Schneier on Security

65535 • August 3, 2018 8:39 AM

@ Bruce S.

Good going. This is a spohiosticate scheme that even Krebs has not laid out. It appears to be a variaon of cellphone porting, Game jacking, card-out or cash-out and a bit of wiziardy that is still not clear to me because the Bob Diachenko, of Kromtech Security so called tool from Vietnam. The rest of the diagrams, graphs, charts, IP list is super well done. This is one information packed report.

This is an example and probably should not be described in fine grain detail as the DOJ has yet to act:

“…we found links to a Facebook page in Vietnamese advertising a special “tool” , which was also only a few months old…The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.” –kromtech

See about10% down post and at conclusion:

https://kromtech.com/blog/security-center/digital-laundry

[Warning long post so read what you wish]

Other than that and how exactly “MaxTooliOS” and “Racoonbot” works without detection the report very well document. I did find a YT video:

“Clash of clans Raccoon Bot”

https://www.youtube.com/watch?v=yEfvKThpmFM

But, that video is old and probably not that good at adding “automating the game and selling the gems” to scam the now somewhat hardeded game. That is if I found the correct Racoonbot but I am not sure.

@ John notes,

“Recently the youtube community related to Clash of Clans have been very vocal about this – mainly by showing game accounts with a negative amount of gems (the in-game currency) and explaining again and again that these were users who got their gems “revoked” after buying them from a shady third party (“only buy directly from the app store people!”). I guess this is part of SuperCell trying to get a handle on the thing and using end-user awareness to decrease the amount of money flowing through the system..”- John

https://www.schneier.com/blog/archives/2018/08/using_in-game_p.html#c6779330

I agree with the statement:

“Apple appears to employ a lax credit card verification process. Apple does attempt to validate the credit card by charging and then refunding $1, interestingly, they must not perform much in the way of credit card verification because we saw that many were processed with an incorrect name and address.” – Kromtech

That is not very good credit card verification. I liked the fine grain instructions on how to scam Apple ID at the Apple app store [First Red box]:

“Accoriding to scammers instructions users must: Turn off MFA, Don’t play During operation, Remove all payment menthods, Temporary change your password” -Kromtech

Next red box
“Automated tool binds the provided Apple ID to Supercell ID with purchases from stolen Credit Cards, Users can’t play during operation”- Kromtech

Next red box
“User gets his account with in-app currencies”

I will say Android is no better.

There are a lot of holes in the VIOP sector and greater in t he general SS7 or “phone” system. It is no wonder why SWATTing takes place and mass email accounts created. I am sure more experts on this board can explain the VIOP burner numbers better than I. The problem with SS7 is all of the big players are in it for bandwidth and money. I don’t see that changing anytime soon. The same goes for email and VOIP accounts.

Next to mongodb problem which still seems not so secure.

“…We placed the [Honey pot -ed] server live on March 1, 2018… mmediately upon placing it on the Internet we noticed the regular flurry of automated port scans from many different parts of the globe. However, the first real connection to the database was made on March 2, 2018 and from a security research search engine from the Shadowserver Foundation [Dormant or unupdated sight? -ed]… there were plenty of port scans, but there were no other direct connections to the database for ten days… next direct connection came from the security research search engine Shodan. Shodan indexed it on March 11th, 2018, 13:52:31.782349 UTC and retrieved data about the database and it’s collections. Three hours and twenty-four minutes following Shodan indexing, the database was first compromised by an IP address we traced to China. The entire compromise only took 13 seconds to complete. The Chinese machine repeatedly connected from 5:16:35.924 – 5:16:48.894 PM UTC while carrying out it’s attack.”-Kromtech

https://kromtech.com/blog/security-center/how-long-does-it-take-for-a-mongodb-to-be-compromised

So much MongoDB security. Kromtech notes Victor Gever with Project 366 apparently showed there was a ransom demad make for .2 bitcoins. You go to the above link and see the nasty details. I would agree 13 seconds is short and probably an scripted or otherwise automated attack.

I glanced quickly at the Kromtech’s IP list and they are transit or paid type which mybe traceable –who knows.

