"I'll take Legend of Zelda over first-person shooters," says Jonathan Singer, a self-proclaimed fan of single-player experiences and senior manager, global games industry at Akamai.
Singer says he would never buy cheat codes to help Link (Legend of Zelda's legendary hero) move past tough challenges. Yet, in the gaming industry, cheating and other cybercrimes are widespread and costly – to companies and players alike – and difficult to defend against.
"Gaming is one of the largest completely unregulated financial markets," Singer says. "That's because there are so many games out there, and there are multiple ways game accounts have value."
According to recent reporting from Forbes, some working in the "Fortnite underground" are making anywhere from $5,000 to $25,000 per week, with some earning over $1 million each year.
Nevertheless, says Singer, game-related crimes are difficult to trace and prosecute.
"If your bank account gets hacked, you call the bank [and] they work with local authorities. ... Call the police and tell them your Fortnite account has been hacked, you're gonna get laughed off the phone," he says. "But if you put a lot of money into that account, it's not a laughing matter."
Types of Attacks
According to Grand View Research, the global video game market was valued at $151.06 billion in 2019. It is expected to grow at a compound annual growth rate of 12.9% between 2020 and 2027, with tech innovations and easy access to Internet games as the driving factors for growth.
The underground market is also active. In a recent blog, Singer broke down the world of cybercrime in games.
"The first thing to understand about the criminals who attack the games industry is that they participate in a working, fluid, day-to-day economy that they manage completely themselves," he wrote. "Cybercriminals have built informal structures that mirror the efficiencies of standard enterprise operations. They have developers, QA folks, middle managers, project managers, salespeople, and even marketing and PR people who hype vendors and products."
Austin Francisco, security analyst at Key Cyber Solutions (KCS) – who has "been gaming since the '90s" – says hackers advertise stolen goods and cheats as "a product and not like a hack," offering player values such as the ability to "have 100% accuracy aim" or "see people through walls," for example.
Singer doesn't understand the appeal, but "there are enough people who enjoy it that there's a thriving industry," he says.
One popular attack is the account takeover (ATO), which is used to steal other players' goods. It's a large market due to the sheer amount of value tied to a player account: from in-game currencies to achievements unlocked to player status and "skins" (virtual items, weapons, and outfits players buy for their in-game avatars). The account of someone who has put 3,000 hours into a game, for example, is valuable to a new player who doesn't want to spend the time to get to that level, Singer says. Account takeovers are also useful, of course, for stealing personally identifiable information (PII).
Attacks go beyond ATOs – and beyond the realm of the game.
"DDoS attacks are often used in a boastful manner, as a demonstration of power and control over others by halting or manipulating game play," says Sam Small, chief security officer at ZeroFOX. "The intent of disruption can vary but is often meant to gain attention, influence, or credibility for other illicit endeavors."
Last year, researchers at cloud security firm Cyren discovered a Fortnite gaming hack, billed as a way to improve players' aim, that was really ransomware in disguise. Known as "Syrk," the ransomware was triggered when players downloaded and ran the "aimbot," setting off a series of events that allowed it to encrypt players' PC files, including images, videos, documents, music, and archives, and demand payment before deleting all data.
In another attack on multiplayer games including Fortnite, users were duped into downloading malware called Baldr, which was circulated through links to cheating software promoted on YouTube and on Discord and Telegram message boards, where gamers communicate.
According to a blog from SophosLabs, which discovered the attack, "When it came to stealing data, Baldr was a fast and thorough hit-and-run artist," able to amass hoards of data within 30 seconds, including the user's location, saved credentials and browsing history, cached information like saved credit cards, FTP logins, configuration files for VPN services, Bitcoin wallets, and more.
An Overlooked Target
"Just like any other successful hack, they're really just exploiting the trust of humans: 'Hey, I have something for you that'll help you, just give me your credit card info,'" KCS's Francisco says. Plus, a lot of these scams are targeted at kids who simply don't know as much about online threats, he adds.
Akamai's Singer concurs. "Gamers as a group are active in social communities, have disposable income, and spend it on gaming accounts and experiences, so they're just a target for a number of really good reasons," he said. "It's easy to figure out who they are, whether they're spending money, and just find a way to extract that money."
While all games are targets, Francisco notes that hacks are more common on PC games than console-based games that use proprietary technology.
Hank Schless, senior manager, security solutions at Lookout, a mobile phishing solutions provider, says mobile games – which top the charts in popularity – are even more vulnerable than console- and PC-based games.
"The lightweight nature of mobile games means that security could be overlooked in the development process," Schless says, adding they are a successful route for account takeover, achieved through mobile phishing via direct message.
How Game Companies Are Handling Security
To deal with the ongoing threats to their platforms, Akamai's Singer urges companies to use multilayered security.
"One layer isn't going to cut it," he says. "You need to look at different entry points and make sure you're securing against all of them."
Small says gaming companies should "perform brand monitoring to look for phishing pages and scams that target young, impressionable gamers" and that they should also have a "robust trust and safety team to champion account recovery processes, anti-fraud operations, and law enforcement coordination."
Still, gaming companies have their work cut out for them.
"I do believe when it comes down to it, they're doing all they can," KCS's Francisco says. "When game releases have millions of people trying to find a single hole or exploit that one little bug, it's almost impossible to cover every single base like that."
ZeroFOX's Small advises players to be wary of in-game purchases:
"Whenever a popular game offers in-game purchases [e.g., virtual items or skins], we now expect to see scam and fraud-related activity," he says. "When in-game trading is allowed, the problem is exacerbated. If users are tricked into divulging their login or account information, for instance, attackers are likely to steal in-game items or the users' accounts altogether."