Digital Laundry: How Credit Card Thieves Use Free-to-Play Apps to Launder their Ill-Gotten Gains
Bob Diachenko, Head of communications, Kromtech Security:
"If you have ever played a free-to-play game you know that most of them require resources of one type or another to play. Whether it be gems, gold, power ups, or other, these resources are required to advance within the game, making them critical to the game play. Manually gathering the free resources is a slow process and one can play a game for months working to move up levels.
This is where the game makers make their money. They sell resources through “In-App Purchases” to help people play the game and speed up the game play. The lure of speeding up your play is a strong incentive to spend money on resources, and many spend to play. This has turned free-to-play games into a multi-billion dollar industry."
The resources even retain value after purchase because, in many cases, once bought they can be traded, which adds to the game play. The game itself can also be transferred from one account to another. Because of this, resources gathered or bought, and games built up to advanced levels, can also be resold. It is the selling of these on third-party markets that holds the door open to the illicit activity we found taking place.
Alexander Kernishniuk, Communications director, Kromtech:
"Money laundering through the Apple AppStore or Google Play isn’t a new idea and has been done before. In 2011 the Danish part of the Apple App Store was flooded with expensive, suspicious applications. More than 20 of the 25 most downloaded applications were from China. The price of the apps ranged from $50 to $100. For example, one of them, “LettersTeach”, was intended for children who are learning English letters, yet it cost nearly $78. This pointed to money laundering then; however, what we encountered now is much more sophisticated."
What did we find?
Following our MongoDB investigations and honeypot deployments from the beginning of this year, we did another round of security audits of unprotected MongoDB instances. In June 2018 we spotted a strange database exposed to the public internet (no password or login required) containing a large number of credit card numbers and personal information.
As we examined the database we rapidly became aware that this was not an ordinary corporate database: it appeared to belong to credit card thieves (commonly known as carders), and it was relatively new, only a few months old. So we dug much deeper.
It appeared to belong to a group of malicious actors running a complex automated system that used free-to-play apps, third-party game and resource resale websites, and Facebook to launder money from stolen credit cards.
In one of the tables we found links to Facebook accounts. From those accounts we found links to a Facebook page in Vietnamese advertising a special “tool”, which was also only a few months old.
We have detailed the evidence of this active, automated system in a report sent to the DOJ. According to our estimate, the system processed approximately 20,000 stolen credit cards in just 1.5 months (from the end of April 2018 to mid-June 2018).
Here is a simplified view of our findings:
What is the scale?
Below you can see that just these three games have over 250 million aggregate users and generate approximately $330 million USD a year in revenue. These three games also have a very active third-party market, using sites like g2g.com to buy and sell resources and games. All of this makes them a good choice for blending in a little money laundering.
It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.
| App | Offered by | Android users | Release | Metacritic score | In-app products, price per item | Daily revenue ($) | Yearly revenue ($) |
|---|---|---|---|---|---|---|---|
| Clash of Clans | Supercell | 100,000,000+ | 2012 | 74/100 | $0.99 - $99.99 | 684,002 | 250M |
| Clash Royale | Supercell | 100,000,000+ | 2016 | 86/100 | $0.99 - $99.99 | 153,150 | 56M |
| Marvel Contest of Champions | Kabam | 50,000,000+ | 2014 | 76/100 | $0.99 - $99.99 | 64,296 | 23.5M |
Why is it possible?
It is easy to automatically create accounts on a large scale.
Apple only requires a valid e-mail address, a password, a date of birth, and three security questions to create an Apple ID. E-mail accounts are also very easy to create with a few providers requiring little in the way of verification. Combined, the carders were able to automate the account creation process, as you’ll see, allowing them to create accounts on a large scale.
- Some of the larger email services are making it a little more difficult to create accounts at scale by requiring phone verification. While this is not foolproof, given the availability of free VoIP burner numbers, this extra step would make it harder to create these accounts in quantity.
- Apple does attempt to validate the credit card by charging and then refunding $1. Interestingly, they must not perform much in the way of credit card verification, because we saw that many cards were processed with an incorrect name and address. Perhaps verification is minimal because of the low dollar amount of the charge, but stricter credit card verification would make it a bit more difficult for the carders.
With account creation automated, the malicious actors took the process further: automatically cycling through cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load.
The end result: an automated money laundering tool for credit card thieves.
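As an added example (not code from Kromtech or from the report), here is the kind of check an account-creation service could run against the pattern described above: many signups in a short window from one client address, one password reused across a batch of accounts (the dump's profiles stored a single Apple ID password for bunches of accounts), and a cardholder name that does not match the account holder. The signup records, field names, addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Signup(NamedTuple):
    account: str
    email: str
    pw_hash: str        # hash of the chosen password; the plaintext is never stored
    client_ip: str
    created_at: datetime
    account_name: str
    card_name: str      # name on the card added at signup, "" if no card was added


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for names."""
    return " ".join(name.lower().split())


def flag_signups(signups: List[Signup],
                 ip_limit: int = 3,
                 window: timedelta = timedelta(minutes=10),
                 shared_pw_limit: int = 3) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for signups that look automated."""
    reasons: Dict[str, List[str]] = defaultdict(list)

    # Rule 1: signup velocity per client address. A signup is flagged once more
    # than ip_limit signups from the same address fall inside the trailing window.
    by_ip: Dict[str, List[Signup]] = defaultdict(list)
    for s in signups:
        by_ip[s.client_ip].append(s)
    for group in by_ip.values():
        group.sort(key=lambda s: s.created_at)
        for i, s in enumerate(group):
            recent = [g for g in group[: i + 1] if s.created_at - g.created_at <= window]
            if len(recent) > ip_limit:
                reasons[s.account].append("ip_velocity")

    # Rule 2: one password shared by a whole batch of accounts.
    by_pw: Dict[str, List[str]] = defaultdict(list)
    for s in signups:
        by_pw[s.pw_hash].append(s.account)
    for accounts in by_pw.values():
        if len(accounts) >= shared_pw_limit:
            for a in accounts:
                reasons[a].append("shared_password")

    # Rule 3: the card added at signup is not in the account holder's name.
    for s in signups:
        if s.card_name and normalize(s.card_name) != normalize(s.account_name):
            reasons[s.account].append("card_name_mismatch")

    return dict(reasons)


# Constructed sample: five signups ten seconds apart from one address, all using the
# same password and the same unrelated cardholder name, plus two organic signups.
BASE = datetime(2018, 5, 20, 10, 0, 0)
SAMPLE = [
    Signup(f"acct{i}", f"user{i}@mail.example", "h-shared", "203.0.113.7",
           BASE + timedelta(seconds=10 * i), "John Smith", "MARIA LOPEZ")
    for i in range(5)
] + [
    Signup("acct5", "alice@example.net", "h-a1", "198.51.100.20",
           BASE + timedelta(hours=1), "Alice Liddell", "alice liddell"),
    Signup("acct6", "bob@example.org", "h-b2", "198.51.100.21",
           BASE + timedelta(hours=2), "Bob Ross", ""),
]

if __name__ == "__main__":
    for account, why in sorted(flag_signups(SAMPLE).items()):
        print(account, why)
```

Each rule on its own has false positives (a shared NAT, a family reusing a password, a gift card), which is why the function reports reasons per account rather than a verdict: an account that trips all three rules in one minute is the automated case, while a single reason is a signal to rate-limit or step up verification.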
The buying, selling, and other legitimate and non-legitimate ways of increasing resources are well known. The companies involved do take a stand against the exploitation of their games and do have policies to ban offenders, but they do not go quite far enough. Supercell, the company behind Clash of Clans and Clash Royale, has the following warning on its site.
UNAUTHORIZED GEM BUYING/SELLING
Certain websites and individuals might offer cheaper gems/diamonds. Don't be fooled - it's a scam.
Such services request private login data (such as Apple ID, Google Play credentials, etc) in order to access your game account. These vendors will gain access to your account and oftentimes, hijack the account and try selling it to other players.
IMPORTANT: If you release your private information/credentials to 3rd parties, you're permanently placing your game and financial/online security in a high-risk situation.
Consequences of misconduct: Purchasing gems or diamonds from 3rd party vendors can lead to revoked in-app currency and can even get your account permanently banned.
Unfortunately, this addresses only a small part of the overall problem; they should also target:
- Scams offering “free” resource generators: there are approximately 176 Google results attempting to lure people with unlimited resources for Clash of Clans. Considering the revenue generated, some of it should be spent on monitoring and taking down such sites.
- Accounts for sale: the account ID should simply be banned following suspicious payments. Track the money, perhaps by creating unique gem hashes that can be traced back to the original purchasing account and revoked after purchase if the purchase was made with a stolen card.
- Odd gem transfers between accounts: large transfers between accounts may be a warning sign that the gems were purchased or otherwise acquired from an outside source.
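The “track the money” suggestion above can be made concrete with a provenance ledger: every gem purchase becomes a batch tied to its payment, transfers move gems batch by batch so the tag travels with them, a chargeback revokes the gems from that payment wherever they have ended up, and unusually large transfers raise an alert. The following is an added example, not Supercell's or Kromtech's code; the account names, payment id, quantities and the large-transfer threshold are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class GemLedger:
    """Tracks every gem back to the payment (or in-game activity) that created it."""

    def __init__(self, large_transfer: int = 1000):
        self.large_transfer = large_transfer
        # account -> {batch_id: quantity}; dict order gives first-in, first-out transfers
        self.holdings: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        # batch_id -> (payment_id, or None for earned gems; originating account)
        self.batches: Dict[str, Tuple[Optional[str], str]] = {}
        self.alerts: List[Tuple[str, str, str, int]] = []

    def _new_batch(self, account: str, payment_id: Optional[str], quantity: int) -> str:
        # The batch id is the "gem hash": derived from the payment and the buyer
        seed = f"{payment_id}:{account}:{len(self.batches)}"
        batch_id = hashlib.sha256(seed.encode()).hexdigest()[:16]
        self.batches[batch_id] = (payment_id, account)
        self.holdings[account][batch_id] += quantity
        return batch_id

    def purchase(self, account: str, payment_id: str, quantity: int) -> str:
        """Gems bought with a payment; revocable if that payment is charged back."""
        return self._new_batch(account, payment_id, quantity)

    def earn(self, account: str, quantity: int) -> str:
        """Gems produced by normal play carry no payment and survive chargebacks."""
        return self._new_batch(account, None, quantity)

    def balance(self, account: str) -> int:
        return sum(self.holdings[account].values())

    def transfer(self, src: str, dst: str, quantity: int) -> None:
        if quantity > self.balance(src):
            raise ValueError("insufficient gems")
        if quantity >= self.large_transfer:
            self.alerts.append(("large_transfer", src, dst, quantity))
        remaining = quantity
        # Move gems batch by batch so provenance follows them to the new owner
        for batch_id in list(self.holdings[src]):
            if remaining == 0:
                break
            take = min(self.holdings[src][batch_id], remaining)
            self.holdings[src][batch_id] -= take
            if self.holdings[src][batch_id] == 0:
                del self.holdings[src][batch_id]
            self.holdings[dst][batch_id] += take
            remaining -= take

    def chargeback(self, payment_id: str) -> Dict[str, int]:
        """Payment reported as fraud: revoke its gems from every account holding them."""
        tainted = {b for b, (p, _) in self.batches.items() if p == payment_id}
        revoked: Dict[str, int] = {}
        for account, batches in self.holdings.items():
            for b in tainted:
                if b in batches:
                    revoked[account] = revoked.get(account, 0) + batches.pop(b)
        return revoked


def laundering_scenario() -> Tuple[GemLedger, Dict[str, int]]:
    """Constructed scenario: a mule account buys gems with a card that is later charged
    back and sells them on to two buyers before the chargeback lands."""
    ledger = GemLedger(large_transfer=1000)
    ledger.earn("mule", 200)                                  # legitimately earned gems
    ledger.purchase("mule", "payment-PLACEHOLDER-1", 14000)   # placeholder payment id
    ledger.transfer("mule", "buyer1", 5000)
    ledger.transfer("mule", "buyer2", 5000)
    revoked = ledger.chargeback("payment-PLACEHOLDER-1")
    return ledger, revoked


if __name__ == "__main__":
    ledger, revoked = laundering_scenario()
    print("revoked per account:", revoked)
    print("alerts:", ledger.alerts)
```

The point of the design is that the revocation reaches the buyers, not only the mule: buyer1 keeps the 200 earned gems that were mixed into the transfer, loses the 4,800 that came from the disputed payment, and both transfers were already logged as large before the chargeback arrived, which is the early signal the third bullet above asks for.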
We have not seen many actions taken to ban such activities on a large scale. In fact, on related forums we saw only individual users banned who admitted to buying gems from unofficial shops.
The ability to rebind your account an unlimited number of times from Apple ID to Supercell ID and back is considered a feature. It is useful for legitimately changing accounts, but it also lends itself to the sale of accounts for profit outside the game maker’s control.
Apple IDs involved in these transactions are also likely to end up completely compromised, during and after the sale, because most users have a lot of personal information attached to them. That is why, some time after the transaction, the user may encounter ransom attempts.
Google Play buying instructions avoid the direct transfer of account credentials (but we did not analyze all marketplaces).
We saw instructions for rebinding crafted Google accounts (with payment methods attached) to the user's Supercell ID, the credentials of which the user is expected to provide.
Detailed MongoDB analysis
| Table name | Count of docs | Contains | Interesting notes |
|---|---|---|---|
| users | 3 | Name, username, hashed password | Accounts were created on 2018-04-24 |
| suppliers | 9 | Full name and Facebook of responsible person; generate-address flag, add_card flag, Apple ID password (same for bunches of accounts), country, city, state, phone (only first 3 digits visible), game, wallet, proxy settings, scenarios in use, gem packages to try and buy | Starting from 2018-05-20 users were added |
| idstores | 11 | Name, selected flag | |
| cardstores | 10 | Name, selected flag | Examples: Kho Card Marin (BIN 434061), Kho Card Marin (BIN 458755) |
| emails | 13436 | Email, password, is_used flag, timestamps | |
| (table name not recovered) | (not recovered) | is_used, is_support flags, expiration date, ccv, timestamps | Card records |
| appleids | 37 645 | is_used, has_card flags, email, password, timestamps, owner, serial, is_support, verify_fail flags | |
| activities | 899 | Apple ID, action, target, timestamps | |
| logs | 97 431 | User, action, target, type, timestamps | 48128 unique targets in logs |
Profiles are configured for work in 5 countries:
- Saudi Arabia
- India
- Indonesia
- Kuwait
- Mauritania
One of the main questions we had was “Are these cards valid?”
It is true that many of the cards were used as a payment method with Apple, and that Apple verifies a card right after it is added. It is a common operation: they charge $1 to the card and then refund it to test whether it is valid.
But we needed more evidence…
It is unethical, not to mention illegal, to purchase something with found credit card data, so we investigated the data set without involving any third parties. The following is what we found:
- 150833 unique cards in the database, each with full card number, expiration date, and CCV.
- is_used = True: 37606 (this was equal to the number of Apple ID accounts in the database)
- is_used = False: 113370
- Visa: 149620
- Mastercard: 1211
- Expiry year 2023: 34873
- Expiry year 2022: 34990
- Expiry year 2021: 34940
| BIN | Issuing bank | Country | Brand | Count | Name from suppliers table |
|---|---|---|---|---|---|
| 421349 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 14000 | |
| 424965 | BANCO PROVINCIA DE TIERRA DEL FUEGO | Argentina | Visa | 1000 | |
| 434026 | HILLS BANK AND TRUST COMPANY | United States | Visa | 2 | |
| 434061 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 10000 | Kho Card Marin |
| 434062 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 1274 | |
| 446284 | CHASE MANHATTAN BANK USA, N.A. | United States | Visa | 8761 | |
| 455880 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 20000 | card_kuwait_455880 |
| 458755 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 29500 | Kho Card Marin |
| 479423 | GRUPO INTERNACIONAL DE FINANZAS S.A.E.C.A. (GRUPO INTERFISA) | Paraguay | Visa | 20000 | card_kuwait |
| 483819 | CHINA MERCHANTS BANK | China | Visa | 12000 | |
| 499831 | BANCO FAMILIAR S.A.E.C.A. | Paraguay | Visa | 10000 | |
| 521983 | PT. BANK NEGARA INDONESIA (PERSERO) TBK. | Indonesia | Mastercard | 94 | |
| 528674 | PT. BANK CIMB NIAGA TBK. | Indonesia | Mastercard | 1120 | |
| 529721 | PT. BANK NEGARA INDONESIA (PERSERO) TBK. | Indonesia | Mastercard | 35 | |
| 536788 | PT. BANK CIMB NIAGA TBK. | Indonesia | Mastercard | 101 | |
- Cards used (is_used): 37606
- Field add_fail (bool): 4560 cards that were already blocked
- Field add_success (bool): 18 072; indicates that adding the credit card to an account succeeded
So it appears that they had used 37,606 credit cards so far and, at the time of the investigation, had 18,072 cards verified by Apple (successfully added to accounts).
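The collection walk-through above and the card statistics just listed can be reproduced on a dump without ever keeping full card data in memory. The following added example (not Kromtech's tooling) reads a constructed JSON-lines export of the kind of documents described here, redacts each record to BIN, last four digits and expiry year on ingest, and then computes the same kinds of figures: cards used, cards verified or blocked, the per-BIN and per-year breakdown, and the round-numbered supplier batches that suggest purchased dumps. The card numbers, supplier names, flags and counts are made up; only the two BIN prefixes are taken from the table above.

```python
import json
from collections import Counter
from typing import Dict, List


def make_export() -> str:
    """Constructed stand-in for a dumped collection (JSON lines). The numbers are
    synthetic and only reuse two BIN prefixes that appear in the article's table."""
    lines = []
    for i in range(2000):  # one round-numbered supplier batch
        lines.append(json.dumps({
            "number": f"421349{i:010d}", "exp": f"20{21 + i % 3}-05", "ccv": "000",
            "is_used": i < 500, "add_success": i < 300, "add_fail": 300 <= i < 350,
            "supplier": "batch_a"}))
    for i in range(37):  # a small, non-round batch
        lines.append(json.dumps({
            "number": f"446284{i:010d}", "exp": "2022-11", "ccv": "000",
            "is_used": False, "add_success": False, "add_fail": False,
            "supplier": "batch_b"}))
    return "\n".join(lines)


def redact(doc: dict) -> dict:
    """Keep only what the analysis needs; the full number and the ccv are dropped here."""
    number = str(doc["number"])
    return {
        "bin": number[:6],
        "last4": number[-4:],
        "exp_year": str(doc.get("exp", ""))[:4],
        "is_used": bool(doc.get("is_used")),
        "add_success": bool(doc.get("add_success")),
        "add_fail": bool(doc.get("add_fail")),
        "supplier": doc.get("supplier", ""),
    }


def load_redacted(export_text: str) -> List[dict]:
    """Parse the export line by line, redacting each document before keeping it."""
    return [redact(json.loads(line)) for line in export_text.splitlines() if line.strip()]


def summarize(records: List[dict]) -> Dict[str, object]:
    return {
        "total": len(records),
        "used": sum(r["is_used"] for r in records),
        "verified": sum(r["add_success"] for r in records),
        "blocked": sum(r["add_fail"] for r in records),
        "by_bin": Counter(r["bin"] for r in records),
        "by_year": Counter(r["exp_year"] for r in records),
    }


def round_batches(records: List[dict], unit: int = 1000) -> Dict[str, int]:
    """Suppliers whose card count is a whole multiple of `unit`, the round-number
    pattern the article associates with cards bought in bulk on carder markets."""
    per_supplier = Counter(r["supplier"] for r in records)
    return {s: n for s, n in per_supplier.items() if n >= unit and n % unit == 0}


if __name__ == "__main__":
    recs = load_redacted(make_export())
    stats = summarize(recs)
    print({k: v for k, v in stats.items() if not isinstance(v, Counter)})
    print("top BINs:", stats["by_bin"].most_common(3))
    print("round batches:", round_batches(recs))
```

Redacting at load time matters for the reason given above: the analyst can answer every question the report asks (how many were used, how many passed Apple's $1 check, which issuers and years dominate, which batches look bought) from BIN, last four and flags alone, so the full numbers and CCVs never have to leave the evidence copy.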
Detailed emails investigation
Emails, standalone total count: 13 436
They chose email providers with little to no protection against automated account creation.
Detailed accounts investigation
- 37 645 emails with passwords and creation date
- 240 mail domains
Instructions were found on one of the game automation forums for automatically playing and advancing in Clash of Clans for profit using Raccoonbot.
Supercell states that any kind of automation tool is forbidden and, if detected, the account gets banned from the system.
Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of Clans. It advertises itself on its forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further increase the profit from the stolen credit cards. It is a direct violation of Supercell policy, it aids in laundering money, and it remains in operation.
iGameSupply is an approved marketplace for selling Raccoonbot-generated gems: https://www.raccoonbot.com/forum/forum/80-approved-marketplace/
- The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.
- We do not know whether this is simply because the tool and the Facebook page are new and these are just the initial users, or whether operating through these countries provides some kind of additional benefit to the thieves.
- Credit cards we found belong to 19 different banks.
- They were probably bought on carder markets, as they came in groups of round numbers, like 10k, 20k, 30k.
- Apple appears to employ a lax credit card verification process.
- Cards with improper names and addresses were approved.
- The large-scale abuse of the creation and verification process of Apple ID is possible because the group uses jailbroken iPhones to distribute the load, along with generated and stolen data.
- Service providers need to meet today’s realities and properly secure their account creation process from abuse by automated tools.
- Apple and the e-mail providers used did not do enough to protect against this kind of abuse.
- Game makers could do a better job of policing their policies along with tracking and pursuing abusers.
- Apple could do the same.