A Trojan that promises RuneScape players gold but instead steals their passwords was developed by an 11-year-old, researchers claim.
Antivirus biz AVG said it made the discovery after studying a piece of code masquerading as a cheat tool for the wizards'n'warriors online role-playing game. The malware asks victims for their login details and, rather than send them in-game currency as promised, it passes the sensitive data to its munchkin master.
But the little tyke was outed by his own source code: it contained personally identifiable information that a more experienced VXer would never reveal.
AVG Technologies said this isn't the first time a child-built nasty has wandered onto its radar, and said the age of the Canadian developer suggests that kids are "digitally fluent far earlier than previous generations".
While snooping on players' login details may at first seem a petty triumph, gaming accounts often store credit-card details or virtual currency for in-game purchases.
And many people use the same passwords for their accounts on Facebook, Twitter, Google and other websites and gaming networks, potentially putting the victims at serious risk across the entire web: as well as the inconvenience of regaining access to compromised accounts, there's a possibility information could be exploited by online bullies and identity thieves.
"We have now seen a number of examples of very young individuals writing malware, including an 11-year-old from Canada," said Yuval Ben-Itzhak, chief technology officer at AVG Technologies, referring to the RuneScape Gold Hack tool.
"The code usually takes the form of a basic Trojan written using the .NET framework, which is easy to learn for beginners and simple to deploy via a link in an email or posted on a social media page.
"We believe these junior programmers are motivated mainly by the thrill of outwitting their peers, rather than financial gain, but it is nevertheless a disturbing and increasing trend. It is also logical to assume that at least some of those responsible will be tempted to experiment with much more serious cyber-crimes."
The rise of the pre-pubescent VXer is documented in AVG Technologies' latest security dossier (PDF here), which also reports that almost 60 per cent of all threat activity online was carried out using exploit toolkits. The newly created Cool Toolkit accounted for 16 per cent of the top web threats in Q4 2012, topped only by the Blackhole Exploit Kit at 40 per cent. ®