SoS Musings #59 -
Cyber Threats Facing the Video Game Industry
During the COVID-19 pandemic, online gaming skyrocketed globally, becoming an increasingly popular way to pass the time and connect with others through a virtual medium. Although this surge in gaming activity has benefited the gaming industry, it has also led to an increase in cyberattacks. NortonLifeLock's "2021 Norton Cyber Safety Insights Report: Special Release - Gaming & Cybercrime," conducted by The Harris Poll, reports the results of a survey of more than 5,300 adults over the age of 18 across 8 countries, including 702 US adults who play online games. Almost half of American gamers (47%) have faced a cyberattack on their gaming account or device. Of those American gamers, 76% reported having been financially affected as a result of the cyberattack on their gaming account or device, losing an average of $744 per person. In addition, many US gamers admitted to risky online gaming habits such as reusing the same password across multiple gaming accounts and devices, sharing personal information while playing a game online, or downloading add-ons from a website not associated with the official game distributor. Among American gamers who had experienced a cyberattack on their gaming device or account, one in five had their personal information stolen and publicly shared online. Video gaming has thus presented hackers with additional opportunities to carry out malicious activities such as stealing sensitive information and distributing malware.
Game players are subjected to a steady bombardment of cybercriminal activity. Akamai Technologies, Inc., a global content delivery network, cybersecurity, and cloud service company, released a report on cyberattacks targeting video game players and companies, most of which are credential stuffing and phishing attacks. The company observed over 100 billion credential stuffing attacks between July 2018 and June 2020, about 10 billion of which targeted the gaming sector. Credential stuffing attacks replay lists of username and password combinations, typically available for purchase through criminal websites and services, against games and gaming services; every successful login is the compromise of a gamer's account. Phishing is the other most common tactic used to trick unsuspecting gamers into divulging sensitive information: researchers have found attacker-created, legitimate-looking websites related to a video game or gaming platform, designed to fool players into revealing their login credentials. More than 150 million of the 10.6 billion web application attacks observed by Akamai across its customers were directed at the gaming industry. Most of these web application attacks were SQL Injection (SQLi) attacks aimed at obtaining user login credentials, personal data, and other information held in a targeted server's database. The other notable attack vector was Local File Inclusion (LFI), which allows an attacker to include files on a server via the web browser. An LFI vulnerability stems from a web application including a file named by user input without properly sanitizing that input, allowing an attacker to inject path traversal characters and include other files from the web server. Through LFI, attackers can expose player and game details that can later be used for further exploitation and cheating.
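To make the LFI pattern above concrete, here is an added example (not code from Akamai's report or any real game site): a "page include" endpoint that concatenates user input into a file path, beside a hardened version that normalises the path and refuses anything resolving outside the template directory. The template root, page names and endpoint shape are assumed; no file is actually opened.

```python
import posixpath

# Constructed example of a templated "page include" endpoint, the classic
# shape of a Local File Inclusion (LFI) bug. Root directory and page names
# are assumed; nothing is opened, the path that would be opened is returned.
TEMPLATE_ROOT = "/srv/game/templates"


def include_vulnerable(page):
    """Concatenates user input straight into a path: '../' sequences walk out
    of TEMPLATE_ROOT, which is the traversal the text describes."""
    return TEMPLATE_ROOT + "/" + page + ".html"


def include_hardened(page):
    """Returns a path guaranteed to lie under TEMPLATE_ROOT, or None."""
    # NUL bytes have historically been used to truncate the appended suffix.
    if "\x00" in page:
        return None
    # Normalise away '.', '..' and duplicate slashes, then confirm the result
    # still has TEMPLATE_ROOT as a prefix component by component (a plain
    # string prefix check would accept /srv/game/templates_evil/...).
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, page + ".html"))
    if posixpath.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        return None
    return candidate
```

An allowlist of known page names is stronger still; the containment check remains useful as defence in depth behind it.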
According to Akamai, cybercriminals often launch SQLi and LFI attacks against mobile and web-based games because of the access to usernames, passwords, and account information that comes with successful exploits. It is essential for the gaming industry to take such findings into consideration when implementing and maintaining gaming accounts, devices, or platforms to enhance security.
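The credential stuffing activity Akamai describes has a signature that ordinary login failures do not: one source attempting many different accounts in a short window. The following is an added example (not from Akamai or the page) of that detection rule run over constructed log lines in an assumed format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system; format assumed).
# 203.0.113.7 tries six different accounts in five seconds; 198.51.100.9 is one
# user fumbling their own password, which must not be flagged by this rule.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z login result=fail user=alice src=203.0.113.7
2022-03-01T10:00:02Z login result=fail user=bob src=203.0.113.7
2022-03-01T10:00:02Z login result=fail user=carol src=203.0.113.7
2022-03-01T10:00:03Z login result=ok user=dave src=203.0.113.7
2022-03-01T10:00:04Z login result=fail user=erin src=203.0.113.7
2022-03-01T10:00:05Z login result=fail user=frank src=203.0.113.7
2022-03-01T10:00:10Z login result=fail user=alice src=198.51.100.9
2022-03-01T10:00:20Z login result=fail user=alice src=198.51.100.9
2022-03-01T10:00:40Z login result=ok user=alice src=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) login result=(?P<result>ok|fail) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Returns (timestamp, result, user, src) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Flags sources that attempted >= min_users distinct accounts inside window.
    Successes count too: a stuffing hit is still part of the campaign. Repeated
    failures on ONE account (brute force or a forgetful user) do not match."""
    by_src = defaultdict(list)
    for ts, _result, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # sliding window over this source's attempts in time order
        for i, (start, _user) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged
```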
Gamers and the platforms that serve them have faced significant attacks, incidents, and vulnerabilities. A popular developer for several mods for the "Cities: Skylines" city-building game was banned after hiding an automatic updater in their mods to deliver malware to those who downloaded them, potentially impacting over 35,000 players. The modder, named Chaos, released a redesigned version of a core framework project, called Harmony, that most "Cities: Skylines" mods rely on to function. Chaos then redesigned other popular mods, listing his Harmony redo as a core download to require players to download it in order to get the mods to work properly. However, Chaos' version of the Harmony framework was found to contain an updater that enabled the modder to infect the devices of those who downloaded it with malware. The malicious developer also poisoned other mods with malware to bog down gameplay to force players into downloading additional tainted mods that he had presented as solutions. The modder's accounts were suspended, and some of his mods have been removed from the Steam Workshop, which is a part of the gaming client Steam and a community-driven platform where gamers and content creators upload and download content for games. John Bambenek, a principal threat hunter at the digital IT and security operations company Netenrich, pointed out that the distribution of malware via games, game mods, or pirated/cracked games has become a fairly common tactic among American and European malicious actors. The latest installment of the popular Dark Souls gaming franchise, Elden Ring, which had sold more than 12 million units worldwide by March 16, was discovered by Malwarebytes Labs to contain a Remote Code Execution (RCE) vulnerability that can be exploited by bad actors to render the game unplayable for players on PCs. Attackers were able to use the now patched flaw to infiltrate PC players' games and throw their avatars into a continuous loop of "dying." 
One player tweeted about the bug in Elden Ring, saying that an exploit was being circulated among hackers to corrupt PC players' save files. Players speculated that the hackers were able to edit save files while in game or adjust parameters associated with the victim's save points. This is not the first time the developer of the Dark Souls series has faced security issues. Malwarebytes Labs researcher Christopher Boyd noted that the developer was confronted with a similar RCE exploit in Dark Souls 3 during the lead-up to the Elden Ring release in January, which forced online play for PC players to be shut down. Through exploitation of this vulnerability, attackers could install malware on a victim's computer to access confidential information or abuse resources for cryptocurrency mining. The flaw also impacted earlier games in the Dark Souls series, forcing the developer to temporarily turn off Player-versus-Player (PvP) servers across Dark Souls Remastered, Dark Souls II, and Dark Souls III. These incidents further underline the importance of stricter vetting and vulnerability analysis for video games and the platforms that support them.
The attitudes and behaviors prompted by the competitive nature of gaming have also contributed to the likelihood of gaming-related cyberattacks. According to findings shared in NortonLifeLock's report on gamer-to-gamer risks, nearly one in four (24%) US gamers are likely to hack into a gaming account belonging to a friend, family member, or romantic partner if they knew it would give them more of a competitive advantage in an online game. This attitude was more pronounced among US gamers who dedicate a large portion of their time to gaming, 42% of whom agreed, further highlighting serious gamers' strong desire to win. Still, the competitive drive was found to extend across all types of gamers in the US, from casual to hardcore. About one in four American gamers are likely to exploit a loophole or bug in a game, pay to take over another user's gaming account, install cheats on their own gaming accounts or devices, or hack into a random person's gaming account. Darren Shou, Head of Technology at NortonLifeLock, described cheats and exploits as highly alluring to competitive gamers and therefore attractive lures for cyberattackers. Threat actors often try to trick gamers into clicking phishing links or downloading malware by advertising limited edition game items or secret cheats that promise an in-game advantage. For example, Korean security researchers at ASEC discovered a malware distribution campaign aimed at infecting the Valorant online gaming community with RedLine Stealer malware, using YouTube videos about cheats as lures. The malicious actors behind the campaign attempt to trick Valorant players into downloading and running RedLine Stealer through a link to an auto-aiming bot in a YouTube video's description. The advertised cheat is reportedly an add-on that allows players to quickly and precisely aim at targets in the game.
Those who download the file linked in the video's description are sent to an anonfiles page where they are provided with a RAR package containing the executable "Cheat installer.exe," which is actually a copy of RedLine Stealer, one of the most prevalent malware strains, capable of stealing information such as the list of processes on a victim's computer, credit card numbers, passwords, AutoFill forms, browser cookies, cryptocurrency wallets, and more. Abuse of YouTube has increased among threat actors because it is easy to pass the video sharing platform's content submission checks and to create new accounts after being reported and banned. Another malware campaign, discovered by researchers from Cisco Talos, targets video game players and modders using malvertising and YouTube videos on game modding as lures for deploying a cryptor. The cryptor hinders reverse engineering and analysis of various malware strains, most of which have been found to be Remote Access Trojans (RATs).
There are steps that gamers should take to proactively safeguard their gaming accounts and devices from threats. The cybersecurity provider and content delivery network Akamai recommends that users never share or recycle passwords across devices and accounts, as attackers often find success using credentials stolen in old data breaches. Research efforts have been made to inform and strengthen password creation, usability, and security that could be useful to the gaming industry. The passwords research group in Carnegie Mellon's CyLab Security and Privacy Institute developed a science-backed policy for password creation that balances security and usability. The policy allows users to create memorable and increasingly secure passwords by doing away with rules pertaining to uppercase and lowercase letters, numbers, and symbols. A user's password would instead be required to be at least 12 characters long and to pass a real-time strength test developed by the CyLab researchers. The CyLab researchers' password-strength meter is driven by an artificial neural network small enough to be encoded into a web browser, and provides a strength score along with suggestions to users in real time. Gamers are encouraged to enable Multi-Factor Authentication (MFA) on sites where it is an option. It is also essential that gamers download and access gaming resources only from official gaming apps and services. Gamers should adhere to standard phishing advice by avoiding suspicious links, such as those that claim to download game resources or cheats that could give them a competitive advantage in an online game.
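As an added example that is not the CyLab meter itself, the policy described above (no character-class rules, a 12-character minimum, and a minimum strength score) is contrasted with a legacy composition policy. The strength estimator here is an assumed, crude heuristic standing in for the neural-network meter, and the blocklist and thresholds are constructed.

```python
import math
import re

# Constructed stand-ins: a tiny blocklist in place of a breached-password list,
# and a crude entropy heuristic in place of the CyLab neural-network meter.
# The 40-bit threshold is an assumed number, not the CyLab setting.
COMMON_PASSWORDS = {"password", "password1234", "123456789012", "qwertyuiop12"}
MIN_LENGTH = 12
MIN_STRENGTH_BITS = 40


def composition_policy(pw):
    """Legacy rule set: 8+ characters with lower, upper, digit and symbol.
    'P@ssw0rd' passes, 'correct horse battery staple' fails."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def estimate_strength_bits(pw):
    """Assumed heuristic: log2(charset) per character, scaled down by the share
    of distinct characters so 'aaaaaaaaaaaa' is not scored like 12 random letters."""
    if not pw or pw.lower() in COMMON_PASSWORDS:
        return 0.0
    charset = sum(size for pat, size in
                  [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]
                  if re.search(pat, pw))
    return len(pw) * math.log2(charset) * (len(set(pw)) / len(pw))


def length_plus_meter_policy(pw):
    """The policy the text describes: no class rules, 12+ characters, and a
    minimum meter score. Returns (accepted, feedback) for real-time UI hints."""
    if len(pw) < MIN_LENGTH:
        return False, f"use at least {MIN_LENGTH} characters"
    if estimate_strength_bits(pw) < MIN_STRENGTH_BITS:
        return False, "too guessable: avoid common passwords and repeated characters"
    return True, "ok"
```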
Game developers, publishers, and distributors could also take steps to help maintain security for players. Avast emphasizes that MFA is only effective if the game company in question has a framework for it. Game companies should provide features for players to quickly lock their accounts if compromised, especially if financial information is involved. Developers should consider implementing features such as geofencing to protect gamer accounts. Geofencing is a location-based service in which an app or other software uses Radio Frequency Identification (RFID), Wi-Fi, cellular data, or the Global Positioning System (GPS) to trigger a pre-programmed action when a device or RFID tag enters or exits a virtual boundary, called a geofence, set up around a geographical location. The gaming industry could also further explore behavioral biometrics for enhanced security and account protection; these uniquely identify users by measuring patterns in human activity, including keystroke dynamics, gait analysis, mouse use characteristics, and more. Game companies should also increase efforts to support user security knowledge and awareness by making information about known threats, and the basic security practices that avoid them, as accessible and digestible as possible.
Security vulnerabilities and incidents faced by the gaming community could greatly impact enterprise networks. Video game-based attacks not only call on individual gamers and gaming companies to follow and implement proper security practices and measures, but also emphasize the need for security professionals to constantly monitor the behavior of systems within their network. As many employees continue to work remotely during the COVID-19 pandemic and mix daily work activities with their private computer usage, enterprises are more likely to experience cyberattacks via compromised personal Internet-connected devices belonging to their employees. Employees who play vulnerable video games, or who download modding tools or cheat engines from questionable sources to modify games installed on the same device used for their job, pose a significant threat to enterprise networks. The security community is encouraged to further explore and develop security solutions, and to emphasize the importance of following proper security practices that can bolster all realms, including the gaming industry.