The gaming industry is big business. So much so in fact that Statista predicts that the global video game market will be worth a staggering $138bn+ by 2021, and estimates that there are currently almost 2.5 billion video gamers worldwide.
In our modern day and age, one can game from their phone, tablet, computer, console and beyond. Clearly, things have come a very, very long way since the early days of video gaming back in the 1970s, when the likes of Pong and Space Invaders were the go-to games of choice. Gaming has evolved into not just one of the most popular and widely-enjoyed hobbies in the world, but as an industry, it has become one of the most dynamic and competitive markets in the tech sector.
However, while there has been continual increases in the number of people turning to the gaming industry for fun and entertainment over the last few decades, more recently, it has also drawn the attention of a subset of society whose interest in it is far less recreational: cyber-criminals.
A plethora of research and media reports have revealed that, over the last few years, cybercrime has well-and-truly got its claws into the gaming industry with attackers leveling various nefarious escapades to defraud and steal from the development, marketing and monetization of video games.
So, why and how has the gaming industry emerged as a target for cybercrime, and what needs to be done to protect it?
It’s in the Game
One of the most obvious factors that has played a significant role in the rise of gaming-based cybercrime is the unrelenting power of the internet, social media and mobile computing. “The speed of change opens the gaming industry to misconfigurations, policy violations, threats, and identity and access management challenges,” explains Chris DeRamus, CTO and co-founder, DivvyCloud.
More than that though, there are specific things about the very nature of the modern gaming industry that make it a particularly eye-catching and accessible target for cyber-attackers.
As Akamai states in the 2019 State of the Internet/Security Web Attacks and Gaming Abuse Report: “As an industry, gaming is a large, unregulated market of in-game purchases and rare items.”
Part of the reason why gaming is so lucrative, the report continues, is the trend of adding easily commoditized items for gamers to consume, such as cosmetic enhancements, special weapons, or other related items.
Mario Mercaldi, associate principal security consultant at Synopsys, agrees: “When a game has purchasable items or in-game content, there is a virtual ‘economy’ that can quickly kill a game if it sours.”
Another interesting element that comes into play here is the fact that “gamers are a niche demographic known for spending money, so their financial status is also a tempting target,” Akamai’s report adds.
“In a market with so many alternatives and great revenue potential, which we have seen with modern service models, attackers see games as services with piles of cash,” concurs Mercaldi. “This potential is fed mostly by literal children with access to their parents’ credit cards and guarded by boilerplate financial transaction frameworks monitored by internal teams that have way too much surface to cover.”
Then there’s the simple fact that “despite the massive amounts of gamer PII stored by game developers, the gaming industry is relatively new to cybersecurity when compared to other industries like finance and healthcare,” points out Ben Goodman, CISSP and senior vice-president of global business and corporate development at ForgeRock. Game development and publishing studios therefore often face the nightmarish task of protecting huge amounts of revenue and data with modest security divisions, and “there is still a tendency to greatly prioritize ease of use in the user experience over security,” Goodman argues.
The huge shift towards mobile has played a big part too. “People are increasingly using their phones for gaming,” Ashlee Benge, threat researcher at ZeroFOX, tells Infosecurity. “The availability of valuable information on phones, paired with low security barriers, makes mobile an attractive attack vector for cyber-criminals.”
It can be difficult for app stores to regulate mobile games given the sheer volume of applications in these stores, she adds. “Public perception also has not shifted fully to consider mobile protection yet, either. The average laptop user is probably at least somewhat aware that they should run some kind of anti-virus program at the very least, but few people view their phones as potential attack vectors.”
So cyber-criminals are targeting the booming but relatively security-immature gaming industry to go after quick, easy money. One could determine that, when it comes to cybercrime, that’s nothing new – but exactly how are fraudsters capitalizing on the gaming sector, and is that where things really start to get interesting?
“Cyber-criminals can also distribute a malicious application in the form of a game-related tool, patch, crack or mod”
Hackers Level Up
“Before talking about the attack strategies, we should first understand how exactly cyber-criminals tend to make money,” Mariya Fedorova, lead malware analyst for Kaspersky, tells Infosecurity. For example, they can sell gaming accounts, game-related artefacts or bait gamers into launching third-party software completely unrelated to the target game.
However, you can’t sell something that you don’t own, so you need to steal it first, Fedorova adds. “The most common practice today is to hijack accounts related to digital distribution platforms such as Steam, Origin, etc. While the developers take measures to minimize the risk of the accounts being simply brute forced, methods such as social engineering, using password stealing malware or the combination of both remain quite popular for stealing account passwords.”
According to Akamai’s report, hackers targeted gaming industry websites with 12 billion credential stuffing attacks between November 2017 and March 2019. Akamai notes that the total number of credential stuffing attacks it recorded across all industries during that period was 55 billion, so the 12 billion that the gaming industry suffered put it amongst the fastest rising targets for that type of attack.
