They reportedly use stolen credit cards to boost new accounts they make with micro-transactions, before selling the accounts online for profit.
A new report from German-based cyber-security company Kromtech. The report on their website details that they found a database, that contained “a large number of credit card numbers and personal information inside.” Apparently, 20,000 stolen credit cards were used to purchase micro-transactions inside three popular mobile games: Clash Of Clans, Clash Royale and Marvel: Contest Of Champions in the last one-and-a-half months.
The accounts that contained these boosted games were then reportedly sold on third party market sites such as gtg.com. According to Kromtech, the thieves automated a system that did all the work for them: creating the email address, the Apple ID/Google Play Account, buying the micro-transactions and posting the account online for sale. They also utilized another tool called Racoonbot, that automates playing Clash of Clans and grinding through the game to gain gems, which were then sold online.
On top of this, It seems they found thousands more unused credit cards, from about 19 different banks. Although, the tools they had seemed to only work in Saudi Arabia, Indonesia, Kuwait, India and Mauritania. Worryingly, It was allegedly found that Apple had sometimes approved credit cards to be used, when the full names and addresses had been incorrect.
Kromtech noted that many of the involved companies didn’t do enough to prevent this kind of online scam. “Apple appears to employ a lax credit card verification process…Service providers need to meet today’s realities and properly secure their account creation process from abuse by automated tools: Apple and the e-mail providers used did not do enough to protect against this kind of abuse…Game makers could do a better job of policing their policies along with tracking and pursuing abusers.”
In an interview with Kotaku, Bob Dianchenko, the Head of Communications, said that he was shocked and that the “Process should be much more complicated than it is now,” The report comes as a result of a previous investigation by Kromtech into NoSQL database program MongoDB, after it was found that many of the databases created did not require authentication to access by default.
The database detailed above was one such insecure database made with MongoDB, found by Kromtech last June.
How do you feel about these apps being used for money laundering? Where you already aware of the investigation into MongoDB? Join the discussion below.
Image Source: Supercell’s Clash Of Clans Page