Video-game-related crime is almost as old as the industry itself. But while illegal copies and pirated versions of games were the previous dominant form of illicit activities related to games, recent developments and trends in online gaming platforms have created new possibilities for cybercriminals to swindle huge amounts of money from an industry that is worth nearly $100 billion. And what’s worrisome is that publishers are not the only targets; the players themselves are becoming victims of this new form of crime.
Recent trends prove just how attractive the gaming community has become for cybercriminals and how lucrative the game-hacking business is becoming, which underlines the importance for developers, manufacturers and gamers alike to take game security more seriously.
New features breed new hacking possibilities
The recent wave of malware attacks against Steam, the leading digital entertainment distribution platform, is a perfect example of how game-related crime has changed in recent years.
For those who are unfamiliar, Steam is a multi-OS platform owned by gaming company Valve, which acts as an e-store for video games. But what started as a basic delivery and patching network eventually grew into a fully featured gaming marketthat counts more than 125 million members, 12 million concurrent users and thousands of games. Aside from the online purchase of games, the platform offers features for game inventories, trading cards and other valuable goods to be purchased and attached to users’ accounts.
The transformation that has overcome the gaming industry, or more specifically the shift toward the purchase and storage of in-game assets, has created new motives for malicious actors to try to break into user accounts. Aside from sensitive financial information, which all online retail platforms contain, the Steam Engine now provides attackers with many other items that can be turned into money-making opportunities.
This has fueled the development of Steam Stealer, a new breed of malware that is responsible for the hijacking of millions of user accounts. According to official data recently published by Steam, credentials for about 77,000 Steam accounts are stolen every month. Research led by cybersecurity firm Kaspersky Lab has identified more than 1,200 specimens of the malware. Santiago Pontiroli and Bart P, the researchers who authored the report, maintain that Steam Stealer has “turned the threat landscape for the entertainment ecosystem into a devil’s playground.”
The malware is delivered through run-of-the-mill phishing campaigns, infected clones of gaming sites such as RazerComms and TeamSpeak or through fake versions of the Steam extension developed for the Chrome browser.
Once the intruder gains access to victims’ credentials, they not only siphon the financial data related to the account, but also take advantage of the possible assets stored in the account and sell them in Steam Trade for extra cash. Inventory items are being traded at several hundred dollars in some cases. According to the Steam website, “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers.”
Steam Stealer is being made available on malware black markets at prices as low as $3, which means “a staggering number of script-kiddies and technically-challenged individuals resort to this type of threat as their malware of choice to enter the cybercrime scene,” the Kaspersky report states. The malware-as-a-service trend is being observed elsewhere, including in the ransomware business, which, at present, is one of the most popular types of money-making malware being used by cybercriminals.
What makes the attacks successful?
A number of factors have contributed to the success of the attacks against the Steam platform, but paramount among them is the outdated perception toward security in games. Developers and publishers are still focused on hardening their code against reverse engineering and piracy, while the rising threat of data breaches against games and gamers aren’t getting enough attention.
“I think it’s because in the gaming world as well as in the security industry, we haven’t paid much attention to this issue in the past,” says Pontiroli, the researcher from Kaspersky, referring to the malware attacks against games.
Gamers are also to blame for security incidents, Pontiroli believes. “There’s this view from the other side of the table — from gamers — that antivirus apps slow down their machines, or cause them to lose frame rate,” he explains, which leads them to disable antiviruses or uninstall them altogether. “Nowadays you just need to realize that you can lose your account and your information.”
A separate report by video-game security startup Panopticon Labs about cyberattacks against the gaming industry maintains that in comparison to financial services and retail, the video-game industry is new and highly vulnerable to cyberattacks. “Whereas other industries now have cybersecurity rules, regulations and standards to adhere to, online video games are just now recognizing that in-game cyberattacks exist and are harmful to both revenue and reputation,” writes the report.
Matthew Cook, co-founder of Panopticon, believes that publishers are putting up with the unwanted behaviors of bad actors and accept it as a cost of doing business. “So often, the publishers we talk to refer to fighting back against these unwanted players as a game of ‘whack a mole’ that they can never win,” he says.
In contrast, he believes, publishers can fight back and eliminate fraudulent or harmful activities, provided they get a head start in securing their games and are dedicated to keeping bad players out after they’re gone. “Unfortunately, slow, manual processes like combing through suspected bad actor reports, or performing half-hearted quarterly ban activities just won’t cut it anymore,” Cook stresses. “The bad guys have gotten too good, and there’s simply too much financial opportunity for them to be dissuaded by reactive rules and reports.”
What’s being done to deal with the threats?
Efforts are being made to improve security in software, but there’s still a long way to go. For its part, Steam has rolled out Steam Guard functionality to help block account hijacking, and it is also offering two-factor and risk-based authentication through the Steam Guard Mobile Authenticator. The company is also toughening up the market place and has added new restrictions recently that use email confirmation and put a 15-day hold on traded items in order to mitigate the risks of fraud.
However, lack of awareness and focus on gaming experience leads many users to forgo activating these features. “While [the security features] do provide a certain level of safety to their users, not all of them are aware of their existence or know how to properly configure them,” says Pontiroli. “Even with all the solutions in the world you still need to create awareness among the gaming crowd.”
Security vendors are also taking strides to provide security for gamers without disrupting the gaming experience. Most security products now offer a “gaming mode” that allows players to keep their antivirus software active but avoid receiving notifications until the end of their session.
Other firms, such as Panopticon, are working on special in-game security solutions that distinguishes suspicious in-game activities from normal player behavior through anomaly detection and analytics. The model is taking after techniques used by fraud detection tools in banking and financial platforms. This approach also helps deal with other fraudulent activities such as “gold farming,” the process of using botnets to generate in-game assets and later sell them on grey markets, an activity that is raking in billions of dollars of revenue every year.
No one is safe
The attacks against Steam are dwarfed when compared to some of the bigger data breaches that we’ve seen in the last year. Nonetheless, it is a stark indication of the transformation and shift that online gaming security is undergoing. Moreover, Steam isn’t the only platform that has suffered data breaches in the past months and years.
A similar attack — though at a much smaller scale — was observed against Electronic Art’s gaming platform, Origin late last year (the gaming giant never confirmed the attacks, however). Several other gaming consoles and networks have been targeted in recent years, and the plague ofransomware has already found its way into the gaming industry. This shows that every online game and platform can become the target of cyberattacks.
Nowadays, online games contain a wealth of financial and sensitive information about users, along with other valuable assets. And as is their wont, online fraudsters and cybercriminals will be following the money and aim for the weaker targets. So why bother taking the pains of hacking a banking network when there’s easier cash to be made in the gaming industry?
Securing the games requires the collective effort of security vendors and publishers. As Kaspersky’s Pontiroli puts it, “Security should not be something developers think about afterwards but at an early stage of the game development process. We believe that cross-industry cooperation can help to improve this situation.”