A session at the RSA Conference discussed hacking massively multiplayer online (MMO) games. Exploiting game vulnerabilities or using automated macros to gain an unfair gameplay advantage has been around for some time and will probably not interest many security experts, but when these hacks are used to make real profit through the games' interaction with the real economy, it becomes a serious problem.
Gary McGraw, CTO of software security consulting firm Cigital and moderator of the panel, explained that in-game economies produce virtual goods which are highly valued and are cashed in by some players for real money – a $1 billion yearly market in all. While seasoned enthusiasts have been aware of this trade and have been participating in it for quite some time, security experts are only now beginning to take notice – particularly given the large amount of money involved.
The first panelist was Greg Hoglund, CEO of the consulting firm HBGary and Rootkit.com’s founder. Hoglund discussed the two main methods of exploitation of MMOs – exploiting bugs and using bots.
Players may sometimes abuse existing game mechanics or discover a previously unknown glitch in the game in order to do things the game would not ordinarily allow. Players have been known to extract real profit from the game resources obtained, as an underground market exists for these items – with bids fetching hundreds to thousands of dollars. A security expert has demonstrated an exploit in the popular game Second Life that can be used not only to steal in-game money from other users (a commodity that is directly convertible to US dollars) but also to steal credit card information.
Bots, on the other hand, are automated scripts that take advantage of legitimate game routines – such as performing actions over and over again at a pace and degree quite difficult or tedious for ordinary players to perform. Many groups have then taken advantage of cheap labor in developing countries to employ people to run multiple bot machines that control multiple accounts amassing in-game money. The in-game money amassed is then sold to paying customers for real cash. This practice is universally frowned upon by gaming communities and developers alike.
Abusive metagaming was also discussed, especially in online card games that allow real bets to be placed. Players may run multiple accounts at a single table in order to cheat other players by manipulating the game in their favor. Basically, any virtual world with many participants and money involved will attract individuals who will seek to find ways to exploit the system.