Popular mobile games such as "Clash of Clans," "Clash Royale" and "Marvel Contest of Champions" are being used to launder money, according to a new report from a German cybersecurity company.
In its report Kromtech notes that more than 20,000 credit cards were stolen from April 2018 to June 2018.
"Money laundering through the Apple AppStore or Google Play isn’t a new idea and has been done before," said Kromtech communications director Alexander Kernishniuk in the blog post announcing the findings.
The aforementioned games were likely easy targets for thieves because of their size and scale. According to Kromtech, there are more than 250 million aggregate users for the three games, which generate a combined $330 million in annual revenue.
The thieves steal the credit card data, make purchases and then resell the accounts with the purchases to a third-party, so they have no connection to the stolen credit cards.
"The resources even maintain value after purchase, because in many cases, once bought, they can be traded, adding to the game play," said Kromtech Security head of communications Bob Diachenko. "The game itself can also be transferred from one account to another. Because of this, resources gathered or bought and games built to advanced levels can also be resold. It is the selling of these on third party markets that holds the door open to the illicit activity that we found taking place."
News of Kromtech's findings was first reported by Variety.
It's fairly simple for thieves to get the data they need. Apple IDs are needed to make purchases, but they only need items like a password, date of birth, security questions, and an email address.
"E-mail accounts are also very easy to create with a few providers requiring little in the way of verification," Kromtech wrote in its blog. "Combined, the carders were able to automate the account creation process, as you’ll see, allowing them to create accounts on a large scale."
Kromtech initially found stolen data on hacked MongoDB databases and from there, dug deeper, only to find that the database "appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old."
Kromtech said it has sent its findings to the Department of Justice and is advising developers and Apple to make their systems more secure.
"Service providers need to meet today’s realities and properly secure their account creation process from abuse by automated tools," Kromtech wrote in its post. "Apple and the e-mail providers used did not do enough to protect against this kind of abuse."
The company continued: "Game makers could do a better job of policing their policies along with tracking and pursuing abusers. Apple could do the same."
Follow Chris Ciaccia on Twitter @Chris_Ciaccia