162.213.250. 237 was found in our database! This IP was reported 2 times. Confidence of Abuse is 0%: ISP Namecheap Inc Usage Type, Data Center/Web Hosting/Transit, Domain Name namecheap .com, Country United States

https://www.abuseipdb. com/check/162.213.250. 237

196.52.43. 116 was found in our database! This IP was reported 485 times. Confidence of Abuse is 95%, ISP Net Systems Research LLC, Usage Type, Data Center/Web Hosting/Transit, Domain Name logicweb.com, Country Australia, City Melbourne, Victoria

https://www.abuseipdb. com/check/196.52.43. 116

216.218.206. 68 was found in our database! This IP was reported 737 times. Confidence of Abuse is 75%, ISP Hurricane Electric LLC Usage Type, Data Center/Web Hosting/Transit, Hostname(s) 68.64-26.206.218. 216.in-addr.arpa, scan-07.shadowserver.org, Domain Name he.net, Country United States, City Fremont, California

https://www.abuseipdb. com/check/216.218.206.68

IP 46.182.28.173 maybe a torGuard.

“I’m nearing the end of the 6 month subscription now, and I won’t be renewing the service. I primarily use the Australian servers (TorGuard provides two – one in Sydney and one in Melbourne) for low ping and minimal speed penalty with using a VPN. The service has been fine and speeds are pretty good, but there’s one annoying problem: TorGuard forces OpenDNS on the Australian servers. By ‘force’, I mean they redirect all UDP port 53 traffic to OpenDNS, which makes it impossible for one to use their own DNS server. Support does not provide any workaround (I suggested forcing to Google’s DNS instead but they wouldn’t do it) and claims that this is due to Australia implementing internet filtering (which, at the time of writing, is not true). Ironically OpenDNS does perform its own filtering (e.g. kat.cr is intercepted). In my opinion, this forced redirect shouldn’t be necessary – DHCP can suggest DNS servers, and/or these servers could be configured by their VPN software, enabling more advanced users to override the choice of DNS server if necessary.”- zingaburga

http://zingaburga.com/2015/06/torguard-experience/

46.182.28. x73 was found in our database! This IP was reported 7 times. Confidence of Abuse is 0%: ISP OOO Network of Data-Centers Selectel, Usage Type Data Center/Web Hosting/Transit, Domain Name ,selectel.ru, Country Russian Federation, City Saint Petersburg, Sankt-Peterburg

https://www.abuseipdb. com/check/46.182.28.173

I need better sites to do IP location finding and I don’t have a lot of time for chasing IPs around.

If any IP expert can take a look at Kromtecks IP list and get a better description it would be good.

@ Hermann

Good read but the study provides not data nor estimation about the ROI of this scheme”

https://www.schneier.com/blog/archives/2018/08/using_in-game_p.html#c6779326

That is an interesting question. I would guess it depends on the scale of the operation or derivations. As Kromteck notes:

“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.”-Kromtech

Kromtech graph of the Games seems to show the top three dollar winners were, Denmark, Poland, and the UK. The fifth from the bottom in terms of dollars was the USA at 100K. That is not all that much in grand scheme of thing – but scaled up could be much higher.

See:
https://static-cdn.kromtech.net/kt-blog-upload/Official_prices.png

To the take a phrase from Thoth or other posters follow the money. I saw a stinky lot of Chinese, Japanese, HK or Chinese PRC co, game makers and sellers [including Apple store] and major investments banks taking in large amounts of money at various points including IPOs. I cannot make a diagram or map of the players. Here are a few the standout –Very Speculative Financial Ties which may or maynot help:

[Company name taken out the Kromtech post and Wikipedia]

“Supercell

“Supercell Oy is a Finnish mobile game development company based in Helsinki. Founded in May 2010, the company’s debut game was the browser game Gunshine.net, and after its release in 2011, Supercell started developing games for mobile devices. Since then, the company has fully released four mobile games: Hay Day, Clash of Clans, Boom Beach, and Clash Royale, which are freemium games and have been very successful… Accel Partners and Index Ventures invested $12 million in the Series A of Supercell in 2011,[4] Atomico led the Series B investment[5], and in October 2013 it was announced that the Japanese company GungHo Online Entertainment and its parent SoftBank had acquired 51% of the company for a reported $1.51 billion… Before founding Supercell, two of the founders Mikko Kodisoja and Ilkka Paananen worked at the mobile game company Sumea… Together, Paananen, Kodisoja, Petri Styrman, Lassi Leppinen, Visa Forstén, and Niko Derome who had known each other through work connections, founded Supercell in 2010. The company started its business in a cramped office in the Niittykumpu district of Espoo … After Gunshine’s completion, Accel Partners also invested 8 million euros in the company in May 2011, and shareholder Kevin Comolli became a member of Supercell’s board of directors. Accel has also invested in Rovio, among others… November 2011, Supercell abandoned Gunshine for three reasons: it did not interest players for long enough, it was too difficult to play, and the mobile version did not work as well as the browser version. At best, the game had approximately half a million players. Supercell noticed the company could not catch up to the current leader of Facebook games, the Zynga company, and decided to focus on iPad games. Another Facebook game on development was left unfinished as well. The change of direction did not drive away the investors, but the pressure to succeed became worse, and Paananen had to make more detailed reports of progress for the investors… In May 2012, Hay Day was published and eventually became Supercell’s first internationally released game… Hay Day was Supercell’s version of Zynga’s successful Facebook game FarmVille, an easy-to-play farm simulator. Supercell added to their farming simulator the ability to refine products, a production chain, and touch screen properties. The social aspect of the game was emphasised… In four months, the game became one of the most profitable games in Apple’s App Store in the US, and was one of the most profitable in the world for two and a half years…”-Wikipedia

