Dark Reading is part of the Informa Tech Division of Informa PLC


5/13/2016
10:30 AM
Matthew Cook
Commentary

Why Online Video Gaming Will Be The Next Industry Under Cyber Attack

As more money flows into games, criminals are targeting this new and lucrative market with the tools and techniques they once used to hack online banks and Internet retailers.

Late last year, Steam, one of the world’s largest online video game platforms, admitted that 77,000 of its gamer accounts are hacked every month. This revelation represented the first time that a major video game company acknowledged cyber crime.

In response, Kaspersky Lab researcher Santiago Pontiroli led an investigation into how adversaries were exploiting so many gamers. After three months of research, Pontiroli and his team discovered the existence of a new type of malware developed specifically to hack Steam accounts. Dubbed Steam Stealer, the malware can bypass the Steam client’s built-in multifactor authentication (MFA) protocols, giving adversaries the access necessary to compromise the integrity of a player’s account.

Cyber threats to online video games aren’t entirely new, but they are severely underreported. What’s ironic is that the video game industry is as big as, if not bigger than, any industry in the world. Of the 1.2 billion video game players worldwide, nearly 700 million play online. For the video game industry, providing entertainment for one seventh of the world’s populace equates to revenues of more than $86.8 billion annually. This is nearly double the revenue of the film industry, yet the Sony Pictures hack was covered for months. For financially motivated hackers and fraudsters, there is perhaps no bigger opportunity to profit than the one the video game industry provides.

The Vulnerability of Online Video Games

As more money comes into online games, cyber criminals are shifting their efforts to exploiting games. Why the change in behavior? First, the tools and techniques once used to hack online banks and Internet retailers are now, more than ever, directly applicable to breaking into game worlds. Techniques such as hijacking player accounts and draining real-money value from the game are reminiscent of the methods that once plagued the financial services industry. Second, the video game industry hasn’t yet fully come to terms with the reality that cyber attacks are a systemic problem, leaving thousands of games exposed to front-end, back-end and, most damaging of all, in-game attacks.

In-game attacks occur when a player’s account is hijacked using readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and other hacks. Once inside, cyber criminals can steal player credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the ‘grey market,’ an unauthorized but not necessarily illegal place that is used to sell virtual items and currency for real money.

The ‘grey market’ is perhaps the greatest unintended consequence of video games moving online. The demand for virtual items is so large that people ranging from U.S. college students working for beer money to Chinese children sitting at Internet cafes for 20 hours a day are working to amass virtual items through regular game play and sell them for real money. This practice, known as ‘gold farming,’ is so widespread and lucrative that the World Bank wrote a report estimating that it generated $3 billion a year for people in developing countries.

To keep up with today’s demand for virtual items, gold farmers now automate their operations by running hundreds or thousands of bots to speed up the accumulation process. These actions have flooded games’ online economies, costing publishers as much as 40 percent of in-game revenue per month and causing irreversible reputational damage.

What’s the Fix?

To date, online video game cybersecurity has focused on protecting and monitoring the login and monetary transaction processes. This approach is similar to the one banks took to eliminate online fraud, a method so ineffective that it cost them billions of dollars over time. Online games today also rely on MFA to protect the login process, although this safeguard is easily defeated by widely available keylogging and screen-scrape technology. Device reputation technology, which verifies that an IP address and device are known for a user, is also commonly used by game publishers, but is susceptible to man-in-the-middle hacks.

Additionally, some publishers have built internal solutions in which games are monitored for gold farmers, bots, and spammers. Many have also developed and implemented rules-based systems that define specific patterns of bad activity based on forensics and after-the-fact investigations. But rules-based security is deeply flawed, as most cybersecurity practitioners know.

As it stands now, either gamers will need to put pressure on publishers or a massive, crippling attack will need to occur for the video game industry to ‘get smart’ on cybersecurity. One thing is for certain: cyber criminals will not stop targeting an industry as lucrative as video games, unless someone makes them. 

Matthew Cook is a veteran security and risk professional and a lifelong gamer. He is currently the co-founder of Panopticon Laboratories, the first and only cybersecurity company for video game publishers.
Comments
fredweiser,
User Rank: Apprentice
1/9/2019 | 12:09:22 AM
Re: Beyond gold farming
Nowadays, with the help of advanced technology and popularity, the online video gaming industry has expanded rapidly over these years. There are a variety of video games that were launched last year, which has increased the popularity and growth of this industry. Many online gaming sites like Instant Gaming, FIFA Coin, etc., are also available, which have become extremely popular and give very high quality games.
Panopticon_Matt,
User Rank: Author
5/16/2016 | 10:31:41 AM
Re: Beyond gold farming
Yeah, a big attack, especially if it manages to catch the notice of the mainstream press, would be a terrible thing, both for players as well as publishers. Thanks for calling out the additional vectors you've noticed; we've definitely seen evidence of some of these as well. Appreciate it!
tingfangyen,
User Rank: Author
5/13/2016 | 3:55:00 PM
Beyond gold farming
Let's hope the answer isn't a "massive crippling attack" and we can get some attention before then! I agree that video games (and mobile games) are definitely a new and fruitful frontier for fraudsters. A few additional attack techniques we've observed at DataVisor in addition to the ones you list above are: renting out proxy servers to bypass reputation-based detection systems and simulate presences in different locations, virtual currency arbitrage, and criminals acting as in-app purchase brokers. The list keeps growing and I agree we need to shout "rules-based security is deeply flawed" from the rooftops. If game publishers don't start paying attention now, they will pay deeply from their own pockets.