Vulnerabilities / Threats

10:30 AM
Matthew Cook
Matthew Cook
Connect Directly
E-Mail vvv

Why Online Video Gaming Will Be The Next Industry Under Cyber Attack

As more money flows into games, criminals are targeting this new and lucrative market with the tools and techniques they once used to hack online banks and Internet retailers.

Late last year, Steam, one of the world’s largest online video game platforms, admitted that 77,000 of its gamer accounts are hacked every month. This revelation represented the first time that a major video game company acknowledged cyber crime.

In response, Kaspersky Lab researcher Santiago Pontiroli led an investigation into how adversaries were exploiting so many gamers. After three months of research, Pontiroli and his team discovered the existence of a new type of malware developed specifically to hack Steam accounts. Dubbed Steam Stealer, the malware can bypass the Steam client’s built-in multifactor authentication (MFA) protocols, thus enabling adversaries with the access necessary to compromise the integrity of a player’s account.

Cyber threats to online video games aren’t entirely new, but they are severely underreported. What’s ironic is that the video game industry is as big, if not bigger, than any industry in the world. Of the 1.2 billion video game players worldwide, nearly 700 million of them play online. For the video game industry, providing entertainment for one seventh of the world’s populace equates to revenues of more than $86.8 billion annually. This is nearly double the amount of the film industry, yet the Sony Pictures hack was covered for months. For financially motivated hackers, and fraudsters, there is perhaps no bigger opportunity to profit than the video game industry provides.

The Vulnerability of Online Video Games

As more money comes into online games, cyber criminals are shifting their efforts to exploiting games. Why the change in behavior? For one reason, the tools and techniques once used to hack online banks and Internet retailers are now, more than ever, directly applicable to breaking into game worlds. Techniques such as hijacking player accounts and draining real-money value from the game are reminiscent of the methods that once plagued the financial services industry. Second, the video game industry hasn’t yet fully come to terms with the reality that cyber attacks are a systemic problem, leaving thousands of games exposed to front-end, backend and the most damaging, in-game attacks.

In-video game attacks occur when a player’s account is hijacked using readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and other hacks. Once inside, cyber criminals can steal player credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the ‘grey market,’ an unauthorized, but not necessarily illegal place that is used to sell virtual items and currency for real money. 

 The ‘grey market’ is perhaps the greatest unintended consequence of video games moving online. The demand for virtual items is so large that people ranging from U.S. college students working for beer money to Chinese children sitting at Internet cafes for 20 hours a day, are working to amass virtual items through regular game play and sell them for real money. This practice, known as ‘gold farming,’ is so widespread and lucrative that the World Bank wrote a report estimating that it generated $3 billion a year for people in developing countries.

To keep up with today’s demand for virtual items, gold farmers now automate their operations by running hundreds or thousands of bots to speed up the accumulation process. These actions have flooded games’ online economies, losing publishers as much as 40 percent of in-game revenue per month and irreversible reputational damage.

What’s the Fix?

To date, online video game cybersecurity is focused on protecting and monitoring the login and monetary transaction processes. This approach is similar to those taken by banks to eliminate online fraud, a method so ineffective that it cost them billions of dollars over time. Online games today also rely on MFA to protect the login process, although this safeguard is easily defeated by widely available keylogging and screen-scrape technology. Device reputation technology, which verifies that an IP address and device are known for a user, is also commonly used by game publishers, but is susceptible to man-in-the-middle hacks.

Additionally, some publishers have built internal solutions in which games are monitored for gold farmers, bots, and spammers. Many have also developed and implemented rules-based systems that define specific patterns of bad activity based on forensics and after-the-fact investigations. But rules-based security is deeply flawed, as most cybersecurity practitioners know.

As it stands now, either gamers will need to put pressure on publishers or a massive, crippling attack will need to occur for the video game industry to ‘get smart’ on cybersecurity. One thing is for certain: cyber criminals will not stop targeting an industry as lucrative as video games, unless someone makes them. 

Related Content:

Matthew Cook is a veteran security and risk professional and a lifelong gamer. He is currently the co-founder of Panopticon Laboratories, the first and only cybersecurity company for video game publishers. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
5/16/2016 | 10:31:41 AM
Re: Beyond gold farming
Yeah, a big attack, exspecially if it manages to catch the notce of the mainstream press, would be a terrible thing, both for players as well as publishers. Thanks for calling out the additional vectors you've noticed; we've definiely seen evidence of some of these as well. Appreciate it!
User Rank: Author
5/13/2016 | 3:55:00 PM
Beyond gold farming
Let's hope the answer isn't a "massive crippling attack" and we can get some attention before then! I agree that video games (and mobile games) are definitely a new and fruitful frontier for fraudsters. A few additional attack techniques we've observed at DataVisor in addition to the ones you list above are: renting out proxy servers to bypass reputation-based detection systems and simulate presences in different locations, virtual currency arbitrage, and criminals acting as in-app purchase brokers. The list keeps growing and I agree we need to shout "rules-based security is deeply flawed" from the rooftops. If game publishers don't start paying attention now, they will pay deeply from their own pockets.
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/20/2018
City of Atlanta Hit with Ransomware Attack
Dark Reading Staff 3/23/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.