The fact that many online games rely on in-game purchases is the reason behind the plethora of cyberattacks against the video game industry. Due to the use of in-game currency and subsequent micro-transactions, threat actors have gravitated to the gaming industry in a gold rush to compromise gaming accounts so they can steal these payments.
Employing a wide array of sophisticated intrusion methods in their pursuit to exploit players, the hackers are gaining the upper hand against gaming companies around the world.
Over $40,000 a week is being heisted by cybercriminals who are breaking into video game accounts, especially from popular titles like Fortnite, Roblox and Minecraft. Those games are among the most lucrative of all black market accounts being bought and sold on the darkweb, which has escalated into a billion dollar a year black market industry.
As of May 2020, Fortnite has amassed 350 million players. The mobile versions of Roblox alone have been downloaded 290 million times between Android and Apple devices, with Minecraft sales hitting 200 million.
Billions of gamers, billions of potential targets
There are around 2.7 billion gamers across the world. According to industry market estimates, this year’s video game market is forecast to generate revenue of $159.3 billion, a 9.3% increase from $120.1 billion in 2019, and experts are forecasting that the video game market will skyrocket to a whopping $196 billion by the year 2022.
As the cyberattacks keep rolling in, video game companies have not been successful in mitigating them, and user accounts continue to be compromised by ambitious intruders who steal sums estimated in the six and seven figures every year in illicit profits.
Earlier this year, hackers broke into 160,000 Nintendo ID accounts. The attack prompted the company to re-evaluate how users log in as well as reset the passwords to the compromised accounts.
Funds associated with many of the user accounts were also compromised, and used to make unauthorized in-game purchases. Personal user information was exposed. Payment services such as PayPal and credit cards were illegally accessed and used by the intruders to make purchases on the Nintendo gaming platform.
Gravity, a South Korean video game company popular for the title “Ragnarok,” was also among the targets of the latest string of hacking attacks carried out by a notorious threat group known as the Winnti Group. Winnti is believed to be a Chinese state-sponsored cyberespionage group operated by the Ministry of State Security, which is China’s intelligence branch.
However, threat actors break into user accounts not only to steal personal and payment information, but also to launder money through in-game currencies.
Converting stolen money into in-game currencies and items
As the popularity of in-game purchases continues to proliferate and expand the gaming economy, cyber thieves continue to manipulate it in order to launder the loot from their other criminal enterprises.
Cyber intelligence firm Sixgill and The Independent conducted a collaborative investigation into the criminal use of Fortnite V-bucks, the in-game currency that can be spent to purchase items. According to their findings, cybercriminals use stolen credit card details to buy V-bucks from the official Fortnite store, after which they sell V-bucks at a discounted rate to players, thus “cleaning” the funds.
There have been several online web forums where users discuss how to take advantage of multiplayer games in order to launder stolen money. Included in the topic discussion was how to launder currency associated with Clash of Clans and World of Warcraft.
Darkweb forums discussing money laundering through in-game currencies. Source: “Laundering Money Online: a review of cybercriminals’ methods” report
Thus, by taking over poorly protected accounts or establishing several accounts on various online gaming platforms, bad actors move illegally obtained money between those accounts or sell off the digital assets. Such a scheme helps them obfuscate their real identities and eventually cash out the money below the radar.
Once the attacker has real world money in their possession, they have a few options to remove traces from previous transactions. One of them is converting the money to cryptocurrency, with some criminals going further and “cleaning” the cryptocurrency via a crypto mixing service.
Threat actors can also invest the money back into their operations, cash it out, shop, or procure gaming currencies in large quantities and subsequently resell them in smaller batches at higher rates. Trend Micro also wrote about incidental profits hackers can make, detailing:
“For example, if the cybercriminal used an infostealer or RAT to hack into a player’s account, then the cybercriminal can loot that account for other credentials or personal information, which can be sold to other cybercriminals. Cybercriminals can also retain control of the hacked system and use it for malicious purposes, such as DDoS attacks, identity theft or fraud, and even for social engineering.”
Speaking about bad actors using in-game currencies and items, Mike McGuire, senior lecturer in criminology at Surrey University, said:
“Gaming currencies and items that can be easily converted and moved across borders offer an attractive prospect to cybercriminals. This trend appears to be particularly prevalent in countries like South Korea and China – with South Korean police arresting a gang transferring $38 million laundered in Korean games, back to China. The advice on how to do this is readily available online and explains how cybercriminals can launder proceeds through both in-game currencies and goods.”
Video game companies in Asia indeed seem to be prime targets for threat actors. Mathieu Tartare, malware researcher at cybersecurity firm ESET, told BeInCrypto that:
“[…] it could be related to the fact that APAC [Asia Pacific] is the region generating the largest revenue: in 2015, $43.1 billion for APAC vs $23.8 billion for North America and $15.6 billion for Europe. So, it could be because there is more money spent by players and a larger pool of potential victims.”
Poor passwords and vulnerabilities
Cybercriminals search among the plethora of gaming websites across the world for those that may be susceptible to attack. Once exploited, such a site can give them unauthorized access to the user/password table, which stores each user’s registration details such as username, password, email address and credit card information, among other things. This information may also be obtained from data dumps posted on hacking websites, or purchased on the darkweb.
One in every five gamers reportedly falls victim to some method of payment fraud in prominent games.
According to a report published by IT security consulting firm Night Lion Security, a well known method for breaking into accounts is through the use of brute force password cracking. An example of this intrusion method was given by a renowned cracker mentioned in the report by the name of DonJuji, who stated that Fortnite account cracking tools can average anywhere between 15 to 25,000 checks per minute, or approximately 500 account checks per second.
Poor password choices by users only increase an account’s susceptibility to compromise, more so if the password can be guessed.
Akamai Technologies explained in their threat research report entitled “Web Attacks and Gaming Abuse” that the two attack methods most commonly employed by threat actors are SQL injection and Local File Inclusion, which together account for 89.8% of all application layer attacks.
Because users often have a habit of reusing the same login credentials across multiple websites, the attackers can enumerate a list of sites a user is subscribed to using the stolen username and password. This is accomplished through a popular attack vector known as a “credential stuffing attack.”
This occurs when the threat actor uses bots to send automated login requests on a large scale against various web login pages, hoping to access as many accounts as possible using the stolen credentials.
Akamai’s analysis showed that the gaming industry attracted a colossal degree of credential stuffing attacks between November 2017 and March 2019 amounting to 12 billion. Tartare explained:
“Credential stuffing seems also quite common: usually cybercriminals are selling what they call ‘combos’ which are combinations of multiple credential leaks along with user friendly tools to easily and automatically perform a large number of authentication trials using these combos. Additionally, the attackers can exploit a vulnerability on the gaming platform to take control of any gamers and thus access their personal information.”
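The two login attacks described above leave different traces in an authentication log: brute forcing produces many guesses against one account, while credential stuffing produces one or two tries against many accounts. The following is an added example, not code from any of the reports cited here; the log format, thresholds and sample lines are assumptions constructed for illustration, and per-source counting is only one of the signals a defender would combine.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed login log: '<timestamp> <src_ip> <username> <OK|FAIL>'."""
    lines = []
    # Source A: one try against each of 8 accounts (reused leaked pairs), one hit.
    for i in range(8):
        result = "OK" if i == 5 else "FAIL"
        lines.append(f"2020-06-01T10:00:{i:02d}Z 203.0.113.7 player{i} {result}")
    # Source B: 10 password guesses against a single account.
    for i in range(10):
        lines.append(f"2020-06-01T10:01:{i:02d}Z 198.51.100.9 steve FAIL")
    # Source C: ordinary player, one typo then a successful login.
    lines.append("2020-06-01T10:02:00Z 192.0.2.44 alex FAIL")
    lines.append("2020-06-01T10:02:09Z 192.0.2.44 alex OK")
    return "\n".join(lines)

def analyse(log_text, min_attempts=5, min_fail_ratio=0.8):
    """Return (verdict per source IP, accounts that need a forced reset)."""
    stats = defaultdict(lambda: {"n": 0, "fails": 0, "users": set(), "hits": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # ignore malformed lines instead of crashing
        _ts, ip, user, result = parts
        s = stats[ip]
        s["n"] += 1
        s["users"].add(user.lower())
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(user.lower())
    verdicts, reset = {}, set()
    for ip, s in stats.items():
        if s["n"] < min_attempts or s["fails"] / s["n"] < min_fail_ratio:
            verdicts[ip] = "normal"
        elif len(s["users"]) == 1:
            verdicts[ip] = "brute_force"          # many guesses, one account
        else:
            verdicts[ip] = "credential_stuffing"  # few guesses each, many accounts
        if verdicts[ip] != "normal":
            reset |= s["hits"]  # a success from a flagged source is a takeover
    return verdicts, sorted(reset)

if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

The second return value is the list a response team acts on first: accounts where a flagged source logged in successfully should have their sessions revoked and passwords reset.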
In addition to the wide array of attack methods utilized by threat actors, players have also experienced attacks in the form of fake promotions. These appear to be legitimate promotional offers from gaming companies. This kind of attack is known as phishing, which may trick unsuspecting players into entering their credit card information to purchase items for their games, but can also be utilized to secretly download malware onto the players’ devices.
Security firm Kaspersky indicated that the number of attempts to lure video game users to phishing pages increased by 54% in April compared with January 2020, while the number of redirects to malicious websites for popular gaming platform Steam rose by 40% compared to February 2020.
Penetrating game developers’ servers
In several instances threat actors were able to penetrate and compromise a developer’s build orchestration server, which gave the cybercriminals the keys to automated build systems. It allowed them to tamper with the video game’s downloadable executables by introducing a backdoor trojan in order to infect gamers’ devices on a massive scale.
Tartare said that “threat actors get access to the victim’s machine by using the backdoor embedded in the trojanized videogame. In that case it means the attacker compromised the videogame developer/distributor in the first place.”
Due to location-concealing tools, it can be difficult to determine the actual origin of an attack with any absolute certainty, making it much easier for threat actors to follow the money and perform the heist while operating ostensibly below the proverbial radar.
“When we look at where application attacks originate, the traffic is much more evenly distributed around the globe. The United States maintains an unhealthy lead as the biggest source of these attacks, but Russia, the Netherlands, and China all show significant amounts of alerts originating from their countries. It should be noted that ‘source country’ designates where the traffic is coming from and does not necessarily indicate where the actual attacker is located,” Akamai reported.
The development of virtual currency and introduction of in-game tokens by video game developers have indeed made online games a favorable environment for malicious actors to make a quick buck, as well as launder their ill-gotten funds.
As Akamai said, “part of the reason why gaming is so lucrative is the trend of adding easily commoditized items for gamers to consume, such as cosmetic enhancements, special weapons, or other related items. Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”