Microsoft has filed a lawsuit against a Chinese company that operates an online service that sells virtual gaming currencies, accusing the company of hacking into Xbox accounts and illegally purchasing game coins via the account owners’ credit card.
According to court documents obtained by Bleeping Computer, Microsoft discovered the scheme last December, when its employees stumbled upon the iGSKY website, where visitors could purchase gaming currency for various console games, some of which were exclusive to the Xbox platform.
iGSKY was hacking into accounts using leaked credentials
In order to determine the source of these gaming coins, Microsoft’s staff performed six test transactions. Following these transactions, Microsoft’s investigators discovered that the site’s operators — a company named Gameest International Network Sales, Co. Ltd. — had illegally accessed the accounts of other Xbox users from where they purchased gaming currency using the payment card attached to that account.
Microsoft concluded that there was no breach of its systems, but the Chinese company had reused credentials leaked in data breaches at other services. In some cases, iGSKY accessed accounts directly, in other cases, they reset the owner’s password, after presumably taking control of his email.
iGSKY would then transfer these coins to the Xbox account of the person buying “cheap” gaming currency from its platform.
The iGSKY platform boasted it could provide cheap gaming currency for the following games:
ArcheAge, Black Desert, Blade and Soul, CSGO, Dofus, Dofus Touch, FIFA 14, FIFA 15, FIFA 16, FIFA 17, Forza Horizon 3, Grand Theft Auto V, Mabinogi, Madden NFL 17, Maple Story, MU Legend, MU Origin, NBA 2K17, NBA Live Mobile, NHL 17, Pokémon GO, Revelation Online,
Riders of Icarus, Rocket League, TERA, Tree of Savior, Trove, Twin Saga, and Wildstar
Prices for various of these gaming currency packages where almost half of their real prices on Microsoft’s site.
iGSKY customers used PayPal or direct payment card transactions to handle payments for their illegal activity, leaving a trail that Microsoft could track.
Hackers stole over $2 million in gaming currency
After investigating past incidents, Microsoft says it discovered nearly $2 million in fraudulent purchases of virtual gaming currencies. The OS maker said it issued refunds for all these transactions.
Microsoft has filed a lawsuit in a California court, and a judge has already frozen the Chinese company’s PayPal assets. Microsoft’s investigators are still working on unmasking the people behind Gameest, iGSKY’s operators.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.