https://en.wikipedia.org/wiki/Supercell_(video_game_company)

And Supercell time line according to their site:

“…We have some very ambitious ideas about how games can be marketed to the global populations of more than a billion gamers on mobile today. We want to find exciting new ways to tell everyone on the planet about our games… A company that not only has hit games in western markets but also in the big eastern markets like Japan, Korea and China. To this end, we’ve opened offices in Tokyo and Seoul, and we’ve been pleasantly surprised at how warmly our games have been received there.”-Supercell

http://supercell.com/en/our-story/

“Softbank

“In 2000, SoftBank made its most successful investment ever – $20 million to a then fledgling Chinese Internet venture Alibaba…In October 2005, Alibaba Group took over the operation of China Yahoo! as part of its strategic partnership with Yahoo! Inc. This investment turned into $60 billion when Alibaba [inprotant and fast growing Chinese tech company-ed]went public in September 2014… On 15 October 2012, SoftBank announced plans to take control of American Sprint Nextel by purchasing a 70% stake for $20 billion.[19] On 6 July 2013, the United States Federal Communications Commission approved SoftBank’s acquisition of the Sprint Corporation for $22.2 billion for a 78% ownership interest in Sprint. The acquisition involved payment of $17.2 billion in cash to Sprint shareholders, with the balance $5 billion as capital contribution. The transaction was financed by way of cash and a bridge loan from a consortium of banks.[20] On 6 August 2013, SoftBank bought 2% more shares of Sprint Corporation, increasing its ownership stake in the company to 80%. SoftBank store in Sendai, with decorations for the Tanabata …October 2013, SoftBank acquired 51% stake in Supercell for a reported $2.1 billion. Later on 25 October 2014, they invested $210 million in OlaCabs,[21] $627 million in Snapdeal with 30% stake in the company on 28 October 2014, and a $100 million investment in Housing.com with 30% stake in the company in November 2014…On 16 February 2016, SoftBank announced they would repurchase a record 14.2% of shares, valued at $4.4bn, in order to boost investor confidence.[27] On 31 March 2016, they announced they would sell shares worth $7.9 billion of their stake in Alibaba Group. On 21 June 2016, SoftBank sold its 84% stake in Supercell for reported US$7.3 billion to Tencent.[28] On 3 June 2016, Softbank agreed to sell most of its stake in GungHo Online Entertainment (approximately 23.47%) for about $685 million, which would thus end Softbank’s majority ownership of the company, resulting in Gungho no longer being an associate of Softbank… On 6 December 2016, after meeting with US President-elect Donald Trump, chief executive Masayoshi Son announced SoftBank will be investing US$50 billion in the United States toward businesses creating 50,000 new US jobs… SoftBank Group Corp.. Sofutobanku Gurūpu Kabushiki-gaisha)[4] is a Japanese multinational holding conglomerate headquartered in Tokyo, Japan. The company wholly owns Softbank Corp., Softbank Vision Fund ..Arm Holdings, Fortress Investment Group, Boston Dynamics, and also owns stakes in Sprint (ca.85%), Alibaba (28.2%), Yahoo Japan (42%), Bright Star (87.1%), Uber (15%), Didi Chuxing (ca.20%), Ola (ca.30%), Grab, Renren (42.9%), InMobi (45%), Hike (25.8%), Snapdeal (ca.30%), Brain, Fanatics (ca.22%), Flipkart (ca.20%), Guardant Health, Improbable Worlds (ca.50%), Mapbox, Nauto, Nvidia (ca.5%), One97 Communications (ca.20%), Oravel Stays (42%), OSIsoft, PingAn Heath Cloud (7.41%), Plenty United, Roviant Sciences, Slack Technologies (ca.5%), Vir Biotechnology, WeWork (ca.22%), Zhongan Online P&C Insurance (5%), Compass (ca.22%), Auto1 (ca.20%), Wag (45%), Katerra (ca.28%), Packet. It runs the world’s largest technology fund, Vision Fund…”-Wikipedia

