From real-time social virtual worlds to "massively multiplayer online games" (MMOGs), the Internet and advances in technology have enabled the creation of virtual communities where individuals can interact in cyberspace. The beginnings of virtual economies, emerging from these virtual communities, can be traced to online games in which players collect various forms of loot: virtual gold, magic spells, weapons, etc. But virtual economies were truly established when players began exchanging real money for virtual goods and currency. And, as always, when there's real money, there's potential for real fraud.
MASSIVELY MULTIPLAYER ONLINE GAMES
MMOGs are online games played by many individuals at once. They differ from regular computer role-playing games because their environments are perpetual. People log on, join the game, assume their roles, and leave whenever they wish, but the game continues.
"Real-money trades" (the buying and selling of virtual goods from MMOGs with real money) became possible with the emergence of online auction sites. Some auction sites have explicitly banned auctions for virtual property from online games, but others have filled this niche market. Some publishers of MMOGs include bans on real-money trades in their terms of use.
Because virtual goods can now be converted to real currencies, players are more susceptible to fraud. The "PWS.Win32.WOW.x" Trojan horse program, appearing in May 2006, stole usernames and passwords from players of the online game World of Warcraft. After attackers had sign-on information, they could transfer virtual goods to another account or sell them off in a virtual gray market.
Fraudsters are also using "farming" to generate illicit revenue from online games. Players in sweatshops perform repetitive in-game actions like slaying an enemy to generate gold or other in-game virtual currency, which they then harvest and sell on the gray market for real currency.
These two scams are the beginnings of online attempts to hijack players' accounts or compromise other aspects of MMOGs game play to convert virtual currencies and goods to the real thing.
VIRTUAL WORLDS
A player in a virtual world is immersed in a fantasy situation; he relates to other players socially but has to devise his or her goals. Users enjoy these virtual worlds as they interact with others in the same time and place. Players can also create a completely new background and appear as anybody they want to be outside the constructs of the real world. Second Life, Active Worlds, and Entropia Universe are some of the more popular virtual environments. "Residents" of virtual worlds represent themselves using "avatars" and interact with other avatars online. Avatars are computer users' representations of themselves, which they customize to take on various forms. Players use these representations to explore virtual worlds and conduct conversations with other avatars.1
The virtual economies, complete with virtual currencies, have grown large enough that several actual, well-established companies are building an in-world presence. The "inhabitants" of these virtual worlds make money by working in service industry jobs, such as casino hosting, or as virtual entrepreneurs who buy and sell buildings, cars, clothing, and artwork. Virtual real estate promoters can earn a great deal of money by buying and improving properties before selling them.2 Some of these properties fetch thousands of U.S. dollars.
Goods and services are paid for with in-world currencies, which can be exchanged for real currency on money markets, complete with exchange rates. A cybercriminal's ability to convert virtual proceeds of their illicit in-world acts to a real world currency accelerates fraud potential.
Some inhabitants of virtual worlds have fallen victim to virtual banking scams. In one case, hundreds of virtual inhabitants lost their savings when a virtual bank vanished after it lured them with promises of high returns on investments.
In December 2007, security researchers demonstrated the feasibility of a fraudulent attack in a virtual world.3 The researchers began by embedding a malicious media file that exploited a known media player vulnerability. After a player's avatar viewed the file in the virtual world, the researchers showed it was possible to take control of that player's computer and have the victim's avatar transfer virtual funds from its account to another avatar. This type of attack circumvents virtual world controls by manipulating software already residing on the victim's computer. If cybercriminals actually were to conduct this type of attack, they could then convert the transferred virtual funds to real currency.
SOME LEGAL ISSUES
As we've seen with other forms of online fraud, the Internet allows perpetrators a certain degree of anonymity as they pilfer (currently) small sums of real money through virtual fraud.
Recently the first case of copyright action was undertaken when a lawsuit, filed in a U.S. District Court, was brought against an individual for allegedly counterfeiting virtual goods. The action was based on existing law from real-world cases, which are similar to the alleged in-world activities. Originally filed against "Avatar/John Doe" because of the ephemeral nature of virtual worlds, the courts had to authorize subpoenas against the creators (and operators) of the virtual world and Internet service providers to ascertain the identities of the individuals running the counterfeiting operation.
In a case like this in unchartered territory, legal counsel is required to thoroughly understand the legal aspects and inner workings of virtual worlds. It will be interesting to see how the courts rule and watch the evolution of online virtual-world case law. Just as online fraud is changing the fraud examination landscape, the emergence of virtual worlds will undoubtedly influence the ways we conduct investigations and the ensuing litigation.
Here's another issue: Should or will governments tax gamers' and avatars' earnings? The Australian Tax Office4 has said that monetary benefits from online worlds will be taxed just like real-world income, but how is that country going to enforce that? Will they treat gaming and virtual-world activities as hobbies or businesses?
Controls, laws, and regulations have made e-commerce a safe practice. But will virtual worlds and economies change the way we do business online? Which changes will be needed to secure "financial" activities in the virtual worlds? Will its inhabitants build a controls framework, or will real-world intervention be required to allow this new e-commerce model to grow? As with previous cyberspace issues we've discussed, time will tell.
INTELLECTUAL PROPERTY THEFT
In the next column, we'll take a closer look at the impact of technology on the theft of intellectual property.
Jean-Francois Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
