Vulnerabilities / Threats

10:30 AM
Matthew Cook
Matthew Cook
Connect Directly
E-Mail vvv

Why Online Video Gaming Will Be The Next Industry Under Cyber Attack

As more money flows into games, criminals are targeting this new and lucrative market with the tools and techniques they once used to hack online banks and Internet retailers.

Late last year, Steam, one of the world’s largest online video game platforms, admitted that 77,000 of its gamer accounts are hacked every month. This revelation represented the first time that a major video game company acknowledged cyber crime.

In response, Kaspersky Lab researcher Santiago Pontiroli led an investigation into how adversaries were exploiting so many gamers. After three months of research, Pontiroli and his team discovered the existence of a new type of malware developed specifically to hack Steam accounts. Dubbed Steam Stealer, the malware can bypass the Steam client’s built-in multifactor authentication (MFA) protocols, thus enabling adversaries with the access necessary to compromise the integrity of a player’s account.

Cyber threats to online video games aren’t entirely new, but they are severely underreported. What’s ironic is that the video game industry is as big, if not bigger, than any industry in the world. Of the 1.2 billion video game players worldwide, nearly 700 million of them play online. For the video game industry, providing entertainment for one seventh of the world’s populace equates to revenues of more than $86.8 billion annually. This is nearly double the amount of the film industry, yet the Sony Pictures hack was covered for months. For financially motivated hackers, and fraudsters, there is perhaps no bigger opportunity to profit than the video game industry provides.

The Vulnerability of Online Video Games

As more money comes into online games, cyber criminals are shifting their efforts to exploiting games. Why the change in behavior? For one reason, the tools and techniques once used to hack online banks and Internet retailers are now, more than ever, directly applicable to breaking into game worlds. Techniques such as hijacking player accounts and draining real-money value from the game are reminiscent of the methods that once plagued the financial services industry. Second, the video game industry hasn’t yet fully come to terms with the reality that cyber attacks are a systemic problem, leaving thousands of games exposed to front-end, backend and the most damaging, in-game attacks.

In-video game attacks occur when a player’s account is hijacked using readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and other hacks. Once inside, cyber criminals can steal player credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the ‘grey market,’ an unauthorized, but not necessarily illegal place that is used to sell virtual items and currency for real money. 

 The ‘grey market’ is perhaps the greatest unintended consequence of video games moving online. The demand for virtual items is so large that people ranging from U.S. college students working for beer money to Chinese children sitting at Internet cafes for 20 hours a day, are working to amass virtual items through regular game play and sell them for real money. This practice, known as ‘gold farming,’ is so widespread and lucrative that the World Bank wrote a report estimating that it generated $3 billion a year for people in developing countries.

To keep up with today’s demand for virtual items, gold farmers now automate their operations by running hundreds or thousands of bots to speed up the accumulation process. These actions have flooded games’ online economies, losing publishers as much as 40 percent of in-game revenue per month and irreversible reputational damage.

What’s the Fix?

To date, online video game cybersecurity is focused on protecting and monitoring the login and monetary transaction processes. This approach is similar to those taken by banks to eliminate online fraud, a method so ineffective that it cost them billions of dollars over time. Online games today also rely on MFA to protect the login process, although this safeguard is easily defeated by widely available keylogging and screen-scrape technology. Device reputation technology, which verifies that an IP address and device are known for a user, is also commonly used by game publishers, but is susceptible to man-in-the-middle hacks.

Additionally, some publishers have built internal solutions in which games are monitored for gold farmers, bots, and spammers. Many have also developed and implemented rules-based systems that define specific patterns of bad activity based on forensics and after-the-fact investigations. But rules-based security is deeply flawed, as most cybersecurity practitioners know.

As it stands now, either gamers will need to put pressure on publishers or a massive, crippling attack will need to occur for the video game industry to ‘get smart’ on cybersecurity. One thing is for certain: cyber criminals will not stop targeting an industry as lucrative as video games, unless someone makes them. 

Related Content:

Matthew Cook is a veteran security and risk professional and a lifelong gamer. He is currently the co-founder of Panopticon Laboratories, the first and only cybersecurity company for video game publishers. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
5/16/2016 | 10:31:41 AM
Re: Beyond gold farming
Yeah, a big attack, exspecially if it manages to catch the notce of the mainstream press, would be a terrible thing, both for players as well as publishers. Thanks for calling out the additional vectors you've noticed; we've definiely seen evidence of some of these as well. Appreciate it!
User Rank: Author
5/13/2016 | 3:55:00 PM
Beyond gold farming
Let's hope the answer isn't a "massive crippling attack" and we can get some attention before then! I agree that video games (and mobile games) are definitely a new and fruitful frontier for fraudsters. A few additional attack techniques we've observed at DataVisor in addition to the ones you list above are: renting out proxy servers to bypass reputation-based detection systems and simulate presences in different locations, virtual currency arbitrage, and criminals acting as in-app purchase brokers. The list keeps growing and I agree we need to shout "rules-based security is deeply flawed" from the rooftops. If game publishers don't start paying attention now, they will pay deeply from their own pockets.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-07-20
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive ...
PUBLISHED: 2018-07-20
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a spe...
PUBLISHED: 2018-07-20
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
PUBLISHED: 2018-07-20
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
PUBLISHED: 2018-07-20
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.