Data Privacy and Online Gaming: Why Gamers Make for Ideal Targets
Since the release of its alpha version in 2009, Minecraft has grown from an independent video game title by Swedish company Mojang to an immensely popular open-ended sandbox game. Now available on multiple platforms, it has since gained such a huge following that in 2014, Microsoft announced a deal to acquire Mojang—and the rights to the game—for $2.5 billion.
In January 2015, it was reported that a plain text list containing 1,800 Minecraft usernames and passwords had been leaked online. The leaked account details would allow anyone to log in as the original user and download the full version of the game. How the hackers managed to hack into user credentials remains unclear, as Microsoft has since confirmed that their services weren't compromised and that they've taken the appropriate steps to secure the accounts. This could mean that the accounts could have been acquired through phishing or the use of keylogging malware, placing the blame on lax user behavior.
While the 1,800 leaked accounts are a drop in the pond in terms of scale and damage to users, it could have been worse. Gaming has become a major industry, boasting a steadily growing market and economy involving companies that invest huge amounts to develop the next big thing. It's also driven by a huge market of players that are willing to spend serious money not just to buy new games and platforms, but to gain an edge with in-game items and add-ons.
Virtual Economies and the Online Gaming Ecosystem
To put this into proper context, some popular online games such as Blizzard's World of Warcraft feature an enormous open world designed to accommodate a vast number of players. Despite reports of waning popularity, Warcraft still listed a huge subscriber base of around 7.4 million players in the third quarter of 2014 1. Just like any other massively multiplayer online (MMO) game worth a player's attention, it features a virtual in-game economy where players earn or pick up virtual items and currency that can be used or traded within the game. Unfortunately, the competitive nature of some players who want to gain certain in-game advantages has caused the emergence of an alternative economy—one that's not driven or regulated by the game's developers, where the concept of virtual supply and demand involves the exchange of real world money.
Because of the demand, this alternative economy has spurred enterprising individuals who have the time to play to "farm" the game by earning in-game currency and rare items. They then sell these virtual goods to players outside the game, either through chat rooms and dedicated forums, or online auction sites such as eBay for amounts that could reach hundreds—and even thousands—of dollars 2. The amount depends on the demand and the item's rarity. Unfortunately, this alternative virtual economy also comes with a dark side. The demand and potential for earning real money in exchange for virtual items have also made online gaming platforms and its user base an ideal target for hackers and cybercriminals.
The Dark Side of Online Gaming: Hacked Accounts and Identity Theft
The motivation for account hacking isn't hard to comprehend. There are a lot of ways for a cybercriminal to profit from simply stealing a player's log-in credentials. A simple Google search string that includes a popular game's title, plus "cheats" or "hacks" will return a number of results, some of which are heavily search-optimized sites designed to get players to click on ads, fill out surveys, or download a possibly malicious file. Hackers could get into a player's account by simply designing a phishing site or "hacking" tool that asks for a player's credentials. They could also use methods that are similar to the ones possibly used in the recent Minecraft incident: get players to download a file that delivers info-stealing or keylogger malware onto a player's system. In any case, the end result of these methods is to gain access to a player's account.
Once inside the victim's account, a hacker could do a number of things for profit. The online gaming world is rife with reports of missing—and likely stolen—in-game items, accounts, or characters that are held hostage for ransom, and credit card bills that reflect unverified in-game purchases. While the loss of a virtual item might seem petty to a non-gamer, it's serious business for a player who may have invested hundreds of in-game hours and real-world dollars to get something rare and powerful. To the hacker, a stolen virtual item could be easily swapped for cash.
Moreover, online gaming accounts will also invariably contain personal information besides the user's login credentials, such as the player's name, birthdate, address, mobile number, email address for verification, social network ID, and even a linked credit card account. This information is ultimately more valuable than an in-game item, as it could either be sold in cybercriminal underground markets, or used to further invade the victim's privacy by accessing email and other online accounts.
Links Between Cybercriminals and the Gaming Economy
When gamers want to get a leg up on their peers, there are two common ways to go about it. They can go the conventional route, which usually involves putting in more time and effort than anyone else; or they can take the easy way up the ladder by opening their wallets and buying premium game currencies from third-party sellers. While it's technically not illegal to buy or trade for items and game currencies from other users, these sellers might have used illegal methods to gain these items. There's also evidence pointing to sellers who have used the proceeds from these trades to fund cybercriminal attacks.
Trend Micro researchers uncovered a link between the trade of online gaming currencies and cybercriminal activities. Certain groups have been observed amassing virtual game currency using methods that include the use of phishing and info-stealing malware, or by exploiting loopholes and bugs within the game itself. They then advertise the sale of the stolen currency through websites, forums, and social media, and launder the money by trading the items for cryptocurrency. According to the report, cybercriminal groups were found using the proceeds from these deals (called Real Money Trading, or RMT) to fund attacks against corporations and other organizations not related to the gaming industry.
The full details of these operations can be found in the research paper, "The Cybercriminal Roots of Selling Online Gaming Currency".
How Can Players Ensure Privacy and Security?
Video games aren't just for geeks anymore. With the availability of different platforms that range from personal computers and consoles to handhelds, smartphones and tablets, the number of people that play games around the world have made the gaming industry one of the fastest growing industries on the planet. Its popularity and market size makes game platforms and individual users ideal targets for cybercriminals who see it as a platform for stealing user information, invading privacy, or spreading malicious content and malware.
As such, gamers must be aware of the privacy risks involved, especially when a majority of the popular games these days have either an online component or a pay-as-you-play business model where in-game items and add-ons can be bought for real money. Here are some tips on how to ensure data privacy and prevent gaming-related threats:
- When signing up for a gaming account, go through the account details and determine which are truly important for your gaming experience. While giving out your real name, address and birthdate might be required, it doesn't mean players have to be accurate. Do you really need this game to know your real name and address? The same goes for the required email address. Dedicated gamers are advised to set up a separate email account for game registration purposes to keep it separate from email accounts that contain your address book, contact information, and verification information for other accounts such as social media or online banking.
- If you have to search for tips or files that could help improve your gaming experience, avoid visiting unverified sites or downloading third-party software from unknown sources. It also follows that players should avoid using their game account credentials to log into third party sites or apps.
- If you don't plan on buying in-game items, don't link your credit or debit card details to a gaming account. If you do plan on making online purchases, ask your card provider if they offer an online verification service for online transactions. Similarly, regularly review your bank statements to make sure there aren't any unverified purchases.
- Install reliable security software that can also detect malicious links and spam and regularly scan your system to make sure that your system is malware-free.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases