Using In-Game Purchases to Launder Money

Evidence that stolen credit cards are being used to purchase items in games like Clash of Clans, which are then resold for cash.

Posted on August 2, 2018 at 6:14 AM • 12 Comments

Comments

HermannAugust 2, 2018 6:46 AM

Good read but the study provides not data nor estimation about the ROI of this scheme

JohnAugust 2, 2018 9:07 AM

Recently the youtube community related to Clash of Clans have been very vocal about this - mainly by showing game accounts with a negative amount of gems (the in-game currency) and explaining again and again that these were users who got their gems "revoked" after buying them from a shady third party ("only buy directly from the app store people!"). I guess this is part of SuperCell trying to get a handle on the thing and using end-user awareness to decrease the amount of money flowing through the system.. which means that it's big enough on their radar...

wumpusAugust 2, 2018 9:30 AM

Presumably by "cash" they mean "bitcoins". Wiring money would be fairly traceable (presumably much more than bitcoins, which presumably require a relatively significant effort to trace) and I somehow doubt they are working with envelopes full of cash.

Granted, "Clash of Clans" might well be large enough to include shady characters hanging outside of an internet cafe, but I suspect that those targeted for buying the loot don't bother with internet cafes. Not to mention using a "shady character" in person really makes things easy to trace.

One thing this might show is just how difficult/easy it is to track bitcoins [pedantic note: tracking bitcoins is trivial, determining which wallet belongs to a physical person/corporation/gang is the real point].

kaneAugust 2, 2018 4:21 PM

Presumably by "cash" they mean "bitcoins".

And by "stolen credit cards" they mean the use of illicitly-obtained credit card numbers without authorization. If you're stealing cards it's hard to scale to 20,000 of them.

CholtaireAugust 2, 2018 9:41 PM

"If you're stealing cards it's hard to scale to 20,000 of them."

There are a lot of marks..

meAugust 3, 2018 4:21 AM

i have heard that the same is done using spotify:
-they make bad music
-they listen automatically many times or buy it
-they get clean money from royalties

don't rember if brian kerbs talked about this or was other website...

Clive RobinsonAugust 3, 2018 5:54 AM

@ me,

i have heard that the same is done using spotify:

It was also being done with "self written books" oh and the old one is buying and selling trash through the likes of E-Bay for vastly inflated prices as "collectables".

As with moving most crime on to the Internet that is the easy bit, the hard bit is "cashing out" without leaving an audit trail that will bring both the buyer and seller to the attention of the authorities or more correctly "The numerati of big data".

A lesson for all would be criminals, if you first and formost know how to safely launder the money then don't do the crime, otherwise the chances are you will do the time if you clear some "financial bar" or "number of crimes bar" in any one jurisdiction.

The simple fact is LEO's have two things that constrain them,

1, Resources.
2, Priorities.

The resources are what alows people to get away with multiple small crimes. That is the supposed monetary loss is to small to justify the high cost of investigation[1]. Further the LEOs just like any other organisation has priorities that are related to keeping their jobs, getting pay rises, and bonuses. In their case their priorities are set by,

1, Civil Authorities.
2, Public Opinion.

Which in turn tend to be set by,

3, The Media.
4, Politicians.

Currently "Driving Down Crime" or "Being Tough on Crime" is what most politicians are feeding the public. Internet crime is seen by most politicians as "non-crime" or "victimless-crime" because it does not tend to turn up on the front pages of the Red Top and similar popular media. Where as currently various types of street crime are, which is why street crime is getting the political attention in the wrong way with over reaching (and illegal in the UK) bans on "the tools of the trade" such as knives and now acid[2] none of which actually stops street crime, the criminals carry on but with different "tools".

But don't tell a politician that as it's in their job spec to demonize common sense. The only thing they want to see is "A drop in recorded crime figures" and they have all sorts of ways to do that, including not recording such things as Internet Crime in the first place. Their "No record no crime" is a very shoddy way to treat the voting public, but then that's politicians through and through "lip service on one face", "burying truth" with the other face, whilst both hands grub around for more power and money. But then lack of honesty, abusing people and criminality have always been the easy ways to climb the greasy pole of political ambition, it's why "proffessional politicians" loath and detest "independent candidates" with a passion like no other, because there is nothing worse than an honest man with honest intentions turning up in a den of thieves, pimps and cut purses...

[1] In part this is what the "Going Dark" argument is about. If the LEOs scare the legislators and purse string holders with "9/11" type atrocities are going to come raining down on their heads, they will get an increase in not just resources but legislation that considerably lowers the cost of investigation. Which is why we are seeing 4th Amendment rules being bypassed in the US and Warrant rules being replaced with police "inspectors letters" and the like. Whilst the likes of the Association of Chief Police Officers (ACPO) pretend that the Internet is "new crime" they actually know it's "old crime" just being done slightly differently. What they don't want either the public or the polititions knowing / realising is that with small modifications to the way they work the Police are just as capable of solving Internet crime as they are Street crime and burglary. In fact one politician nearly "let the cat out of the bag" by saying that whilst conventional crime figures in certain areas were dropping, Internet crime was rising. When examined the total crime figures have gone up, it's just that criminals are moving across to the Internet where currently they are less likely to get caught currently...

[2] Knives are tools that everybody uses in their homes not least to prepare and eat food. Tradesmen of all varieties have knives that they use to carry out their trade, and could not do their job without them. The UK signed up to an international treaty to join the European Union, one of the most important parts is the "free movment of trade", which is not just the manufactured goods or people who carry out their trade/proffession but most importantly "The tools of their trade" as well. Corrosive fluids such as alkalies and acids are likewise tools we use in our homes for amongst other things cleaning. Currently you can go into a plumbing related shop and buy concentrated acids and alkalies in bottles for cleaning blocked sinks toilets and drains and removing lime scale. You can likewise get acid for your car battery which in most cases is still "lead acid". Acids are likewise used in many other trades and hobbies to do with the etching of glass and metals. Restricting access to such "tools" does not stop street crime, they will just migrate from one tool to the next, it's why acid is being used, because knife carrying is now much harder. Ban acid and the criminals will only move on to something else.

65535August 3, 2018 8:39 AM

@ Bruce S.

Good going. This is a spohiosticate scheme that even Krebs has not laid out. It appears to be a variaon of cellphone porting, Game jacking, card-out or cash-out and a bit of wiziardy that is still not clear to me because the Bob Diachenko, of Kromtech Security so called tool from Vietnam. The rest of the diagrams, graphs, charts, IP list is super well done. This is one information packed report.

This is an example and probably should not be described in fine grain detail as the DOJ has yet to act:

“…we found links to a Facebook page in Vietnamese advertising a special “tool” , which was also only a few months old…The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.” –kromtech

See about10% down post and at conclusion:

https://kromtech.com/blog/security-center/digital-laundry

[Warning long post so read what you wish]

Other than that and how exactly “MaxTooliOS” and “Racoonbot” works without detection the report very well document. I did find a YT video:

"Clash of clans Raccoon Bot"

https://www.youtube.com/watch?v=yEfvKThpmFM

But, that video is old and probably not that good at adding “automating the game and selling the gems” to scam the now somewhat hardeded game. That is if I found the correct Racoonbot but I am not sure.

@ John notes,

“Recently the youtube community related to Clash of Clans have been very vocal about this - mainly by showing game accounts with a negative amount of gems (the in-game currency) and explaining again and again that these were users who got their gems "revoked" after buying them from a shady third party ("only buy directly from the app store people!"). I guess this is part of SuperCell trying to get a handle on the thing and using end-user awareness to decrease the amount of money flowing through the system..”- John

https://www.schneier.com/blog/archives/2018/08/using_in-game_p.html#c6779330

I agree with the statement:

“Apple appears to employ a lax credit card verification process. Apple does attempt to validate the credit card by charging and then refunding $1, interestingly, they must not perform much in the way of credit card verification because we saw that many were processed with an incorrect name and address.” - Kromtech

That is not very good credit card verification. I liked the fine grain instructions on how to scam Apple ID at the Apple app store [First Red box]:

“Accoriding to scammers instructions users must: Turn off MFA, Don’t play During operation, Remove all payment menthods, Temporary change your password” -Kromtech

Next red box
“Automated tool binds the provided Apple ID to Supercell ID with purchases from stolen Credit Cards, Users can’t play during operation”- Kromtech

Next red box
“User gets his account with in-app currencies”

I will say Android is no better.

There are a lot of holes in the VIOP sector and greater in t he general SS7 or “phone” system. It is no wonder why SWATTing takes place and mass email accounts created. I am sure more experts on this board can explain the VIOP burner numbers better than I. The problem with SS7 is all of the big players are in it for bandwidth and money. I don’t see that changing anytime soon. The same goes for email and VOIP accounts.

Next to mongodb problem which still seems not so secure.

“…We placed the [Honey pot -ed] server live on March 1, 2018… mmediately upon placing it on the Internet we noticed the regular flurry of automated port scans from many different parts of the globe. However, the first real connection to the database was made on March 2, 2018 and from a security research search engine from the Shadowserver Foundation [Dormant or unupdated sight? -ed]… there were plenty of port scans, but there were no other direct connections to the database for ten days… next direct connection came from the security research search engine Shodan. Shodan indexed it on March 11th, 2018, 13:52:31.782349 UTC and retrieved data about the database and it's collections. Three hours and twenty-four minutes following Shodan indexing, the database was first compromised by an IP address we traced to China. The entire compromise only took 13 seconds to complete. The Chinese machine repeatedly connected from 5:16:35.924 - 5:16:48.894 PM UTC while carrying out it's attack.”-Kromtech

https://kromtech.com/blog/security-center/how-long-does-it-take-for-a-mongodb-to-be-compromised

So much MongoDB security. Kromtech notes Victor Gever with Project 366 apparently showed there was a ransom demad make for .2 bitcoins. You go to the above link and see the nasty details. I would agree 13 seconds is short and probably an scripted or otherwise automated attack.

I glanced quickly at the Kromtech’s IP list and they are transit or paid type which mybe traceable –who knows.

162.213.250. 237 was found in our database! This IP was reported 2 times. Confidence of Abuse is 0%: ISP Namecheap Inc Usage Type, Data Center/Web Hosting/Transit, Domain Name namecheap .com, Country United States

https://www.abuseipdb. com/check/162.213.250. 237

196.52.43. 116 was found in our database! This IP was reported 485 times. Confidence of Abuse is 95%, ISP Net Systems Research LLC, Usage Type, Data Center/Web Hosting/Transit, Domain Name logicweb.com, Country Australia, City Melbourne, Victoria

https://www.abuseipdb. com/check/196.52.43. 116

216.218.206. 68 was found in our database! This IP was reported 737 times. Confidence of Abuse is 75%, ISP Hurricane Electric LLC Usage Type, Data Center/Web Hosting/Transit, Hostname(s) 68.64-26.206.218. 216.in-addr.arpa, scan-07.shadowserver.org, Domain Name he.net, Country United States, City Fremont, California

https://www.abuseipdb. com/check/216.218.206.68

IP 46.182.28.173 maybe a torGuard.

"I’m nearing the end of the 6 month subscription now, and I won’t be renewing the service. I primarily use the Australian servers (TorGuard provides two – one in Sydney and one in Melbourne) for low ping and minimal speed penalty with using a VPN. The service has been fine and speeds are pretty good, but there’s one annoying problem: TorGuard forces OpenDNS on the Australian servers. By ‘force’, I mean they redirect all UDP port 53 traffic to OpenDNS, which makes it impossible for one to use their own DNS server. Support does not provide any workaround (I suggested forcing to Google’s DNS instead but they wouldn’t do it) and claims that this is due to Australia implementing internet filtering (which, at the time of writing, is not true). Ironically OpenDNS does perform its own filtering (e.g. kat.cr is intercepted). In my opinion, this forced redirect shouldn’t be necessary – DHCP can suggest DNS servers, and/or these servers could be configured by their VPN software, enabling more advanced users to override the choice of DNS server if necessary."- zingaburga

http://zingaburga.com/2015/06/torguard-experience/

46.182.28. x73 was found in our database! This IP was reported 7 times. Confidence of Abuse is 0%: ISP OOO Network of Data-Centers Selectel, Usage Type Data Center/Web Hosting/Transit, Domain Name ,selectel.ru, Country Russian Federation, City Saint Petersburg, Sankt-Peterburg

https://www.abuseipdb. com/check/46.182.28.173

I need better sites to do IP location finding and I don’t have a lot of time for chasing IPs around.

If any IP expert can take a look at Kromtecks IP list and get a better description it would be good.

@ Hermann

Good read but the study provides not data nor estimation about the ROI of this scheme”

https://www.schneier.com/blog/archives/2018/08/using_in-game_p.html#c6779326

That is an interesting question. I would guess it depends on the scale of the operation or derivations. As Kromteck notes:

“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.”-Kromtech

Kromtech graph of the Games seems to show the top three dollar winners were, Denmark, Poland, and the UK. The fifth from the bottom in terms of dollars was the USA at 100K. That is not all that much in grand scheme of thing – but scaled up could be much higher.

See:
https://static-cdn.kromtech.net/kt-blog-upload/Official_prices.png

To the take a phrase from Thoth or other posters follow the money. I saw a stinky lot of Chinese, Japanese, HK or Chinese PRC co, game makers and sellers [including Apple store] and major investments banks taking in large amounts of money at various points including IPOs. I cannot make a diagram or map of the players. Here are a few the standout –Very Speculative Financial Ties which may or maynot help:

[Company name taken out the Kromtech post and Wikipedia]

“Supercell

“Supercell Oy is a Finnish mobile game development company based in Helsinki. Founded in May 2010, the company's debut game was the browser game Gunshine.net, and after its release in 2011, Supercell started developing games for mobile devices. Since then, the company has fully released four mobile games: Hay Day, Clash of Clans, Boom Beach, and Clash Royale, which are freemium games and have been very successful… Accel Partners and Index Ventures invested $12 million in the Series A of Supercell in 2011,[4] Atomico led the Series B investment[5], and in October 2013 it was announced that the Japanese company GungHo Online Entertainment and its parent SoftBank had acquired 51% of the company for a reported $1.51 billion… Before founding Supercell, two of the founders Mikko Kodisoja and Ilkka Paananen worked at the mobile game company Sumea… Together, Paananen, Kodisoja, Petri Styrman, Lassi Leppinen, Visa Forstén, and Niko Derome who had known each other through work connections, founded Supercell in 2010. The company started its business in a cramped office in the Niittykumpu district of Espoo … After Gunshine's completion, Accel Partners also invested 8 million euros in the company in May 2011, and shareholder Kevin Comolli became a member of Supercell's board of directors. Accel has also invested in Rovio, among others… November 2011, Supercell abandoned Gunshine for three reasons: it did not interest players for long enough, it was too difficult to play, and the mobile version did not work as well as the browser version. At best, the game had approximately half a million players. Supercell noticed the company could not catch up to the current leader of Facebook games, the Zynga company, and decided to focus on iPad games. Another Facebook game on development was left unfinished as well. The change of direction did not drive away the investors, but the pressure to succeed became worse, and Paananen had to make more detailed reports of progress for the investors… In May 2012, Hay Day was published and eventually became Supercell's first internationally released game… Hay Day was Supercell's version of Zynga's successful Facebook game FarmVille, an easy-to-play farm simulator. Supercell added to their farming simulator the ability to refine products, a production chain, and touch screen properties. The social aspect of the game was emphasised… In four months, the game became one of the most profitable games in Apple's App Store in the US, and was one of the most profitable in the world for two and a half years…”-Wikipedia

https://en.wikipedia.org/wiki/Supercell_(video_game_company)

