Gaming is booming. It’s catnip for cybercriminals…
Millions of people escaped the drudgery of the early years of the COVID-19 pandemic by turning to video games, where they could cast spells, slay zombies and compete as their favorite athletes.
These virtual worlds also attracted another kind of enthusiast – the kind who sought to steal people’s personal information and real-world dollars.
In recent months, cybersecurity firms have warned that cybercrime in games has increased significantly since the start of the pandemic, and that the vulnerabilities – for game studios as well as players – are far from being overcome.
“When you add more users or devices or applications to a user group, you create a larger attack surface,” said Tony Lauro, director of security technology and strategy at Akamai Technologies, a content delivery company that hosts large portions of the Internet. “Generally, that’s what’s driving this huge increase over time.”
An Akamai report published in August said that web application attacks, which exploit vulnerabilities in online applications such as mobile games, increased by 167 percent from May 2021 to April 2022 compared to the same period the previous year. And a report last month by Russian cybersecurity company Kaspersky Lab found a 13 percent increase in malicious software attacks on games in the first half of 2022 compared to the first half of 2021.
The range of attacks and goals in the game is huge. Game companies can lose large amounts of data and their games can be taken offline temporarily. Individual players may lose game progress, money and sensitive personal information.
Jessica Geoffroy, 29, was in some ways lucky that guilt was the main punishment she faced after she was hacked in December.
She realized something was wrong after receiving a flurry of phone alerts from friends asking why she was still messaging on Steam, a popular gaming platform, after she had gone to bed.
When Geoffroy found she couldn’t log into her Steam account, she knew she had been hacked.
“My heart was racing,” she said. “I thought, ‘Oh, my God, what if they get my bank account information? What if they hack my friends and get their bank account information?’ – I don’t know how far this will go.
Fortunately, Geoffroy was able to reset her password that night. Nothing appeared to have been stolen, she said, but she felt “terrible” that the hacker had sent messages to her friends with the same compromised link she unwittingly clicked on – which another friend had originally sent her. That friend’s account disappeared after the link was sent, and she has not been able to get in touch with him.
“A lot of people I know don’t think this is going to happen to them,” she said. “They don’t realize that it can happen and it will happen.”
When you add more users or devices or applications to a user group, you create a larger attack surface
Justin Cappos, a professor of computer science and engineering at New York University, said that one thing that makes the gaming industry vulnerable is that developers are not hired to create secure software. They are hired to deliver games quickly and often.
“If you’re writing code that’s meant for security, you’ll often spend a lot of time checking certain aspects of what’s going on in the program to make sure everything’s OK,” Cappos said. “You probably won’t have the same way of working through things if your main goal, the most important thing you care about, is to be fast.”
According to the Akamai report, gaming is the industry most affected by distributed denial of service, or DDoS, attacks, where an attacker uses an automated technique to overwhelm servers with requests, severely reducing service or taking it completely offline. These attacks can eat away at a company’s bottom line as it strives to restore access and address customer complaints.
Akamai warned that as the gaming industry expands, it will attract more cybercrime.
“Financial crime is happening to younger and younger players all the time because they’re in the gaming ecosystem now,” Lauro said.
Not all attacks involve exploiting source code or crafting compromised links. Some are just plain scams. Lauro said he once paid for a prize for his son on Roblox, an online gaming platform, and the prize never showed up. But the transaction was so small — less than a dollar — that his son wasn’t really bothered by it, and Lauro knew the police wouldn’t be either.
“Little transactions of 60 cents here, there – who’s going to investigate that?” he said.
For the person running such a scam, thousands or more of these payments, or microtransactions, can yield a high reward. Lauro and other cybersecurity firms have said that scammers often target small in-game purchases, which have become more popular in recent years, although there have been no large studies of how common these scams are.
Kaspersky warns that cheats are also a major threat to gamers: Criminals can use fake cheats to disable a target’s computer and steal information. In Kaspersky’s analysis of threats against 28 popular games, the company found thousands of files of this type, affecting more than 13,600 people from July 1, 2021 to June 30, 2022.
Kaspersky itself has come under scrutiny, underscoring the sinister complexity of cyber security. In March, the US Federal Communications Commission added the Moscow-based company to a list of communications services it considers national security threats. Kaspersky said the decision was made “on political grounds”. In any case, the company’s gaming research is consistent with other reports on the industry.
Game studios have also struggled to fend off attempts to steal users’ data, take their games offline or leak game code. In these attacks, hackers may use the stolen information as ransom or try to auction it for huge sums of money.
In June 2021, a hacker stole game code from Electronic Arts, the producer of the FIFA and Sims series. The stolen information was put up for auction with a starting bid of $500,000, according to a cyber security expert who spoke to the New York Times.
Rockstar Games, another prominent video game maker, revealed last month that “an unauthorized third party illegally accessed and downloaded confidential information” from its systems, including unfinished footage from the next game in the Grand Theft Auto franchise.
In July, Bandai Namco, which publishes popular titles such as Tekken and Elden Ring, said it had been hacked. After an investigation, the company said this month that it could not rule out “the possibility of external leakage of information”.
Mayra Rosario Fuentes, a senior threat researcher at Trend Micro, a cybersecurity company, said in an email that the big game companies are prime targets because they make billions of dollars and have huge numbers of customers.
“Cybercriminals know that they don’t want customers to be upset if their game goes offline, which then gets out in the media and can hurt revenue,” Fuentes wrote.
Fuentes said gaming companies needed to patch vulnerabilities in their code, improve employee training about hacks and check for online leaks of employee credentials.
She and the other cybersecurity experts interviewed for this article said that despite the rise in threats, gamers can take steps to protect themselves: Use two-factor authentication, don’t reuse passwords and keep software up to date.
Read more Gaming