The current situation connected with the spread of COVID-19 has forced many people to change their daily habits and spend most of their time at home. Many people pursue hobbies that may be limited at the moment, so they look for other ways of using their spare time. One way of having fun is, of course, to play computer games, especially those that can be played by several players at once without the need for physical proximity – so-called online computer games.
Offensive activities against players of computer games are as old as gaming itself. However, the growing number of players in cyberspace increases attackers' chances of obtaining sensitive data specific to the online gaming environment.
Methods of attack
There are several methods of attack through which attackers try to obtain a victim’s sensitive data. These are either direct attacks on a player using various attack techniques, or attacks aimed at obtaining players’ data indirectly.
The attackers’ most common goal is to gain access to the victim’s account. Such an account can contain several valuable pieces of information at once – personal data, payment details and saved credit card information. Purchased games and completed transactions that add content to games (so-called microtransactions) are valuable as well. Particularly zealous players have purchased a large number of games and premium content, which attackers can easily sell or use for their own benefit after stealing the account (especially payment card information).
Attackers use various methods – most often phishing e-mails that contain malicious code, or social engineering carried out, for example, through the tools of the gaming platform itself, such as game chat, private messages and so on.
Compromise of gaming platforms
Attackers can also gain access to players’ sensitive data in ways other than compromising the players directly. There are dozens of platforms on the computer game market that offer games and game content. These can also be targeted by attackers, who are mostly interested in user data. Basically, one complex attack is sufficient for attackers to gain access to several thousand accounts, which they can afterwards cash in on, or whose sensitive or payment information they can misuse to their advantage.
Nintendo recently admitted that 160 000 game accounts on its gaming platform were compromised. This happened after a massive attack which resulted in the leak of identification login numbers and passwords to users’ game accounts; according to the company, the users’ nicknames, dates of birth, countries of origin and e-mail addresses could have leaked as well. Nintendo confirmed that some accounts were misused and that unauthorized purchases of games and game content were made. The company has reset the passwords of all accounts and issued security recommendations to users, while promising that unauthorized purchases will be cancelled and the money will be returned to users.
However, this was not the first such attack on a gaming platform. In 2011, about 77 million game accounts were compromised on the PlayStation Network platform, and the attack prevented users from using the platform. Sony was forced to shut down PlayStation Network for 23 days, while admitting the leakage of personal information from all compromised accounts. This attack is considered to be one of the biggest data leaks in the gaming industry.
At Christmas 2014, there was another attack targeting the Sony PlayStation and Microsoft Xbox platforms. It was a massive DDoS attack on both platforms, for which the Lizard Squad group claimed responsibility. Network service users were unable to connect to game servers for several days. Subsequently, in September 2015, both platforms were attacked, compromising 2 and a half million user accounts.
Fake websites and fake game offers
Increasing interest in playing computer games may also result in the creation of fake websites that offer cheaper games or premium content but whose real purpose is to steal the victim’s personal and payment information. For example, after payment a user may receive an activation code for a game, but the code may be fake, expired or already used by another user. By then, however, the attacker has already obtained the victim’s personal data or payment card information for further misuse or sale.
Fake websites with games and game content appear not only as a result of increased interest in playing games, but are often associated with other events, such as the release of new versions of popular games, the introduction of new game consoles or globally organized sales (such as Black Friday, Cyber Monday and so on).
Attacks on users
When playing online, there are other types of attacks whose goal is not to obtain sensitive data from the user. They are also not carried out by experienced attackers. These attacks are aimed directly at users in order to intimidate them, put them off or otherwise affect them mentally. The advantage for the attacker is the high degree of anonymity that can be achieved when playing online. The most common form of attack is certainly cyberbullying, which is present particularly among younger players. Bullying in a game can take the form of either verbal attacks through built-in communication tools (game chat, functions for spoken communication directly in the game) or unfair behaviour directly in the game. In this way, the attacker pursues various goals against the victim – from spoiling their enjoyment of playing to humiliating them in front of other players. Cyberbullying can also manifest itself as blackmail, which in online play takes the form of extorting game items from the victim, or victims can be forced to make real payments for games and game content.
In the world of online gaming, so-called cyberstalking – persecution of the victim – is also often present. Most often, the attacker constantly monitors the victim’s activity (what he plays, when he plays, with whom he plays and so on) or constantly demands attention. If a stalker’s needs are not satisfied, his activity can grow, for example, into cyberbullying.
Players often use communication tools in online games to have fun while playing, but also for coordination or giving advice. So-called bombing is often present in these communication tools. It consists of disrupting players’ conversations in order to disturb them while playing or to put them off with senseless activities, such as playing loud music into a microphone, producing excessive noise and so on.
Cheating is as old as playing itself. Playing online is no exception, and there are many players who spoil the game by cheating and using illegal tools to get ahead of other players. This kind of cheating is an attack not only on players, but also on the reputation of the game itself. Once there are several players cheating in the game, the other players stop playing, and the game developer suffers not only financially but also in reputation.
Based on the methods of attack described above, the National Cyber Security Centre SK-CERT issues the following recommendations in order to reduce the risk of attacks when playing online and to mitigate the consequences of such attacks:
- Do not share your game account login information with anyone
- Do not click on suspicious attachments and links in emails
- Do not respond to private messages or messages in a game chat that prompt you to provide your login or other sensitive information
- Set up two-factor authentication to log into your account (avoid SMS authentication if possible)
- Use complex and hard-to-guess passwords to log into your account
- If you have different game accounts, use a different password for each one
- Do not share unnecessary personal information in your profile
- Use nicknames when playing online; do not share your personal information such as your name, age or address with other players
- Do not save payment card information in your account profile; use one-time virtual payment cards for purchases
- Buy games and game content only in official stores of game platforms or through trusted websites. If you want to know how to recognize a trustworthy store, read our article about shopping online: https://www.sk-cert.sk/en/advices-regarding-shopping-on-black-friday-and-cyber-monday/
- If someone attacks you verbally or otherwise makes your game uncomfortable, use game tools such as reporting or blocking the user to prevent further such behaviour
- Parents are recommended to use parental control tools to supervise their children’s online play – account control, transaction control and so on.