And Supercell time line according to their site:

“…We have some very ambitious ideas about how games can be marketed to the global populations of more than a billion gamers on mobile today. We want to find exciting new ways to tell everyone on the planet about our games… A company that not only has hit games in western markets but also in the big eastern markets like Japan, Korea and China. To this end, we’ve opened offices in Tokyo and Seoul, and we’ve been pleasantly surprised at how warmly our games have been received there.”-Supercell

http://supercell.com/en/our-story/


“Softbank

“In 2000, SoftBank made its most successful investment ever – $20 million to a then fledgling Chinese Internet venture Alibaba…In October 2005, Alibaba Group took over the operation of China Yahoo! as part of its strategic partnership with Yahoo! Inc. This investment turned into $60 billion when Alibaba [inprotant and fast growing Chinese tech company-ed]went public in September 2014… On 15 October 2012, SoftBank announced plans to take control of American Sprint Nextel by purchasing a 70% stake for $20 billion.[19] On 6 July 2013, the United States Federal Communications Commission approved SoftBank’s acquisition of the Sprint Corporation for $22.2 billion for a 78% ownership interest in Sprint. The acquisition involved payment of $17.2 billion in cash to Sprint shareholders, with the balance $5 billion as capital contribution. The transaction was financed by way of cash and a bridge loan from a consortium of banks.[20] On 6 August 2013, SoftBank bought 2% more shares of Sprint Corporation, increasing its ownership stake in the company to 80%. SoftBank store in Sendai, with decorations for the Tanabata …October 2013, SoftBank acquired 51% stake in Supercell for a reported $2.1 billion. Later on 25 October 2014, they invested $210 million in OlaCabs,[21] $627 million in Snapdeal with 30% stake in the company on 28 October 2014, and a $100 million investment in Housing.com with 30% stake in the company in November 2014…On 16 February 2016, SoftBank announced they would repurchase a record 14.2% of shares, valued at $4.4bn, in order to boost investor confidence.[27] On 31 March 2016, they announced they would sell shares worth $7.9 billion of their stake in Alibaba Group. On 21 June 2016, SoftBank sold its 84% stake in Supercell for reported US$7.3 billion to Tencent.[28] On 3 June 2016, Softbank agreed to sell most of its stake in GungHo Online Entertainment (approximately 23.47%) for about $685 million, which would thus end Softbank's majority ownership of the company, resulting in Gungho no longer being an associate of Softbank… On 6 December 2016, after meeting with US President-elect Donald Trump, chief executive Masayoshi Son announced SoftBank will be investing US$50 billion in the United States toward businesses creating 50,000 new US jobs… SoftBank Group Corp.. Sofutobanku Gurūpu Kabushiki-gaisha)[4] is a Japanese multinational holding conglomerate headquartered in Tokyo, Japan. The company wholly owns Softbank Corp., Softbank Vision Fund ..Arm Holdings, Fortress Investment Group, Boston Dynamics, and also owns stakes in Sprint (ca.85%), Alibaba (28.2%), Yahoo Japan (42%), Bright Star (87.1%), Uber (15%), Didi Chuxing (ca.20%), Ola (ca.30%), Grab, Renren (42.9%), InMobi (45%), Hike (25.8%), Snapdeal (ca.30%), Brain, Fanatics (ca.22%), Flipkart (ca.20%), Guardant Health, Improbable Worlds (ca.50%), Mapbox, Nauto, Nvidia (ca.5%), One97 Communications (ca.20%), Oravel Stays (42%), OSIsoft, PingAn Heath Cloud (7.41%), Plenty United, Roviant Sciences, Slack Technologies (ca.5%), Vir Biotechnology, WeWork (ca.22%), Zhongan Online P&C Insurance (5%), Compass (ca.22%), Auto1 (ca.20%), Wag (45%), Katerra (ca.28%), Packet. It runs the world's largest technology fund, Vision Fund…”-Wikipedia

