Runescape creator pursues 'phishing thieves'

30 November 09 12:09 GMT
By Mark Ward
Technology correspondent, BBC News

A British man has been arrested and cautioned for stealing accounts for online game Runescape.

Jagex, creator of Runescape, said it was likely to be the first of several arrests as it tackled in-game fraud.

Online game Runescape has more than 100 million active players and play revolves around collecting and spending virtual cash and loot.

The company said it was working with UK police and the FBI to track down and catch those targeting Runescape.

Crime trail

A statement from the Police National e-crime unit said: "A 23-year-old man was arrested in Avon and Somerset on the morning of Tuesday 24 November by officers from the Police Central e-crime Unit, on suspicion of a number of computer misuse offences."

The offences are believed to be for using phishing e-mails to trick people into handing over login details for Runescape accounts.

Once hi-tech thieves have these credentials they plunder the accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold. This virtual money can be traded to others in-game or sold for real world cash.

Current underground exchange rates suggest that 2m Runescape gold costs about £6 ($10).

"We have pinned down and identified the handful of ring leaders and we are going after them with both barrels," Mark Gerhard, chief executive of Jagex, told BBC News.

"Any online games company will tell you that as soon as the game has value, there's a very small foreign element that tries to exploit that value," he said.

Mr Gerhard said the arrest on 24 November was not the result of something that happened the day before. It was one result, he said, of a long term investigation that had sought out those behind the phishing attack that caught out a "few thousand" Runescape players.

The biggest audience for Runescape is in the US and UK, and Mr Gerhard said the company was working with forces in both nations to track down the virtual thieves. He predicted that there would be more arrests as Jagex knew the handful of people behind the crimes and where they were based.

Laundering cash

Trade in Runescape game gold is against the terms and conditions of the game, and Jagex has made many changes to its underlying code to stamp out gold farming, in which players repeat activities that generate lots of virtual cash or valuable items.

Mr Gerhard said its efforts to tackle gold-farming may have forced the thieves to try a different approach.

"Once you close one vulnerability you move the attack surface to another part," he said. Jagex's efforts to tackle farming had removed 90% of the problem, said Mr Gerhard.

"They were going directly after the user credentials and trying to get at the wealth that way," he said.

"Players invest years of time and effort into developing their Runescape character so the theft of a Runescape account shouldn't be treated differently to the theft of any other valuable possessions such as a games console, television or car," he said.

Alisdair Faulkner, a computer security expert at ThreatMetrix, said it was seeing many more hi-tech thieves turn to stealing virtual rather than real goods.

Virtual goods were much easier to launder and dispose of than tangible items such as flat screens and computers, he said. It was a particular problem in Asia where the sales of virtual game goods were well established.

Many thieves stole credentials from networks of hijacked home computers - known as botnets - or used them as proxies to make the theft look like it was coming from a legitimate source.

"For some of these botnets their sole purpose is to act as a gateway to help fraudsters," he said.

ISPs, merchants and other firms were using ways to pierce a proxy and find out who was really in charge of it, said Mr Faulkner.
