Security

Bob Diachenko, Head of communications, Kromtech Security:

"If you have ever played a free-to-play game you know that most of them require resources of one type or another to play. Whether it be gems, gold, power ups, or other, these resources are required to advance within the game, making them critical to the game play. Manually gathering the free resources is a slow process and one can play a game for months working to move up levels. This is where the game makers make their money. They sell resources through “In-App Purchases” to help people play the game and speed up the game play. The lure of speeding up your play is a strong incentive to spend money on resources, and many spend to play. This has turned free-to-play games into a multi-billion dollar industry."

The resources even maintain value after purchase, because in many cases, once bought, they can be traded, adding to the game play. The game itself can also be transferred from one account to another. Because of this, resources gathered or bought and games built to advanced levels can also be resold. It is the selling of these on third party markets that holds the door open to the illicit activity that we found taking place.

Alexander Kernishniuk, Communications director, Kromtech:

"Money laundering through the Apple AppStore or Google Play isn’t a new idea and has been done before. In 2011 the Danish part of the Apple App Store was flooded with expensive suspicious applications. More than 20 out of 25 of the most downloaded applications were from China. The price of the apps ranged from $50-$100. For example, one of them, “LettersTeach”, was intended for children who are learning English letters, yet it cost nearly $78. This pointed to money laundering then; however, what we encountered now is much more sophisticated."

What did we find?

Following our MongoDB investigations and honeypot deployments from the beginning of this year, we did another round of security audits of unprotected MongoDB instances. In June 2018 we spotted a strange database exposed to the public internet (no password or login required) containing a large number of credit card numbers and personal information.

As we examined the database we rapidly became aware that this was not your ordinary corporate database. It appeared to belong to credit card thieves (commonly known as carders), and it was relatively new, only a few months old. So we dug much deeper.

It appeared to be a group of malicious actors with a complex automated system utilizing free-to-play apps, third party game and resource resale websites, and Facebook to launder money from stolen credit cards.

In one of the tables we found links to Facebook accounts. From those accounts we found links to a Facebook page in Vietnamese advertising a special “tool”, which was also only a few months old.

We have detailed the evidence of this active, automated system in a report sent to the DOJ. According to our estimation, the system processed approximately 20,000 stolen credit cards in just 1.5 months (from the end of April 2018 to mid June 2018).

Here is a simplified view of our findings:

What is the scale?

The credit card thieves we found are currently targeting just three games; two by the game maker Supercell - Clash of Clans and Clash Royale, and one by Kabam - Marvel Contest of Champions.

Below you can see that just with these three games there are over 250 million aggregate users, generating approximately $330 million USD a year in revenue. These three games also have a very active third-party market, using sites like g2g.com to buy and sell resources and games. All of this makes them a good choice to blend in for a little money laundering.

It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.

App | Offered by | Android users | Release | Metacritic score | In-app products (price per item) | Daily revenue ($) | Yearly revenue ($)
Clash of Clans | Supercell | 100 000 000+ | 2012 | 74/100 | $0.99 - $99.99 per item | 684 002 | 250M
Clash Royale | Supercell | 100 000 000+ | 2016 | 86/100 | $0.99 - $99.99 per item | 153 150 | 56M
Marvel Contest of Champions | Kabam | 50 000 000+ | 2014 | 76/100 | $0.99 - $99.99 per item | 64 296 | 23.5M

Why is it possible?

It is easy to automatically create accounts on a large scale.

Apple only requires a valid e-mail address, a password, a date of birth, and three security questions to create an Apple ID. E-mail accounts are also very easy to create with a few providers requiring little in the way of verification. Combined, the carders were able to automate the account creation process, as you’ll see, allowing them to create accounts on a large scale.

Some of the larger email services are making it a little more difficult to create accounts on a large scale by requiring phone verification. While this is not foolproof, because free VoIP burner numbers are readily available, this extra step would make it more difficult to create these accounts in quantity.

Apple does attempt to validate the credit card by charging and then refunding $1. Interestingly, they must not perform much in the way of credit card verification, because we saw that many cards were processed with an incorrect name and address. Perhaps verification is minimal due to the low dollar amount of the charge, but stricter credit card verification would make it a bit more difficult for the carders.

With the account creation process automated, the malicious actors then took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load.
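The account creation abuse described above leaves traces that a service provider can detect at signup time: bursts of registrations from one address, the same password reused across many new accounts (the profiles table later in this report shows one Apple ID password shared across bunches of accounts), and registrations concentrated on a few lax e-mail domains. The following is an added example in Python, not code from the original report or from any Apple or e-mail provider system; the signup log, the IP addresses, the password fingerprints and the thresholds are all constructed assumptions:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed signup log (every value is made up for illustration):
# (timestamp, email, password_fingerprint, source_ip).
# The fingerprint stands in for a keyed hash of the password computed at signup,
# so identical passwords across accounts can be noticed without storing them.
SIGNUPS = [
    ("2018-05-20T10:00:01", "u01@o2.example", "fp-aaaa", "203.0.113.10"),
    ("2018-05-20T10:00:04", "u02@o2.example", "fp-aaaa", "203.0.113.10"),
    ("2018-05-20T10:00:07", "u03@tlen.example", "fp-aaaa", "203.0.113.10"),
    ("2018-05-20T10:00:09", "u04@go2.example", "fp-aaaa", "203.0.113.10"),
    ("2018-05-20T10:00:12", "u05@prokonto.example", "fp-aaaa", "203.0.113.10"),
    ("2018-05-20T10:00:15", "u06@o2.example", "fp-aaaa", "203.0.113.10"),
    ("2018-05-20T11:30:00", "alice@example.test", "fp-1234", "198.51.100.7"),
    ("2018-05-20T14:05:00", "bob@example.test", "fp-9876", "198.51.100.8"),
]

WINDOW = timedelta(minutes=10)   # assumed policy thresholds, tune per service
MAX_PER_IP_WINDOW = 3
MAX_SHARED_PASSWORD = 3


def burst_ips(events, window=WINDOW, limit=MAX_PER_IP_WINDOW):
    """Return {ip: peak count} for IPs that created more than `limit` accounts
    inside any sliding `window` (two-pointer sweep over sorted timestamps)."""
    by_ip = defaultdict(list)
    for ts, _, _, ip in events:
        by_ip[ip].append(datetime.fromisoformat(ts))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def shared_passwords(events, limit=MAX_SHARED_PASSWORD):
    """Password fingerprints that appear on more than `limit` fresh accounts."""
    counts = Counter(fp for _, _, fp, _ in events)
    return {fp: n for fp, n in counts.items() if n > limit}


def domain_share(events):
    """Fraction of signups per e-mail domain, most common first."""
    domains = Counter(email.rsplit("@", 1)[1] for _, email, _, _ in events)
    total = sum(domains.values())
    return {d: round(n / total, 2) for d, n in domains.most_common()}


def assess(events):
    """Combine the three signals into one report for the abuse team."""
    return {
        "burst_ips": burst_ips(events),
        "shared_passwords": shared_passwords(events),
        "domain_share": domain_share(events),
    }


if __name__ == "__main__":
    for key, value in assess(SIGNUPS).items():
        print(key, value)
```

With the constructed log, the six accounts created within fifteen seconds from 203.0.113.10 trip the burst rule, the shared fingerprint trips the password-reuse rule, and the domain share shows the registrations clustering on a handful of providers; a real deployment would feed these signals into step-up verification rather than a hard block, since shared office or carrier addresses produce bursts too.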

The end result is an automated money laundering tool for credit card thieves.

The buying, selling, and other legit and non-legit ways of increasing resources are well known. The companies involved do take a stand against the exploitation of their games and do have policies to ban, but they do not quite go far enough. Supercell, the company behind Clash of Clans and Clash Royale, has the following warning on their site.

https://supercell.com/en/safe-and-fair-play/

UNAUTHORIZED GEM BUYING/SELLING

Certain websites and individuals might offer cheaper gems/diamonds. Don't be fooled - it's a scam. Such services request private login data (such as Apple ID, Google Play credentials, etc) in order to access your game account. These vendors will gain access to your account and oftentimes, hijack the account and try selling it to other players.

IMPORTANT: If you release your private information/credentials to 3rd parties, you're permanently placing your game and financial/online security in a high-risk situation.

Consequences of misconduct: Purchasing gems or diamonds from 3rd party vendors can lead to revoked in-app currency and can even get your account permanently banned.

Unfortunately, this addresses only a small part of the overall problem. They should also target:

Scams on “free” resources generators: there are approximately 176 Google results attempting to lure people with unlimited resources for Clash of Clans. Considering the revenue generated, some of it should be spent towards the monitoring and takedown of such sites.

Accounts for sale: the account ID should simply be banned following suspicious payments. Track the money, perhaps by creating unique gem hashes that can be traced back to the original purchase and revoked after the sale if the purchase was made with a stolen card.

Odd gem transfers between accounts: Large transfers between accounts may be a warning flag that the gems were purchased or otherwise acquired from an outside source.
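The two controls suggested above, trackable gem lots that can be revoked when the originating payment turns out to be fraudulent and a warning flag on unusually large inter-account transfers, can be modelled in a small ledger. The following is an added example in Python and is not code from the original report, from Supercell or from Kabam; the lot identifier scheme, the transfer threshold and the account and payment names are constructed assumptions:

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class GemLot:
    """A batch of gems bought in one purchase; the lot id follows the gems wherever they go."""
    lot_id: str
    payment_id: str
    buyer: str
    amount: int
    revoked: bool = False


class GemLedger:
    """Tracks which purchase every gem came from so that gems bought with a
    later-disputed payment can be revoked from whoever holds them, and flags
    transfers above a policy threshold (assumed value, not a published rule)."""

    TRANSFER_THRESHOLD = 5000  # gems per single transfer

    def __init__(self):
        self.lots = {}                       # lot_id -> GemLot
        self.holdings = defaultdict(dict)    # account -> {lot_id: gems held from that lot}
        self.payment_to_lots = defaultdict(list)
        self.flags = []                      # audit trail for the fraud team

    def purchase(self, buyer, payment_id, amount):
        """Record an in-app purchase as a new lot owned by the buyer."""
        lot_id = hashlib.sha256(f"{buyer}:{payment_id}:{amount}".encode()).hexdigest()[:16]
        self.lots[lot_id] = GemLot(lot_id, payment_id, buyer, amount)
        self.holdings[buyer][lot_id] = amount
        self.payment_to_lots[payment_id].append(lot_id)
        return lot_id

    def transfer(self, src, dst, amount):
        """Move gems between accounts, oldest lots first, keeping their provenance."""
        if amount > self.TRANSFER_THRESHOLD:
            self.flags.append(("large_transfer", src, dst, amount))
        remaining = amount
        for lot_id, held in list(self.holdings[src].items()):
            if remaining == 0:
                break
            take = min(held, remaining)
            left = held - take
            if left:
                self.holdings[src][lot_id] = left
            else:
                del self.holdings[src][lot_id]
            self.holdings[dst][lot_id] = self.holdings[dst].get(lot_id, 0) + take
            remaining -= take
        if remaining:
            raise ValueError(f"{src} does not hold {amount} gems")

    def chargeback(self, payment_id):
        """Payment disputed as a stolen card: revoke its lots wherever they sit now
        and return the (account, lot_id, amount) triples that lost gems."""
        affected = []
        for lot_id in self.payment_to_lots[payment_id]:
            self.lots[lot_id].revoked = True
            for account, held in self.holdings.items():
                if lot_id in held:
                    affected.append((account, lot_id, held.pop(lot_id)))
        self.flags.append(("chargeback", payment_id, affected))
        return affected

    def balance(self, account):
        return sum(self.holdings[account].values())


def demo():
    """Constructed scenario: gems bought with a card that is later reported stolen,
    sold on to another account, then clawed back after the chargeback."""
    ledger = GemLedger()
    ledger.purchase("seller_acct", "pay_001", 14000)
    ledger.transfer("seller_acct", "buyer_acct", 14000)   # exceeds the threshold, gets flagged
    affected = ledger.chargeback("pay_001")
    return ledger, affected


if __name__ == "__main__":
    ledger, affected = demo()
    print("flags:", ledger.flags)
    print("buyer balance after chargeback:", ledger.balance("buyer_acct"))
```

The point of keeping provenance per lot rather than a single balance is that the buyer of laundered gems, not the now-abandoned seller account, is the one holding value when the chargeback arrives; the `large_transfer` flag fires before that, giving the operator a chance to hold the transfer for review.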

We have not seen many actions to ban such activities on a large scale. In fact, on related forums we saw only individual users banned who admitted to buying these gems from unofficial shops.

The ability to rebind your account an unlimited number of times from Apple ID to Supercell ID and back is considered a feature. It is useful for legitimate changing of accounts, but it also lends itself to the sale of accounts for profit outside the game maker’s control.

Apple IDs involved in these transactions are likely to be completely compromised during and after the sale, since most users have a lot of personal information attached to them. This is why, some time afterwards, the user may encounter ransom attempts.

Google Play buying instructions avoid transferring account credentials directly (though we have not analyzed all marketplaces).

We saw instructions for rebinding crafted Google accounts (with payment methods attached) to the user's Supercell ID, for which the user has to provide their credentials.

Detailed MongoDB analysis

users (3 docs)
  Contains: Name, username, hashed password
  Notes: Accounts were created on 2018-04-24

suppliers (9 docs)
  Contains: Full name and Facebook of responsible person
  Notes: Users were added starting from 2018-05-20

profiles (18 docs)
  Contains: Generate address flag, add_card flag, Apple ID password (the same for bunches of accounts), country, city, state, phone (only the first 3 digits are visible), game, wallet, proxy settings, scenarios in use, gem packages to try and buy
  Notes: Profiles are used for automated work with the tool. Profile names: indo, mauritania_421349, mauritania_434061, mauritania_458755, binh_mauritania_421349, binh_mauritania_434061, binh_mauritania_458755, taoid_mauritana_421349, binh_india_463217_24052018, taoid_Kuwait, indo B, Kuwait_483819, indo_tao, kuwait_o2, kuwait_o2_id, saudiarabia, kuwait_479423, kuwait_455880

idstores (11 docs)
  Contains: Name, selected flag

cardstores (10 docs)
  Contains: Name, selected flag
  Notes: Names: indo, Indo_support_ton_19052018, Kho Card Marin (Bin 434061), Kho Card Marin (Bin 458755), card_india_24052018, card_kuwait_26052018, card_saudiarabia_11062018, card_kuwait_479423, card_kuwait_459327, card_kuwait_455880

emails (13436 docs)
  Contains: Email, password, is_used flag, timestamps

cards (150976 docs)
  Contains: is_used, is_support flags, card number, expiration date, ccv, timestamps

appleids (37 645 docs)
  Contains: Is_used, has_card flags, email, password, timestamps, owner, serial, is_support, verify_fail flags

activities (899 docs)
  Contains: Apple ID, action, target, timestamps

logs (97 431 docs)
  Contains: User, action, target, type, timestamps
  Notes: 48128 unique targets in logs

Profiles are configured for work in 5 countries:

India

Indonesia

Kuwait

Mauritania

Saudi Arabia

One of the main questions we had was “Are these cards valid?”

It’s true that many of the cards were used as a payment method with Apple, and that Apple verifies them right after they are added. It’s a common operation where they charge $1 to the card and then refund it to test whether the card is valid.

But we needed more evidence…

It’s unethical, not to mention illegal, to purchase something with found credit card data, so we investigated the data set without third parties. The following is what we found:

150833 unique cards in the database, each with full card number, expiration date, and CCV.

Is_used = True 37606 (This was equal to the number of Apple ID accounts in the database)

Is_used = False 113370

Visa = 149620

Mastercard = 1211

Year 2023: 34873

Year 2022: 34990

Year 2021: 34940


BIN | Bank | Country | Type | Count | Name from suppliers table
421349 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 14000 |
423323 | | Chad | Visa | 87 |
424965 | BANCO PROVINCIA DE TIERRA DEL FUEGO | ARGENTINA | Visa | 1000 |
434026 | HILLS BANK AND TRUST COMPANY | UNITED STATES | Visa | 2 |
434061 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 10000 | Kho Card Marin
434062 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 1274 |
446284 | CHASE MANHATTAN BANK USA, N.A. | UNITED STATES | Visa | 8761 |
455880 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 20000 | card_kuwait_455880
458755 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 29500 | Kho Card Marin
459327 | BANCARD, S.A. | PARAGUAY | Visa | 23000 | card_kuwait_459327
463217 | VIJAYA BANK | INDIA | VISA | 1 |
479423 | GRUPO INTERNACIONAL DE FINANZAS S.A.E.C.A. (GRUPO INTERFISA) | PARAGUAY | VISA | 20000 | card_kuwait
483819 | CHINA MERCHANTS BANK | CHINA | VISA | 12000 |
499831 | BANCO FAMILIAR S.A.E.C.A. | PARAGUAY | VISA | 10000 |
521983 | PT. BANK NEGARA INDONESIA (PERSERO) TBK. | INDONESIA | MASTERCARD | 94 |
528674 | PT. BANK CIMB NIAGA TBK. | INDONESIA | MASTERCARD | 1120 |
529721 | PT. BANK NEGARA INDONESIA (PERSERO) TBK. | INDONESIA | MASTERCARD | 35 |
536788 | PT. BANK CIMB NIAGA TBK. | INDONESIA | MASTERCARD | 101 |

Interesting findings:

Cards used (is_used = True): 37606

add_fail (bool): 4560 cards that are already blocked

add_success (bool): 18 072 cards for which the operation of adding the card to an account was successful

So, it appears that they have so far used 37,606 credit cards and at the time of investigation had 18,072 cards verified by Apple (successfully added to accounts).
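The counts above (cards by brand, by expiry year, by BIN, used versus unused, successfully added) are the kind of profile an analyst builds from a found dump without ever exercising a card. The following is an added example in Python, not code from the original report; the records are constructed, the PANs are the publicly documented payment-gateway test numbers rather than real cards, and the field names mirror the flags named in the findings above:

```python
from collections import Counter

# Constructed sample records (made up for illustration). The first four PANs are
# well-known gateway test numbers; the last one is deliberately mistyped so the
# Luhn check has something to reject, as a dump may contain garbage rows.
RECORDS = [
    {"pan": "4111111111111111", "exp": "2023", "is_used": True,  "add_success": True},
    {"pan": "4012888888881881", "exp": "2022", "is_used": True,  "add_success": False},
    {"pan": "5555555555554444", "exp": "2021", "is_used": False, "add_success": False},
    {"pan": "5105105105105100", "exp": "2023", "is_used": False, "add_success": False},
    {"pan": "4111111111111112", "exp": "2022", "is_used": True,  "add_success": True},
]


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> str:
    """Coarse brand from the leading digits (enough for the Visa/Mastercard split seen above)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    return "other"


def mask(pan: str) -> str:
    """Keep BIN and last four only, which is all a report or ticket should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def summarize(records):
    """Aggregate counts in the same shape as the findings section, never echoing full PANs."""
    return {
        "total": len(records),
        "unique": len({r["pan"] for r in records}),
        "luhn_failed": sum(1 for r in records if not luhn_ok(r["pan"])),
        "by_brand": dict(Counter(brand(r["pan"]) for r in records)),
        "by_year": dict(Counter(r["exp"] for r in records)),
        "by_bin": dict(Counter(r["pan"][:6] for r in records)),
        "is_used": sum(1 for r in records if r["is_used"]),
        "add_success": sum(1 for r in records if r["add_success"]),
    }


def report_lines(records):
    """Per-card lines safe to hand to a bank or law enforcement contact."""
    return [
        f"{mask(r['pan'])} {brand(r['pan']):<10} exp {r['exp']} "
        f"{'used' if r['is_used'] else 'unused'} luhn={'ok' if luhn_ok(r['pan']) else 'FAIL'}"
        for r in records
    ]


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
    print("\n".join(report_lines(RECORDS)))
```

Grouping by BIN is what lets the affected issuers be notified in bulk, as the BIN table above does for the real data set, while the masked report lines keep the full card numbers out of e-mail and ticketing systems.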

Detailed emails investigation

Total count of standalone emails: 13 436

They chose email providers with little to no protection against automated account creation.

Mail domain | Count of mails
go2.pl | 3391
o2.pl | 2745
prokonto.pl | 3391
tlen.pl | 3391
yahoo.com | 518

Detailed accounts investigation

37 645 emails with passwords and creation date

240 mail domains

Digging further

Instructions were found on one of the game automation forums for a way to automatically play and advance Clash of Clans for profit using Raccoonbot.

Supercell states that any kind of automation tools are forbidden and if detected the account gets banned from the system.

Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of Clans. It advertises itself in its forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further increase the profit from the stolen credit cards. It is a direct violation of Supercell policy, it aids in laundering money, and it remains in operation.

iGameSupply is an approved marketplace for selling Raccoonbot-generated gems: https://www.raccoonbot.com/forum/forum/80-approved-marketplace/

Conclusions


The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.

We do not know if this was simply because the tool and Facebook page is new and this is just due to initial users, or if operating through these countries provides some kind of additional benefit to the thieves.

Credit cards we found belong to 19 different banks.

They were probably bought on the carder markets as they were in groups of round numbers, like 10k, 20k, 30k.

Apple appears to employ a lax credit card verification process.

Cards with improper names and addresses were approved.

The large-scale abuse of the creation and verification process of Apple ID is possible because the group uses jailbroken iPhones to distribute the load, along with generated and stolen data.

Service providers need to meet today’s realities and properly secure their account creation process from abuse by automated tools.

Apple and the e-mail providers used did not do enough to protect against this kind of abuse.

Game makers could do a better job of policing their policies along with tracking and pursuing abusers.

Apple could do the same.
