It is reported that the basic free game application was used for washing the funds of the stolen credit card

There are " free-to-play (basic free)" game apps that you can play on smartphones. A German security company · Kromtech has reported that he found evidence that money washing of the stolen credit card was done using this basic free game application.

Digital Laundry: how credit card thieves use free-to-play apps to launder their ill-gotten gains
https://kromtech.com/blog/security-center/digital-laundry

In the basic free game, the acquisition of the application software of the game itself is free and the game play is free. However, in most cases the acquisition of the complete version of the game and the contents of the game is charged. In particular, a game of style " Pay-to-win " that allows you to advance the game more advantageously by purchasing paid content can get items that are more powerful and attractive as you spend money, Although it is a basic free game, it brings income incomes to publishers.

Depending on the game, it is also possible to give gifts collected or purchased items to others, so the value of the item after purchase does not go down. On the contrary, some of the items available in the root box (Gacha) are more valuable than the amount you input, which is a major problem overseas . Although it is a breach of contract to buy and sell the account of the game itself, it is the present situation that transfer and sale are done at an unofficial resale site and auction site.

Meanwhile, Kromtech was conducting security audits of unprotected MongoDB instances, and found an unidentified database that was released online. Since a lot of credit card numbers and personal information were recorded in it, it was carefully examined that this list was not leaked from any company, but a relatively new one created by credit card thief It turned out that it was.

Furthermore, by investigating this list, we found a complex automated system using a basic free game application, account, content resale website and a Facebook page to clean funds obtained from a stolen credit card . According to Kromtech 's estimate, this system was processing about 20 thousand theft credit cards in about one and a half months from the end of April 2018 to the middle of June 2018.

Kromtech found that the credit card theft group used only three titles - fundamental free " crash of clan ", " crash · royal " and " MARVEL All Star Battle " for money laundering. With only 3 titles, the number of users exceeds 250 million people, and annual income reaches about 330 million dollars (about 37 billion yen). In addition, these three titles were an active place for reselling games accounts and data, making it a perfect place to wash funds.

In the first place, in order to create an account with the smartphone game application, Apple ID is required for iOS, and Google Play gamer ID is required for Android. However, each ID can be created with simple personal information and conditions. Also, Apple initially bills 1 dollar and then refunds again, checking whether the registered credit card is usable, but the number that the theft was not discovered goes through the examination as it is So if you use a jailbroken Apple device you can also handle a lot of game accounts and credit card numbers. Kromtech argues that the automatic creation of accounts was possible because the security measures of Apple IDs and email providers were not enough.

by MIKI Yoshihito

On the other hand, is the publisher of the "Clash of Clans", "crash Royale" Supercell is "sales of games in the resource", "buying and selling and sharing of game account" and are prohibited aroused we are again the. However, Kromtech says "Since reselling sites will come out as soon as they are searched by Google, you should benefit from monitoring and removing a series of violation sites, and simply exclude suspicious account IDs Also, we need to be alert if there are a lot of intra-game resources moving, "he says that the consciousness of the publisher who operates is too sweet.