Online crooks are taking a new and nasty approach to cybercrime by rigging educational online games meant for preschoolers. Malicious software, including Trojans that can swipe your bank account details right from your computer, is injected into the Adobe Flash-based games' code.
Catalin Cosoi, head of the online-threats lab for the Romanian security firm Bitdefender, spotted more than a half-dozen infected children's games on Chinese websites.
"The games were not created expressly to distribute malware," he told SecurityNewsDaily, but online scammers will take legitimate games — "preferably quite popular ones" — and rig them with malware.
The games include some that let children nurture online pets or catch falling objects, and others that challenge kids to spot the differences between two similar images. They provide cybercriminals with a perfect opportunity to exploit the vulnerability of children too young to read.
So a 4-year-old, thinking he's participating in an innocent browser-based Flash game, could click on a button and potentially open up his parents' computer to any number of cybercrime threats, from spyware to Trojans such as Zeus, capable of harvesting online banking credentials. The manipulated games could even force the PC to join a botnet, an automated network of malware-spreading systems.
The corrupt games feature striking visuals and run on any Flash-enabled Web browser on any system, making them ideal traps to entice an unknowing child. (Fortunately for Mac and Linux users, only Windows malware has been found in the games so far.)
"Some scams might raise suspicions of adults — particularly when they [the games] seek to install software on the computer or redirect computer users to suspicious websites. So the scammers are going for easier targets," Cosoi says in a posting on Bitdefender's Malware City blog. "Kids are more easily tempted into [clicking] on that big green download button or flashing icon in hopes of having more fun. A 4-year-old, obviously, isn't worried about online banking vulnerabilities."
Bitdefender's Loredana Botezatu wrote that children are too young to understand that a button they press on a screen may not do what it is supposed to.
"They know how to play a game," she wrote, "but they can't discern between a game button and a malicious application designed to steal their parent's bank account details or redirect the browser towards malware."
Cosoi is not surprised crooks would sink this low.
"This is just another blend of social engineering," he said. "Targeting kids with popular games in order to infect their home computer is yet another way of obtaining more profit."
Cosoi told SecurityNewsDaily that PCs running up-to-date anti-virus software "should be protected" against these rigged games, but that some of the malware implanted in the games could prompt kids to disable the system's anti-virus software.