The video gaming landscape has changed drastically over the past few decades. Some of these changes have led to considerable developments in the cyberthreat landscape as it applies to gaming companies, the games themselves and the user base that enjoys them.
Integration of the cloud, mobile apps and social networks, the diversity of games and platforms, the popularity of streaming, and the change in profit models to include loot kits mean that the attack surface is far greater than it has ever been. For this reason, it is important that gaming companies are prepared to defend against threats to their consumers and that gamers understand the types of threats they can face.
Whether exploiting vulnerabilities in gaming platforms, bundling malicious software with games, conducting ad fraud, phishing for gamer credentials or scam campaigns, there are a variety of threats that attackers may use to find victims among the various parties in the gaming industry.
Between the actual games and the platforms that host them, there is the software that makes it possible. And with software comes the risk of security flaws and vulnerabilities that can be exploited by both gamers and external attackers.
Where secure software development fails, companies must be quick to fix flaws and release patches. In August 2019, researchers went public with a zero-day privilege escalation vulnerability in one of the most popular gaming clients, which had previously been responsibly disclosed but not fixed. Around the same time, a major video game company was sued because of a vulnerability in its software that was exploited by attackers who used the access to make fraudulent charges on customer credit cards. If you think about massively multiplayer online role-playing games (MMORPGs), for example, the number of affected customers can be in the millions.
It is therefore important that companies that provide gaming platforms and software implement an effective vulnerability management program, including a thorough review of vulnerabilities disclosed by third parties, so that the necessary updates can be released in a timely manner.
From the gamer’s perspective, even when a patch has been issued for a vulnerability, users are not protected until their software is actually updated. It is important that gamers apply released updates as soon as possible.
Some companies, such as Sony, prevent consumers from delaying updates by disabling access to the majority of applications and content until patches are applied. This strategy can help reduce risk around the gaming platforms and the people who use them.
Recently, attackers have begun leveraging gaming infrastructure and services as a method to hide malicious content and communication in legitimate traffic.
One platform being abused in this way is Discord, a voice and text chat application for gamers. The first example of Discord abuse was reported in October 2019 with the discovery of the Spidey Bot malware. Along with backdooring the local legitimate Discord application, this malware also uses a Discord webhook for command-and-control (C&C) communication with the victim host.
A month later, a separate report described multiple malware infection campaigns that used Discord’s content delivery network (CDN) to host malicious files. By sending malware payloads in Discord messages, attackers were able to generate a link on the legitimate Discord domain that could then be used to lure victims without being blocked by URL filters.
These examples show the need for companies to ensure that they secure and reduce the risk associated with distributing content or providing public API access, whether this means securing API tokens, implementing antivirus on CDNs, or creating procedures for identifying and purging malicious content or accounts. Gamers using third-party services like chat platforms should exercise caution when clicking links from unknown users, even if the link is related directly to the platform they’re using.
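One way a defender can look for the two abuse patterns described above (payloads served from Discord's CDN and webhook traffic used as C&C) is to scan outbound proxy logs. The following is an added example, not code from the original article or from IBM; it assumes a simple whitespace-separated log format, the hostnames cdn.discordapp.com and discord.com for the CDN and webhook API, and uses constructed sample lines.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Fields:
# timestamp  source_host  process  method  url  response_content_type
SAMPLE_LOG = """\
2020-02-10T09:14:02Z ws-17 discord.exe GET https://cdn.discordapp.com/attachments/111/222/notes.png image/png
2020-02-10T09:15:41Z ws-17 chrome.exe GET https://cdn.discordapp.com/attachments/111/333/setup.exe application/x-dosexec
2020-02-10T09:15:59Z ws-17 setup.exe POST https://discord.com/api/webhooks/444/abc application/json
2020-02-10T09:16:10Z ws-22 discord.exe POST https://discord.com/api/webhooks/555/def application/json
2020-02-10T09:17:00Z ws-22 chrome.exe GET https://example.org/index.html text/html
"""

# Assumed hostnames and paths for Discord's attachment CDN and webhook API.
CDN_HOSTS = {"cdn.discordapp.com"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
EXEC_EXT = re.compile(r"\.(exe|dll|scr|msi|bat|ps1|js|jar)$", re.IGNORECASE)
EXEC_TYPES = {"application/x-dosexec", "application/x-msdownload"}
DISCORD_CLIENT = {"discord.exe", "discord"}

def parse_line(line):
    ts, host, proc, method, url, ctype = line.split()
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url, "ctype": ctype}

def classify(rec):
    """Return (finding, severity) for one parsed proxy record, or None if it looks benign."""
    u = urlparse(rec["url"])
    if u.hostname in CDN_HOSTS and u.path.startswith("/attachments/"):
        if EXEC_EXT.search(u.path) or rec["ctype"] in EXEC_TYPES:
            return ("executable-from-discord-cdn", "high")
    if u.hostname in WEBHOOK_HOSTS and u.path.startswith("/api/webhooks/") and rec["method"] == "POST":
        if rec["proc"].lower() not in DISCORD_CLIENT:
            return ("webhook-post-from-non-discord-process", "high")
        # The client itself can be backdoored (the Spidey Bot case), so webhook
        # posts from the legitimate process are still worth review, at lower priority.
        return ("webhook-post-from-discord-client", "low")
    return None

def find_suspicious(log_text):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = classify(rec)
        if hit:
            findings.append((rec["ts"], rec["host"], rec["proc"], hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(*f)
```

Process name alone is not a reliable allow signal here, because the backdoored client in the Spidey Bot case generates webhook traffic from the legitimate process; correlate with file integrity of the client install before closing such an alert.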
With many streaming platforms offering ad revenue to their creators, incentive exists to increase views. Some users may attempt to do this through illegitimate means.
A recent malware framework was found to be generating traffic to specific YouTube videos and Twitch streams for just this purpose. Companies should monitor their networks for abnormal traffic that may indicate illegitimate activity.
In a report from March 2019, the Belonard Trojan was found to be exploiting vulnerabilities in a game by Valve Corporation called Counter-Strike for a unique fraud campaign. After infecting machines, this malware used various techniques to promote game servers. This capability was then sold as a service to legitimate game server owners in order to have their servers appear in more users’ lists. Once again, reviewing traffic patterns associated with widespread botnet activity could help companies shut down illegitimate operations sooner.
Gamers are not immune when it comes to one of the most common attack methods. Phishing campaigns targeted at gamers come in diverse themes. In some cases, the attackers simply use the appeal of items or cheats to entice victims into paying for fake products. If the lure is convincing enough, consumers may hand over credit card information to these attackers, only to find out they paid for fake in-game items.
In other cases, phishing attacks may target the gamers’ account credentials. These accounts bring a variety of benefits to attackers. The accounts may have credit card credentials stored that can be stolen and used elsewhere. If accounts have high-level characters or rare items, attackers may be able to sell them in order to turn a profit.
Lastly, accounts may simply be taken over so that spam or scams can be posted from behind a legitimate account. While part of the responsibility to defend against these types of attacks falls on the gamers, gaming companies also need to take an active role in protecting their consumers.
In order to reduce the chances of a successful account credential phish, companies should be offering multifactor authentication (MFA) options to gamers. It is also a good idea for companies to notify users of known phishing campaigns targeting them. For platforms that require a higher level of security, gaming companies can opt to implement security solutions that help authenticate legitimate users and keep malicious activity out.
Gaming Credentials on the Dark Web
IBM’s X-Force IRIS researchers performed dark web research to identify recent examples of compromised credentials related to the gaming industry. In February 2020, we identified two major dumps. One dump was of 881,000 credential sets for various gamer accounts, including those for video games and platforms. In the other dump were almost 33 million credentials for user accounts leaked from a mobile and online game developer’s platform.
With the recent rise in popularity of gaming across a variety of platforms, attackers have noticed an opportunity to social engineer users with game-related lures. Often, this involves distributing payloads that appear to be legitimate, popular games or trojanizing game apps by embedding malicious code into otherwise benign applications.
For example, the popular game Apex Legends is available to download on mobile devices via the developer’s website. However, attackers have built look-alike websites claiming to be legitimate to lure potential victims in. If a user visits the fake site, the downloaded payload will infect them with spyware and/or display phishing content to steal their credentials.
As another example, the Baldr Trojan masquerades as a tool to gain advantages in games but instead acts as an infostealer. Similarly, supposed Fortnite cheats have been used by attackers to infect players with data stealers.
As with phishing campaigns, most of the defense against these attacks involves vigilance on the user’s part. However, protecting user identities with added security, such as MFA, and keeping users informed of known threats can reduce the likelihood that such attacks succeed.
Most gamers are aware of bots plaguing the social aspects of gaming platforms. It is not uncommon to receive messages or invites from these fake, automated accounts trying to start a conversation. This is not a new issue and has been reported for years, especially as it relates to PlayStation Network and Xbox Live spambot activity.
These unwanted messages are often used to spread adult content and redirect users to pages they do not intend to visit. The reputation of social networks on gaming platforms can be quickly damaged when being used for mass distribution of such content and malicious pages.
The issue is even more significant when you consider the number of minors present on these platforms. Gaming companies often have methods of reporting inappropriate content or bot behavior, but they should also take a proactive stance and identify methods of detecting and preventing such activity so that consumers are not exposed to it on their platforms.
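A proactive detection of the spambot behaviour described above can key on the traits the text names: unsolicited messages fanned out to many unrelated users in a short window, all carrying near-identical text and a link. This is an added example rather than code from the article or any platform; the event format, thresholds and sample messages are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of direct-message events on a gaming social network (not real data):
# (timestamp, sender, recipient, text)
EVENTS = [
    ("2020-02-10T20:00:01Z", "ace_77", "alice", "hey, squad up tonight?"),
    ("2020-02-10T20:00:05Z", "skins4free", "alice", "FREE skins!! claim at http://example.invalid/claim"),
    ("2020-02-10T20:00:06Z", "skins4free", "bob", "Free skins! claim at http://example.invalid/claim2"),
    ("2020-02-10T20:00:08Z", "skins4free", "carol", "free skins claim at http://example.invalid/claim3"),
    ("2020-02-10T20:00:09Z", "skins4free", "dave", "FREE SKINS claim at http://example.invalid/claim4"),
    ("2020-02-10T20:00:11Z", "skins4free", "erin", "free skins!!! claim at http://example.invalid/claim5"),
    ("2020-02-10T20:02:30Z", "alice", "ace_77", "sure, 9pm?"),
    ("2020-02-10T20:03:00Z", "ace_77", "bob", "bob you in tonight?"),
]

WINDOW = timedelta(minutes=10)   # assumed thresholds; tune per platform
MIN_MSGS = 5                     # messages in the window before a sender is considered
MIN_RECIPIENTS = 5               # distinct recipients in that window
MIN_DUP_RATIO = 0.8              # share of messages that collapse to one normalized text

URL_RE = re.compile(r"https?://\S+")

def normalize(text):
    """Collapse case, punctuation and URLs so trivially varied spam compares equal."""
    t = URL_RE.sub("<url>", text.lower())
    t = re.sub(r"[^a-z0-9<> ]+", " ", t)
    return " ".join(t.split())

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_spam_senders(events):
    by_sender = defaultdict(list)
    for ts, sender, recipient, text in events:
        by_sender[sender].append((parse_ts(ts), recipient, normalize(text)))
    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        for i in range(len(msgs)):
            # every message from msgs[i] onward that falls inside the sliding window
            window = [m for m in msgs[i:] if m[0] - msgs[i][0] <= WINDOW]
            if len(window) < MIN_MSGS:
                continue
            recipients = {m[1] for m in window}
            top_text, top_n = Counter(m[2] for m in window).most_common(1)[0]
            if len(recipients) >= MIN_RECIPIENTS and top_n / len(window) >= MIN_DUP_RATIO:
                flagged[sender] = {"recipients": len(recipients), "dup_ratio": top_n / len(window), "text": top_text}
                break
    return flagged
```

Account age and the share of recipients who ever reply are useful additional signals, since a new account that only ever sends and never receives looks very different from a player inviting friends.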
Gaming’s Expanding Threat Landscape
Gaming is becoming an increasingly prevalent part of our culture and is thus becoming a more enticing target for attackers. Whether it be through phishing attacks, malware distribution, vulnerability exploitation or fraud campaigns, attackers have found various ways to profit from gamers and gaming companies.
Unlike organizations in the financial sector, for example, gaming companies may not consider themselves a top target in the overall global attack landscape, yet they are under constant attack through various vectors. For this reason, it is important that both gaming companies and their consumers understand the relevant threats and protect themselves from such activity.
Cyber Threat Researcher - IBM X-Force IRIS
Megan Roddie is a Cyber Threat Researcher with IBM's X-Force IRIS. She has a M.S. in Digital Forensics along with several industry Digital Forensics and Inci...