Chris Boyd, malware intelligence analyst at Malwarebytes, reveals the latest tactics being adopted by cyber criminals in their attempts to steal from gamers
Gaming accounts are one of the hottest targets for black hats as we roll into 2015.
Any form of financial investment in gaming – from paid memberships to rare in-game items – makes consumers a prime target for hackers and scammers.
Even if they’re locked down tight, criminals can still make use of personal information by going after platform holders and developers and stealing from the source.
Although you won’t see malware [hostile and intrusive software] running on the latest consoles anytime soon, it works on PC, and the higher profile of purchasable in-game items on Steam has greatly increased the likelihood of attacks.
We used to see many attacks take place in-game, such as mods being used in Modern Warfare 2 on Xbox 360 to send fake Message of the Day links to phishing scams.
Over the last few years, we’ve seen the growth of in-game items and microtransactions, and hackers are seeing those as the path of least resistance to obtaining stolen accounts and items.
In fact, some of the smartest social engineering tricks we’ve seen recently have been aimed at gamers.
Fake EA customer support Twitter accounts would monitor conversations between gamers having problems and direct the victim to Origin phishing pages – all achieved with just a friendly tweet.
They’re also targeting Twitch users, with bots sending links in chat channels to account-stealing malware.
"Gaming accounts are prime targets for hackers and scammers."
Chris Boyd, Malwarebytes
There are some recent positive security stories, though they’re something of a mixed bag.
While major titles such as Guild Wars 2 have adopted 2FA (two-factor authentication) login and Steam continues to promote its Steam Guard tool, a number of platforms and online titles currently show no sign of using similar account verification. Even Steam Guard will only be enabled once a user verifies their email address, and a look at the forums suggests many account holders don’t bother.
Worse, scammers are actively targeting those same security safeguards, often luring victims in with promises of rare items then having them download fake Steam Guard programs. These then dig out the SSFN file on the victim’s PC, which is tied to Steam Guard verification, upload it to the attacker and let them log in unhindered.
As we continue to tie more games to our (many) online gaming accounts, they will only increase in value to anybody wanting to turn a fast profit.
It’s up to console makers and digital download service providers to step up and look at ways they can increase the security of their customers’ accounts. They’re starting to make progress, but it’s on the slow side – and the number of people clamouring for the customer’s account shows no sign of slowdown.