In a blog post, the company said the thieves were targeting three online games: two by the game maker Supercell – Clash of Clans and Clash Royale, and one by Kabam – Marvel Contest of Champions.
The three games had more than 250 million users who generated about US$330 million annually, and also had an active third-party market that used sites like g2g.com to buy and sell resources and games. The scammers were operating through both the Apple App Store and the Google Play Store.
Kromtech said the prices asked for an in-game purchase like the 14000 Gems pack for Clash of Clans and Clash Royale ranged from US$94.38 in the Philippines to US$135.33 in Denmark.
"Apple does attempt to validate the credit card by charging and then refunding $1; interestingly, they must not perform much in the way of credit card verification because we saw that many were processed with an incorrect name and address," the Kromtech researchers wrote.
"Perhaps verification is minimal due to the low dollar amount of the charge, but a stricter credit card verification would make it a bit more difficult for the carders."
Once they had automated the account creation process, the credit card thieves "took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load".
Kromtech said it had drawn the following conclusions from its findings:
- "The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania. We do not know if this was simply because the tool and Facebook page is new and this is just due to initial users, or if operating through these countries provides some kind of additional benefit to the thieves.
- "Credit cards we found belong to 19 different banks. They were probably bought on the carder markets as they were in groups of round numbers, like 10k, 20k, 30k.
- "Apple appears to employ a lax credit card verification process. Cards with improper names and addresses were approved.
- "The large-scale abuse of the creation and verification process of Apple ID is possible because the group uses jailbroken iPhones to distribute the load, along with generated and stolen data.
- "Service providers need to meet today’s realities and properly secure their account creation process from abuse by automated tools.
- "Apple and the email providers used did not do enough to protect against this kind of abuse.
- "Game makers could do a better job of policing their policies along with tracking and pursuing abusers. Apple could do the same."
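The pipeline Kromtech describes (cycle stolen cards through the $1 verification charge until one is approved, one fresh account per attempt, load spread across jailbroken devices) leaves a recognisable signature in a store's own authorization logs. What follows is an added example, not code from Kromtech, Apple or the game makers: a hypothetical detection heuristic in Python run over constructed authorization events. The field names (device_id, card_token, avs_match and so on) are assumptions about what a store would have on hand. It flags a device that pushes many distinct cards through small verification charges within an hour, reports the decline ratio and how many approvals went through despite a name/address mismatch, and notes when each card arrived on a newly created account.

```python
"""Card-testing / automated-signup heuristic over payment authorization events.

Hypothetical detection logic (added example, not Kromtech's, Apple's or a game
maker's code). Field names are assumptions; a real store would map its own
logs onto them. The sample events below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int            # seconds since epoch
    device_id: str     # hardware/install identifier seen at signup (assumed field)
    account_id: str    # store account the charge was made from
    card_token: str    # tokenised PAN; one token per distinct card
    amount_cents: int  # 100 == the $1 verification charge
    approved: bool     # issuer approved the authorization
    avs_match: bool    # cardholder name/address agreed with the issuer's record


def card_testing_findings(events, window_s=3600, min_cards=5, min_accounts=3):
    """Return {device_id: finding} for devices that behave like card-testing rigs.

    A rig cycles many distinct cards through verification charges in a short
    window, mostly declines, often with a new account per card. A legitimate
    user re-entering a mistyped card produces one or two tokens, not dozens.
    """
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device_id].append(e)

    findings = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e.ts)
        best = None          # (distinct cards, events) for the densest window
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_s
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            cards = {e.card_token for e in window}
            if len(cards) < min_cards:
                continue
            if best is None or len(cards) > best[0]:
                best = (len(cards), window)
        if best is None:
            continue
        n_cards, window = best
        accounts = {e.account_id for e in window}
        declines = sum(not e.approved for e in window)
        approved_avs_mismatch = sum(e.approved and not e.avs_match for e in window)
        findings[device] = {
            "distinct_cards": n_cards,
            "distinct_accounts": len(accounts),
            "decline_ratio": round(declines / len(window), 2),
            "approved_with_avs_mismatch": approved_avs_mismatch,
            # one new account per card is the automated-signup tell
            "automated_signup": len(accounts) >= min_accounts,
        }
    return findings


def constructed_events():
    """Constructed sample input (not real data)."""
    evs = []
    # Rig: eight cards, each on a fresh account, two minutes apart. Six are
    # declined; two are approved although name/address did not match.
    for i in range(8):
        evs.append(AuthEvent(
            ts=1_500_000_000 + 120 * i,
            device_id="iphone-jb-01",
            account_id=f"acct-{i:03d}",
            card_token=f"tok-{i:04d}",
            amount_cents=100,
            approved=i in (2, 5),
            avs_match=False,
        ))
    # Ordinary buyer: mistyped the card once, then succeeded; same account, same card.
    evs.append(AuthEvent(1_500_000_000, "legit-01", "acct-900", "tok-9000", 100, False, True))
    evs.append(AuthEvent(1_500_000_090, "legit-01", "acct-900", "tok-9000", 100, True, True))
    return evs


if __name__ == "__main__":
    for device, finding in card_testing_findings(constructed_events()).items():
        print(device, finding)
```

The thresholds are starting points, not tuned values: a store would set window_s, min_cards and min_accounts from its own baseline of how often honest customers retry a card, and would treat approved charges with an AVS mismatch as a reason to hold the purchase rather than as proof of fraud on their own.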
Kromtech Security communications chief Bob Diachenko said: "If you have ever played a free-to-play game you know that most of them require resources of one type or another to play. Whether it be gems, gold, power-ups, or other, these resources are required to advance within the game, making them critical to the game play. Manually gathering the free resources is a slow process and one can play a game for months working to move up levels.
"This is where the game makers make their money. They sell resources through 'In-App Purchases' to help people play the game and speed up the game play. The lure of speeding up your play is a strong incentive to spend money on resources, and many spend to play. This has turned free-to-play games into a multi-billion dollar industry.
"The resources even maintain value after purchase, because in many cases, once bought, they can be traded, adding to the game play. The game itself can also be transferred from one account to another. Because of this, resources gathered or bought and games built to advanced levels can also be resold. It is the selling of these on third party markets that holds the door open to the illicit activity that we found taking place."
Graphics: courtesy Kromtech