability, I'm saying 'I'm online playing this game and I can
have up to 15 other people play with me,' which means I'm hosting
this game on my server. So anyone looking to steal credentials
could tie up my server because I made a public announcement that I
am available to host games."
Those foreign users are stealing computer power -- and they're
seeing things they shouldn't see.
"What it does in some instances is lower your resistance to
external threats because you may be, in effect, opening up your
firewall," O'Brien said.
Richard Stiennon, chief marketing officer at Sunnyvale,
Calif.-based Fortinet Inc., added, "You're taking a local machine
that is hidden behind a firewall and making a bunch of people aware
that it's even there."
Stiennon added that these games have virtual chat rooms where
critical business information could be leaked, and those chat rooms
are also a venue where game players can be tricked into clicking on
malicious Web links.
Natalie Lambert, an analyst at Cambridge, Mass.-based Forrester
Research Inc., said the chat functions alone in these games are an
auditor's nightmare.
"There is always that fear that some kind of confidential data
will get leaked out on these machines that are meant for corporate
use," Lambert said. "One of an organization's biggest challenges
now is making sure everything is logged for audits, and this can
make things much more difficult -- when you are having chats with
outsiders and trying to have some sort of audit trail going."
Sophos recently added about 30 games to its application control
software, a product bundled with its security software that blocks
unwanted programs. O'Brien said Sophos is blocking some games
simply as a productivity issue, such as the games that come
standard on Microsoft Windows. But the online games carry the added
security threat. He said Sophos will continue to add games to its
blacklist over time.
Stiennon said CIOs should look at other ways of closing off
online games, such as preventing employees from reaching other
players.
"Trying to do it through a blacklist is not necessarily the best
way," Stiennon said. "You can do it at the network level."
Shamus McGillicuddy, News Writer