As more and more money goes into games, criminals are targeting this new and lucrative market with the tools and techniques they once used to hack online banks and Internet retailers.
Steam, one of the world’s largest online video game platforms, admitted that 77,000 of its player accounts are hacked each month. This revelation was the first time a major video game company admitted to cybercrime.
In response, Kaspersky Lab researcher Santiago Pontiroli led an investigation into how opponents were exploiting so many players. After a three-month investigation, Pontiroli and his team discovered the existence of a new type of malware designed specifically to hack into Steam accounts. Known as Steam Stealer, this malware can bypass the Steam client’s built-in multi-factor authentication (MFA) protocols, allowing opponents to gain the access necessary to compromise the integrity of a player’s account.
Cyber threats to online video games are not entirely new, but they are severely under-represented. Ironically, the video game industry is as large, if not larger, than any other industry in the world. Of the 1.2 billion video gamers in the world, nearly 700 million play online. For the video game industry, providing entertainment to one-seventh of the world’s population represents more than $86.8 billion in annual revenue. That’s almost twice as much as the film industry, yet Sony Pictures has been covering the hack for months. For financially motivated hackers and scammers, there may be no greater profit opportunity than the video game industry.
The vulnerability of online video games
As more money goes into online games, cyber criminals are shifting their efforts to the exploitation of games. Why the behavioral change? For one reason: The tools and techniques once used to hack online banks and internet merchants are now more than ever directly applicable to intrusion into game worlds. Their techniques are similar to the ones used for hijacking in the financial services industry: they hijack player accounts and seize the real money value out of the game. Secondly, the video game industry has not yet fully come to terms with the reality that cyber attacks are a systemic problem, leaving thousands of games exposed to front-end, back-end and the most damaging in-game attacks.
Attacks on video games occur when a player’s account is hijacked with easily accessible malware that enables man-in-the-middle attacks, keylogging, remote access and other hacks. Once inside, cybercriminals can steal a player’s credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the “grey market”, an unauthorized but not necessarily illegal place used to sell virtual items and currency for real money.
The “grey market” is perhaps the greatest unintended consequence of the online movement of video games. The demand for virtual items is so great that people – from US college students working for beer money to Chinese children sitting in Internet cafes 20 hours a day – are working to accumulate virtual items through regular play and sell them for real money. This practice, known as “gold farming”, is so widespread and lucrative that the World Bank has produced a report in which it estimates that it generates $3 billion a year for people in developing countries.
To keep up with today’s demand for virtual items, gold farmers today automate their operations by running hundreds or thousands of bots to speed up the accumulation process. These operations have flooded the online economy of games, earning publishers up to 40 percent of in-game revenue and irreversible damage to their reputation each month.
What is the solution?
To date, the cyber security and cloud saving of online video games has focused on protecting and monitoring the registration and financial transaction processes. This approach is similar to the approach banks are taking to stop online fraud, a method so ineffective it costs them billions of dollars over time. Online games today also rely on MFA to protect the sign-up process, although this protection can easily be overcome by the widespread use of keylogging and screen-scrape technology. Device Reputation technology, which checks whether an IP address and device are known to a user, is also widely used by game publishers, but is vulnerable to man-in-the-middle hacks.
In its current form, either players must put pressure on publishers or a massive, crippling attack must be launched to make the video game industry “smart” about cyber security. One thing is certain: cybercriminals will not stop targeting an industry as lucrative as video games unless someone makes them.