Across the gaming industry, developers and publishers are not the only victims of the growing tide of cyberattacks. Now, the gaming community itself is an emerging attack surface. Are gamers becoming sitting ducks for cybercriminals?
The gaming industry has grown tremendously in the last couple of decades, with revenues surging to $180 billion over 2020 and video game companies collectively reaching hundreds of billions of dollars in market caps.
It’s no surprise then that such a lucrative industry has been increasingly plagued by cyberattacks. Threat actors carried out more than 12 billion attacks against gamers and gaming companies in 2018/2019, and the trend is showing no signs of slowing down during the past year, with the likes of Nintendo, Stalker Online, and even Cyberpunk 2077 maker CDProject Red being successfully targeted.
Experts have been raising awareness of security issues in gaming for years, yet the growing number of hacks and breaches seems to indicate a lack of tangible progress.
According to Chris Hauk, consumer privacy champion at Pixel Privacy, game publishers and developers should do more to focus on security in their games and servers in order to protect gamers’ personal and financial data.
Hauk warns that “numerous security flaws have been found in online games in recent years, including such popular games as Fortnite, where a flaw in the authentication process was discovered, leaving gamers vulnerable to redirect attacks.”
At the same time, gaming companies are not the only victims of the growing tide of cyberattacks. Now, the gaming community itself is an emerging attack surface, with threat actors masquerading as players and gaining access to their victims’ devices and personal data.
With criminals increasingly circling both corporate and individual targets, and the number of attacks rising across the industry, gamers might be facing a cybersecurity reckoning in the not-too-distant future.
A false sense of security
Even though their average age has been steadily increasing, a significant percentage of gamers are school-aged children who are inevitably much less security-conscious and more trusting of those they meet in-game. And since privacy and security are learned behaviors, young gamers are often left open to exploitation, at least before they are taught how to protect themselves online.
Older gamers, on the other hand, often spend a lot of money on their online characters and game libraries, making them especially tempting targets for cybercriminals because virtual assets can often be sold for cash on gray and black markets.
Chris Hauk thinks that despite the fact that most gamers may not think of their online accounts as attractive targets, there are many reasons why threat actors find gamers ripe for exploitation.
“Gamers hand over a wealth of information to gaming companies, both when signing up for games and during game play and/or when purchasing in-game items.”
“This can include email addresses, credit card info, and much more. Plus, in-game inventory items can be stolen by taking over an account. Accounts with high levels of in-game items can be sold for attractive amounts,” Hauk told CyberNews.
The dangers faced by gamers can also be exacerbated by their false sense of security when it comes to protecting their personal information. “You’d think that gamers would be more security-savvy, not less, but in my experience, they’re pretty much equally misinformed or careless. They’re vulnerable in the same way other users are who spend a lot of time online,” says Heinrich Long, Privacy Expert at Restore Privacy.
“They also tend to throw all caution to the wind and forget about security when they’re in the heat of the game. It’s easy to forget, because you’re focusing on something else, but that’s when they strike.”
According to Long, the same goes for any ‘friends’ that many gamers - children in particular - may make on online gaming platforms. “People who catfish have all the patience in the world for you to gain trust and let them into your life,” he told CyberNews.
Does this apparent carelessness make gamers sitting ducks for cybercriminals? Not necessarily. However, there are some industry-specific risks that gamers should pay extra attention to.
Gaming-specific security risks
Virtually all of the most successful video games of today are being played online, with millions of players connected to gaming servers at the same time. This means that the gaming industry is sitting on a treasure trove of player data, including massive amounts of credit card details and personally identifiable information of gamers worldwide.
Emil Sayegh, global cybersecurity expert and CEO of Ntirety, argues that apart from credential stuffing attacks, gamers are especially susceptible to security breaches and fraud. “Gaming platforms are full of young and inexperienced users who can often be gullible and eager to share information. Credit card fraud and personal information leaks are already highly prevalent on gaming platforms,“ says Sayegh.
According to him, popular gaming platforms are also beginning to show their age and are falling behind when it comes to protecting player accounts. “Very few, if any, are using multi-factor authentication for security, but a more involved security protocol could discourage users from joining their platforms,” Sayegh told CyberNews.
