There’s a story that when the notorious bank robber “Slick Willie” Sutton was asked why he robbed banks he replied “Because that’s where the money is” (see Sutton’s Law). As a strategy for maximizing the potential “take home” Sutton was, if you’ll forgive the pun, right on the money even if the risk was higher than, say, knocking over a supermarket.
So, if you’re a black hat hacker in the 21st Century, who do you go after? Not the banks; their defenses are (usually) far too much work to penetrate. Nope, you look for a softer target, one that is less sophisticated, more numerous, and carries lower risk. That target would be gamers, who rack up staggering numbers of visits to Web sites (the top 15 Web sites currently get 121.85 million visits per month … and those are long visits).
Phishers, recognizing the potentially rich pickings, send messages that lead to Web sites with names very similar to those of the gaming sites, to get gamers to log in with the credentials they’d use for the real site.
On the legitimate trade website, a trade offer can be responded to by signing in with your game account using the OpenID protocol. When a user wants to sign in, he’s redirected to the game vendor’s website, where he logs in and confirms that he wants to log in on the third-party website as well.

He is then redirected back to the trading website, where he is now logged in and can initiate or respond to any trade he wants. However, on the phishing website the situation is a bit different.

Once the gamer hits the sign in button, he’s not redirected to the game vendor’s website, but to a page very similar to the vendor’s on the same domain, where the user is asked to enter his account credentials.
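A defender-side check for the redirect difference described above, added here as an example and not taken from the original post or from Comodo: it classifies where a trade site’s “sign in” button actually sends the browser, flagging a login form served from the trade site’s own domain and hosts that merely resemble the vendor’s OpenID provider. The provider allowlist and the trade-site host name are constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example: the host a legitimate OpenID
# sign-in must redirect to. A real deployment would load it from config.
LEGIT_PROVIDER_HOSTS = {"steamcommunity.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted provider hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_signin_redirect(trade_site_host: str, redirect_url: str) -> str:
    """Classify where a trade site's "sign in" button actually sends the user.

    Returns one of:
      "legitimate"        - host is exactly the vendor's OpenID provider
      "same-domain-login" - login form served by the trade site itself
      "lookalike"         - host resembles the provider (typo or decoy label)
      "unknown"           - anything else
    """
    parsed = urlparse(redirect_url)
    # A relative redirect (no host part) stays on the trade site itself.
    host = (parsed.hostname or trade_site_host).lower().rstrip(".")
    trade_site_host = trade_site_host.lower()
    if host in LEGIT_PROVIDER_HOSTS:
        return "legitimate"
    if host == trade_site_host or host.endswith("." + trade_site_host):
        return "same-domain-login"
    for legit in LEGIT_PROVIDER_HOSTS:
        legit_label = legit.split(".")[0]
        # e.g. "steamcommunity.com.evil.example" or "login.steamcommunity.ru"
        if legit_label in host.split("."):
            return "lookalike"
        # e.g. "steamcommunlty.com": one or two characters off the real host
        if edit_distance(host, legit) <= 2:
            return "lookalike"
    return "unknown"
```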
At the heart of this scam is getting access to the games hosted by services such as Steam, an “internet-based digital distribution, digital rights management, multiplayer, and social networking platform developed by Valve Corporation” (Wikipedia). Why? Because:
Some games have so-called “in-game items” which players use to improve the gaming experience. These items are purchased during the game with real money and their price can vary from a few cents to several hundred dollars. Players use them in the game, exchange them for other items or sell them to other players in a “Community Market”.

This means a gamer’s account can be a rich prize if compromised by fraudsters. (Comodo Group).
For much more detail see the Comodo Group's discussion of the techniques used to attack gamers using Steam.
The genius, if such can be termed, of this phishing is that the target audience is generally naive about such attacks and the techniques are easily deployed. What should worry every corporate security executive is that, while staff may face financial loss from these exploits, there’s also the very real potential for gamers to become gateways for hackers’ entry into corporations, particularly where Bring Your Own Device programs are supported.
Once again it becomes clear that no amount of security and education can remove all corporate risk; it’s become a matter of simply minimizing exposure and expecting some degree of loss. It rather makes you long for the simplicity of the days of Mario, doesn't it?