Video-game-related crime is almost as old as the industry itself. But while illegal copies and pirated versions of games were the previous dominant form of illicit activities related to games, recent developments and trends in online gaming platforms have created new possibilities for cybercriminals to swindle huge amounts of money from an industry that is worth nearly $100 billion. And what’s worrisome is that publishers are not the only targets; the players themselves are becoming victims of this new form of crime.
Recent trends prove just how attractive the gaming community has become for cybercriminals and how lucrative the game-hacking business is becoming, which underlines the importance for developers, manufacturers and gamers alike to take game security more seriously.
New features breed new hacking possibilities. The recent wave of malware attacks against Steam, the leading digital entertainment distribution platform, is a perfect example of how game-related crime has changed in recent years.
For those who are unfamiliar, Steam is a multi-OS platform owned by gaming company Valve, which acts as an e-store for video games. But what started as a basic delivery and patching network eventually grew into a fully featured gaming market that counts more than 125 million members, 12 million concurrent users and thousands of games. Aside from the online purchase of games, the platform offers features for game inventories, trading cards and other valuable goods to be purchased and attached to users’ accounts.
The transformation that has overcome the gaming industry, or more specifically the shift toward the purchase and storage of in-game assets, has created new motives for malicious actors to try to break into user accounts. Aside from sensitive financial information, which all online retail platforms contain, the Steam Engine now provides attackers with many other items that can be turned into money-making opportunities.
This has fueled the development of Steam Stealer, a new breed of malware that is responsible for the hijacking of millions of user accounts. According to official data recently published by Steam, credentials for about 77,000 Steam accounts are stolen every month. Research led by cybersecurity firm Kaspersky Lab has identified more than 1,200 specimens of the malware. Santiago Pontiroli and Bart P, the researchers who authored the report, maintain that Steam Stealer has “turned the threat landscape for the entertainment ecosystem into a devil’s playground.”
The malware is delivered through run-of-the-mill phishing campaigns, infected clones of gaming sites such as RazerComms and TeamSpeak or through fake versions of the Steam extension developed for the Chrome browser.
Once the intruder gains access to victims’ credentials, they not only siphon the financial data related to the account, but also take advantage of the possible assets stored in the account and sell them in Steam Trade for extra cash. Inventory items are being traded at several hundred dollars in some cases. According to the Steam website, “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers.”
Every online game and platform can become the target of cyberattacks.
Steam Stealer is being made available on malware black markets at prices as low as $3, which means “a staggering number of script-kiddies and technically-challenged individuals resort to this type of threat as their malware of choice to enter the cybercrime scene,” the Kaspersky report states. The malware-as-a-service trend is being observed elsewhere, including in the ransomware business, which, at present, is one of the most popular types of money-making malware being used by cybercriminals.
What makes the attacks successful?
A number of factors have contributed to the success of the attacks against the Steam platform, but paramount among them is the outdated perception toward security in games. Developers and publishers are still focused on hardening their code against reverse engineering and piracy, while the rising threat of data breaches against games and gamers aren’t getting enough attention.
“I think it’s because in the gaming world as well as in the security industry, we haven’t paid much attention to this issue in the past,” says Pontiroli, the researcher from Kaspersky, referring to the malware attacks against games.
Gamers are also to blame for security incidents, Pontiroli believes. “There’s this view from the other side of the table — from gamers — that antivirus apps slow down their machines, or cause them to lose frame rate,” he explains, which leads them to disable antiviruses or uninstall them altogether. “Nowadays you just need to realize that you can lose your account and your information.”
A separate report by video-game security startup Panopticon Labs about cyberattacks against the gaming industry maintains that in comparison to financial services and retail, the video-game industry is new and highly vulnerable to cyberattacks. “Whereas other industries now have cybersecurity rules, regulations and standards to adhere to, online video games are just now recognizing that in-game cyberattacks exist and are harmful to both revenue and reputation,” writes the report.
Matthew Cook, co-founder of Panopticon, believes that publishers are putting up with the unwanted behaviors of bad actors and accept it as a cost of doing business. “So often, the publishers we talk to refer to fighting back against these unwanted players as a game of ‘whack a mole’ that they can never win,” he says.
In contrast, he believes, publishers can fight back and eliminate fraudulent or harmful activities, provided they get a head start in securing their games and are dedicated to keeping bad players out after they’re gone. “Unfortunately, slow, manual processes like combing through suspected bad actor reports, or performing half-hearted quarterly ban activities just won’t cut it anymore,” Cook stresses. “The bad guys have gotten too good, and there’s simply too much financial opportunity for them to be dissuaded by reactive rules and reports.”
Комментариев нет:
Отправить комментарий