Ben McCarty, cybersecurity professional and author of Cyberjutsu, lists cryptojacking as another gaming-specific security risk. “A stable high-powered gaming machine with a good graphic card(s) is useful for crypto mining and would be an attractive target to cryptojackers,” who use compromised systems to mine cryptocurrencies - and powerful gaming rigs are particularly suitable for this kind of exploitation.
“Any mining earnings would be sent to the cryptojackers’ wallets, while the gamer is left wondering why their machine is running so hot all the time and the electricity bill is up.”Ben McCarty
On the other hand, threats don’t have to be industry-specific to pose real danger to gamers, argues Ray Walsh, digital privacy expert at ProPrivacy. According to him, one of such widespread threats is phishing.
“Gamers need to be aware that they are potentially at risk of cyberattacks that purposefully imitate gaming services and brands to engage in phishing attacks,” says Walsh. For gamers, phishing is most likely to involve spear-phishing attacks that are centered around game offers that are too good to be true, as well as messages from phishers masquerading as representatives of well-known gaming brands.
According to Walsh, phishing attacks and weak passwords are some of the gamers’ biggest blind spots security-wise, “both of which can lead to account penetration, malware infections, and data theft.” Moreover, as the potential rewards for compromising player accounts keep increasing, bad actors will undoubtedly allocate ever more resources to attack both games and gamers.
And with so much personal and financial information at stake, taking security seriously becomes more important than ever.
What can gamers do to protect themselves?
The notion that gaming companies need to do more to protect players’ accounts from cyberattacks is more or less self-evident. But there are also steps gamers can take to make themselves less vulnerable.
Ray Walsh argues that strong authentication practices are essential when it comes to securing online accounts. “Gamers should ensure that they always use strong, unique passwords for all the games and online game services they maintain accounts with to ensure that if any one of those accounts is penetrated, the other gaming accounts are safe,” says Walsh.
According to Heinrich, gamers tend to have “stupid passwords that are easy to guess or are related to the game.” He urges gamers to not make that mistake: “Instead, choose a real password with multiple characters, symbols, and make sure to not keep it written anywhere in a file.”
“While such apps are considered by gamers to be a drain on their system resources, preventing their machines from performing as well as they could, there are security apps that are easy on system resources.”
According to Hauk, gamers need to be “a little more concerned with protecting their personal and financial information and hard-earned in-game items than they are with bragging and boasting of their latest conquests, inadvertently sharing information that could be used to hack their accounts.”
The Final Boss hardcore security build
Finally, for gamers who want to take their security to the next level, McCarty recommends creating a gaming persona on a separate, dedicated gaming machine used exclusively for gaming and nothing else. Such a persona would exist on its own subnet and would even have its own email account that would have no ties to the gamer’s real identity.
Furthermore, the owner should install a complete security solution on the dedicated gaming machine. This security solution should support “game mode,” which would “automatically enable various security controls” on the machine “while not hindering your gaming experience.”
For those not intimidated by such an undertaking, McCarty also lists further steps that hardcore security-conscious gamers can take to achieve watertight protection:
- Set your DNS resolver to a security-based one, such as 18.104.22.168.
- Consider using a nightly build for web-browsing (such as ChromeCanary) which often receives new security features and enhancements before other versions.
- Establish user account controls to not allow you to play or install your games as Administrator/Root.
- Enable auto-download for new OS security patches and updates.
- Manage your firewall to only keep the open ports/protocols/networks that are necessary for online gaming.
- Use app-lockers that only allow certain software (ideally, the games you just bought) to be installed or executed.
- Double-check the name, download count, publisher, and signing certificates on game software before downloading and installing it.
- Keep physical access to your gaming machine protected and consider setting up BitLocker and hardware locks to protect it from tampering or theft.
- Uninstall all the bloatware and other unneeded software not needed for gaming in the machine to mitigate against vulnerabilities.
- Exercise caution to avoid the risks from sketchy mods, pirated games, account sharing, or dubious claims of performance-enhancing software.
- Use best practices like using trusted anti-virus, VPNs, password managers, 2FA, and secured internet like WPA2-PSK.
More great CyberNews stories:
Subscribe to our monthly newsletter