“Once an account is compromised, it’s likely going to be quickly sold or traded,” Akamai states. “Some of the transactions dealing with the sale or trading of gaming accounts take place in public view, on easily accessible websites or forums, or social services like Discord. Other transactions happen in more exclusive areas, such as private forums or markets on the darknet.”
Once a criminal obtains access to an account, they can extract monetary value a few different ways, and any money made from the attack is pure profit. Of course, if there are any payment methods linked to the accounts for purchasing upgraded items or currency directly through the gaming system (which there very often are), even better.
Fraudsters are not just focusing on account takeover and credential theft to make money though; cyber-criminals have also taken to spreading malware to unsuspecting gamers.
Research from Kaspersky recently discovered that 930,000+ gamers were hit by ransomware between June 2018 and June 2019, with the firm citing the manufacturing and distribution of fake copies of popular video games such as Minecraft, Grand Theft Auto and The Sims as a key strategy used by scammers to spread viruses.
“Cyber-criminals can also distribute a malicious application in the form of a game-related tool, patch, crack or mod,” Fedorova says. “Or some criminals may opt to add or mix in the malicious logic to non-malicious game applications (usually, a game crack or trainer) to arise less suspicion from the user. Game tools and malware are packed in some bundles so when the user launches the package, both applications are started.”
DDoS attacks have impacted the modern gaming industry as well. In fact, a 23-year-old man, Austin Thompson, was recently sentenced to 27 months in prison for launching a series of DDoS attacks against Sony’s PlayStation Network, Electronic Arts and Nintendo in 2013/14, knocking gaming services offline by bombarding them with traffic. It’s believed that his intentions were simply to cause a nuisance over the festive period although, according to the Department of Justice, U.S. Attorney’s Office, Southern District of California, “Thompson’s actions caused at least $95,000 in damages.”
What’s more, Benge explains how the team at ZeroFOX was able to identify nearly 5000 different scam websites targeting users of the hugely popular online battle game Fortnite.
“These scam websites were phishing campaigns in disguise,” she says. “Additionally, as the Android version of the Fortnite mobile app is not available through the Google Play Store, it is a prime target for attackers. Malicious fake apps have been marketed as the legitimate Fortnite application. Users who do not see a Fortnite application for download on the Play Store may search for the app online and download it from a source other than the official Fortnite website. This makes a cyber-criminal’s job a lot easier, since they have a large number of potential victims who are already searching for applications to download.”
What’s abundantly clear is that modern video gaming is not all fun and games, and that players can land themselves in a lot more bother than an end-of-level boss fight with Bowser or a Fortnite battle royale, but what can be done about it?
Upping the Security Game
“If the gaming industry is going to make money reminiscent of the financial services industry, it’s going to need a security maturity model to match,” argues Mercaldi. “Not only diligent efforts in secure code review, but also targeted game mechanics reviews to identify exploits at the design phase and threats to the in-game economy, in addition to regular penetration tests, privacy reviews and insider threat analysis, among other tactics.”
For DeRamus, the gaming sector must adopt automated cloud security solutions that enable them to detect threats such as misconfigurations and policy violations, and use automation to deliver real-time remediation that stops issues before they are exploited. “These guardrails need to be implemented at runtime but also shifted left into the build process so that there is never even the opportunity to exploit an issue.”
Likewise, gaming organizations also need to leverage zero trust security strategies that implement real-time, contextual and continuous security that identifies anomalous internal and external behavior, then prompts further action, such as identity verification, adds Goodman. “For example, if a US PlayStation Network user’s login credentials were to be compromised and an unauthorized user attempted to obtain access from another country and device, that unauthorized individual would be prompted to provide additional verification.”
However, it’s also important to recognize that there is a significant human element to securing the gaming industry, Mercaldi points out. “To make the gaming industry more secure also means to make our modern connected digital world more secure – and that’s everyone’s responsibility.”
There are several steps gamers themselves can take to be more secure, Fedorova says, starting with only using legitimate services with a proven reputation. “Also, make sure to pay extra attention to a website’s authenticity when downloading or playing games online.”
Further to that, DeRamus advises consumers to take the assumption that any gaming service they use will be compromised. “Therefore, always use unique login credentials across all accounts and enable multi-factor authentication (MFA) where it is available. Limit the amount of personal information that you provide to services. Additionally, always use virtual credit cards for purchases online, as doing so means that you never provide your main credit card account number and thus protect this from theft or abuse.” Finally, DeRamus says to use a modern web browser and observe and listen to the security cautions that it provides.
As the gaming industry continues to grow and expand, so too will it increasingly be targeted by cyber-criminals looking to cash in on its profitability and popularity. The challenge is for game publishers to put greater emphasis on better, more sophisticated security within their products and services, and for consumers to be aware of the risks and respond with more secure behaviors and practices around their gaming exploits. If not, the gaming sector might just find itself in a losing battle in which fraudsters end up having all the fun.