Trojans target online gamers and put businesses at risk

Chances are you've got employees playing online games at work. But they're not just wasting time -- they're also putting your systems at risk.

Password-stealing Trojans, malicious code contained inside apparently harmless programming, are infamous for targeting financial institutions. But there's another area that they covet -- games -- and you might be shocked to learn just how vulnerable you are.

About 62% of all password-stealing Trojans target financial institutions. But a new report from researchers at Santa Clara, Calif.-based security vendor McAfee Inc.'s Avert Labs revealed that 18% of known Trojan password stealers target massive multiplayer online role-playing games, such as World of Warcraft and Second Life.

More on business apps
CIOs fighting uphill battle against renegade apps

IM too critical a business app to ban

Why games? There's real money to be had. Players will actually pay real money for virtual resources other players accrue while playing such games -- resources such as gold, weapons, cars or real estate. These goods may be fake, but to gamers who spend hundreds of hours playing in these virtual worlds, it's worth the money to get a leg up on the competition.

The problem for businesses is this: A lot of employees are playing these games on company-issued computers. If criminals can hack into the game, eventually they could hack your business, too.

With a lot of these games, players' computers act as servers. The user will invite other players onto their computer to play the games.

"Businesses could be at risk," said David Marcus, security and research communications manager at Avert Labs. "Let's say employee X sets up their own World of Warcraft server and lets people come in and play. That allows people on other machines to come into the business. It allows people outside the business to log on behind the firewall. It allows people to potentially get access behind the firewall."

Marcus said such employees are definitely exposing corporate networks to threats. Malicious users seeking game passwords could just as easily probe and scan a corporate network. It just requires some imagination. And cybercriminals have plenty of that.

Ron O'Brien, senior security analyst at Burlington, Mass.-based security vendor Sophos PLC, said CIOs know this is becoming a problem.

"We did a poll on our Web site and got about 500 responses," O'Brien said. "When it came to computer games, 90% of respondents wanted to be able to block games and 62% said it was essential."

O'Brien said IT managers know games pose a bandwidth problem, but the security issue is also a growing concern.

"If I were a participant in some of these games and I post my availability, I'm saying 'I'm online playing this game and I can have up to 15 other people play with me,' which means I'm hosting this game on my server. So anyone looking to steal credentials could tie up my server because I made a public announcement that I am available to host games."

Those foreign users are stealing computer power -- and they're seeing things they shouldn't see.

"What it does in some instances is lower your resistance to external threats because you may be, in effect, opening up your firewall," O'Brien said.

Richard Stiennon, chief marketing officer at Sunnyvale, Calif.-based Fortinet Inc., added, "You're taking a local machine that is hidden behind a firewall and making a bunch of people aware that it's even there."

Stiennon added that these games have virtual chat rooms where critical business information could be leaked, and those chat rooms are also a venue where game players can be tricked into clicking on malicious Web links.

Natalie Lambert, an analyst at Cambridge, Mass.-based Forrester Research Inc., said the chat functions alone in these games are an auditor's nightmare.

"There is always that fear that some kind of confidential data will get leaked out on these machines that are meant for corporate use," Lambert said. "One of an organization's biggest challenges now is making sure everything is logged for audits, and this can make things much more difficult -- when you are having chats with outsiders and trying to have some sort of audit trail going."

Sophos recently added about 30 games to its application control software, a product bundled with its security software that blocks unwanted programs. O'Brien said Sophos is blocking some games simply as a productivity issue, such as the games that come standard on Microsoft Windows. But the online games carry the added security threat. He said Sophos will continue to add games to it blacklist over time.

Stiennon said CIOs should look at other ways of closing off online games, such as preventing employees from reaching other players.

"Trying to do it through a blacklist is not necessarily the best way," Steinnon said. "You can do it at the network level."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer

Read more on IT risk management