https://en.wikipedia.org/wiki/SoftBank

Google Softbank connection

“Nikesh Arora (born 9 February 1968) is an Indian businessman who served as a former Google executive.[1] He later served as the president for SoftBank Group, joining the company in October 2014… As President & Chief Operating Officer of SoftBank Corp.[5][6] Arora received over $200 million in compensation over the last two years” while at the head of Softbank’s operations.[7] This pay package made him world’s highest paid executive… Arora has served on the board of directors at Aviva, Airtel, Colgate-Palmolive, Richemont (Current) Sprint, Softbank, The Harlem Children Zone, Tipping Point (Current) and Yahoo Japan (Chairman). While at Softbank – due to their investing in Ola, Grabtaxi, Didi, Snapdeal, Oyo, Coupang, Guardant, Supercell etc – he and his team had board positions and observer rights…”-Wikipedia

https://en.wikipedia.org/wiki/Nikesh_Arora

Odd Chinese connection to Softbank via Alibaba, Yahoo Japan possibly ex-Google chief Aroa who may have rubbed elbows with g2g com and maybe to Snapchat. These private eastern companies are hard sort out. Any of you financial types care to guess?

“Snapdeal was started on 4 February 2010 as a daily deals platform, but expanded in September 2011 to become an online marketplace… In August 2015, Alibaba Group, Foxconn and SoftBank invested USD $500 million as fresh capital [Arora was boss in Google, which was in Softbank which tangentially in Alibaba – but not for sure -ed]… August 2016, rumors surfaced through a VCCircle exclusive article that Snapdeal was considering possibilities[39] of mergers with its bigger rivals Flipkart and Amazon. The speculations about a possible merger became more concrete in April 2017 when a number of media houses reported that Softbank, one of the major investors in Snapdeal, wanted the company to merge with Flipkar [which never Materialize –ed]”-Wikpedia

Odd lot g2g com which seems to be in the Kromteck report on cashing out gamming currecy:
Quora poster ask the trustworthyness of g2g com:

“Is g2g.com trustworthy enough to give it my game center account?”

“1 Answer

“Yes. Gaming Virtual Goods Marketplace & Trading Platform is a very well known and trustable platform for buying / selling gaming related virtual goods. Anyway, you do not need to give G2G your Game Centre account when you are creating your sales listing, or before your listing is sold. What you need to do is, wait for a buyer, when there is a buyer places order on your sales listing, you will receive email notification from G2G email notification system, then only you pass the game account info to the buyer via the G2G system (inside the order page). Be noted that, when you receive email notification, that means the buyer has already paid to G2G, and G2G is holding the payment until you send the game account info to the buyer. Once you have sent the game account info to the buyer and once the buyer confirms receive it, then G2G will release the payment to you.”

https://www.quora.com/Is-g2g-com-trustworthy-enough-to-give-it-my-game-center-account

This answer just leads to g2g com site and trading in gamming currency

https://www.g2g.com/
or
https://www.g2a.com/en/category/gift-cards-gaming

Hong Kong companies information. Note Hong Kong is part of the People Republic of China.

G2G (HK) Limited was incorporated on 2018-02-01 as a Private company limited by shares registered in Hong Kong. It’s company registration number is: 2651048. The company is Live now.
Company Name:
G2G (HK) Limited
Company Name (Traditional Chinese): 智易致有限公司
CR No.
2651048
Date of Incorporation:
2018-02-01
Company Type:
Private company limited by shares
Company Status:
Live

Remarks:

Register of Charges:
Unavailable
Name History:
2018-02-01
G2G (HK) Limited

https://www.hkcompanydirectory.com/en/g2g-hk-limited-

If anybody has a bit more information on this g2g com site and who financed it please speak up.

Excuse all of the mistakes. I had to bang this out.