https://en.wikipedia.org/wiki/SoftBank

Google Softbank connection

“Nikesh Arora (born 9 February 1968) is an Indian businessman who served as a former Google executive.[1] He later served as the president for SoftBank Group, joining the company in October 2014… As President & Chief Operating Officer of SoftBank Corp.[5][6] Arora received over $200 million in compensation over the last two years" while at the head of Softbank's operations.[7] This pay package made him world's highest paid executive… Arora has served on the board of directors at Aviva, Airtel, Colgate-Palmolive, Richemont (Current) Sprint, Softbank, The Harlem Children Zone, Tipping Point (Current) and Yahoo Japan (Chairman). While at Softbank - due to their investing in Ola, Grabtaxi, Didi, Snapdeal, Oyo, Coupang, Guardant, Supercell etc - he and his team had board positions and observer rights…”-Wikipedia

https://en.wikipedia.org/wiki/Nikesh_Arora

Odd Chinese connection to Softbank via Alibaba, Yahoo Japan possibly ex-Google chief Aroa who may have rubbed elbows with g2g com and maybe to Snapchat. These private eastern companies are hard sort out. Any of you financial types care to guess?

“Snapdeal was started on 4 February 2010 as a daily deals platform, but expanded in September 2011 to become an online marketplace… In August 2015, Alibaba Group, Foxconn and SoftBank invested USD $500 million as fresh capital [Arora was boss in Google, which was in Softbank which tangentially in Alibaba – but not for sure -ed]… August 2016, rumors surfaced through a VCCircle exclusive article that Snapdeal was considering possibilities[39] of mergers with its bigger rivals Flipkart and Amazon. The speculations about a possible merger became more concrete in April 2017 when a number of media houses reported that Softbank, one of the major investors in Snapdeal, wanted the company to merge with Flipkar [which never Materialize –ed]”-Wikpedia

Odd lot g2g com which seems to be in the Kromteck report on cashing out gamming currecy:
Quora poster ask the trustworthyness of g2g com:

"Is g2g.com trustworthy enough to give it my game center account?"

"1 Answer

"Yes. Gaming Virtual Goods Marketplace & Trading Platform is a very well known and trustable platform for buying / selling gaming related virtual goods. Anyway, you do not need to give G2G your Game Centre account when you are creating your sales listing, or before your listing is sold. What you need to do is, wait for a buyer, when there is a buyer places order on your sales listing, you will receive email notification from G2G email notification system, then only you pass the game account info to the buyer via the G2G system (inside the order page). Be noted that, when you receive email notification, that means the buyer has already paid to G2G, and G2G is holding the payment until you send the game account info to the buyer. Once you have sent the game account info to the buyer and once the buyer confirms receive it, then G2G will release the payment to you."

https://www.quora.com/Is-g2g-com-trustworthy-enough-to-give-it-my-game-center-account

This answer just leads to g2g com site and trading in gamming currency

https://www.g2g.com/
or
https://www.g2a.com/en/category/gift-cards-gaming

Hong Kong companies information. Note Hong Kong is part of the People Republic of China.

G2G (HK) Limited was incorporated on 2018-02-01 as a Private company limited by shares registered in Hong Kong. It's company registration number is: 2651048. The company is Live now.
Company Name:
G2G (HK) Limited
Company Name (Traditional Chinese): 智易致有限公司
CR No.
2651048
Date of Incorporation:
2018-02-01
Company Type:
Private company limited by shares
Company Status:
Live
Remarks:
-
Register of Charges:
Unavailable
Name History:
2018-02-01
G2G (HK) Limited

https://www.hkcompanydirectory.com/en/g2g-hk-limited-

If anybody has a bit more information on this g2g com site and who financed it please speak up.

Excuse all of the mistakes. I had to bang this out.


65535August 3, 2018 8:42 AM

@ moderator

My comment seems to be blocked. It could be a dup or other specific probem. Please give me a hit of why it was blocked. Thank you.

ModeratorAugust 3, 2018 9:18 AM

@65535, comment published; it was probably blocked by filters intended for purveyors of stolen credit cards.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.