Online games and specifically the Massive Multi-Player (MMO) games, experience multiple attacks from hackers, platform competition that try to block players’ access to the gaming platforms, as well as cheating players that can attack other players slowing their connection, while gaining a competitive advantage. These attacks can take the entire game offline, resulting in hundreds of thousands of dollars lost, according to Radware’s threat research team.
SuperData's report of online games shows Fortnite, the top online game, is grossing $318 million per month. "If Fortnite was to suffer a cyberattack and it resulted in an outage, it could lose +$400,000 per hour (if you break it down using the following math: $318,000,000/ 30.5 (days a month)/ 24 (hours a day))," says Eden Amitai, Cyber Security Evangelist at Radware.
Other games may lose less, but it's still affecting profit margins, Amitai expains: "For instance, online games that bring in $150 million per month could experience $200,000 direct loss of revenue, or a less popular game that has a revenue of 75 million per month may lose $100,000."
Adding fuel to the fire is the fact that the online gaming world has exploded during the pandemic as a record number have turned to it for escapism, entertainment, and social interaction. Estimated to surpass $200 billion by 2023, gaming is now considered to be one of the fastest-growing industries on the planet.
“We are living in the golden age of online gaming. PlayStation5, Xbox X, new powerful GPUs, AX routers and other recent dedicated developments for gamers show us how much the tech-world focuses on providing the best, most flawless gaming experience. Online gaming has seen tremendous growth over the past years, and during the pandemic a record number have turned to it for escapism, entertainment and social interaction. However, it is also in high gear for hackers and cybercriminals who look to wreak havoc," says Amitai.
Amitai says Radware has observed a significant increase of thousands of web and DDoS attacks on gaming customers since the onset of the pandemic.
"Many gaming companies trying to serve their growing customer base ran too fast getting up their new architectures and networks, leaving them vulnerable to various attack vectors. The attack surface exacerbated when online gaming companies began to rapidly migrate to the public cloud," Amitai explains. Radware’s most recent C-suite report showed 76% of the respondents said that the pandemic accelerated their cloud migration plans, which leads to a major liability question and the need for a deep security understanding of the shared responsibility mechanism.
Alec Alvarado, Threat Intelligence Team Lead at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains that a significant pressure facing the online gaming industry regarding cybersecurity is protecting its customers' data.
"This goal is increasingly difficult to accomplish as the online gaming industry has the task of safeguarding an attack surface that is continually expanding. The inherent requirement to be connected by online gaming consumers makes them attractive targets. Digital Shadows has seen multiple instances of mass phishing targeting consumers in this space. Obtaining credentials to online gaming accounts provide a wealth of information (i.e., payment card details, personally identifiable information) and digital gaming currencies (i.e., Fortnite's Vbucks). This information can be resold easily in the criminal market and is easily monetized."
There is also pressure to ensure a fair gaming experience, Alvarado notes. "This scenario is interesting as it is a unique issue that impacts online gaming organizations. Online gamers who don't see their gaming experience as fair aren't going to play, and losing players is exceptionally damaging for organizations in this space," he says. "Ensuring an adequate gaming experience is challenging to accomplish, as there are so many ways that players are attempting to tilt the odds in their favor."
Ransomware operators have also seen some success in targeting organizations in this space, placing more pressure on gaming organizations, Alvarado says. "The development of games spans years of work and considerable resources. Suppose there is valuable information to someone; it can be used for extortion in a ransomware attack. For example, the video game company Crytek was just named on the data leak site belonging to the Egregor ransomware variant's operators. Threatening gaming companies with the exposure of information related to games in development would be a strong negotiating tactic and would likely result in payment."
Hacking into games to steal in-game currency is another threat the online gaming communities face. This has been an issue for decades, and the rise of mobile gaming has only exacerbated it, explains Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions.
"Games built for smartphones and tablets are more lightweight than their counterparts on PCs and consoles, which means that security could be overlooked in the development process," Schless adds. "Account takeover (ATO) is a common goal for threat actors. They often achieve this by sending targeted mobile phishing links to steal their login credentials. What happens a lot is that threat actors will send a phishing link through the in-game messaging system, directing the player to a fake login page. Usually, the actor will pose as a member of the game’s support team to convince the target to go to that fake page. This is just another iteration of mobile phishing. Malicious links can be sent to you through any app now, not just in emails."
Malicious actors also build alternate versions of games and distribute them on third-party app stores that don’t have the same security requirements as the Google Play Store or iOS App Store, Schless notes. "These alternative apps are often trojanized, meaning they function like the legitimate version but have malicious code injected in them. These malware can gain access to anything that’s on your phone or tablet," he says. "Since we use mobile devices for both work and personal reasons, these malware are a threat to your organization as well. With information extracted from your mobile device, a threat actor could gain access to your organization’s infrastructure and carry out a larger attack."
"Without mobile security on employee devices, organizations have no way of detecting and blocking malicious apps that could introduce malware into the infrastructure," Schless notes. "True security professionals understand that discovering weaknesses or vulnerabilities in a mobile app of any type should be used for continuous improvement of app security. White hat hacking a mobile app as a security professional can go two ways:
- You’re testing the app’s security for your organization or the game developer to better improve its security.
- This is a legitimate way to help ensure the app is safe and free of exploitable vulnerabilities or hidden malware.
- You reverse engineer the app with ethical tactics, but for selfish reasons, such as making a profit.
- This goes against security best practices, violates the Terms & Conditions of mobile apps, and is illegal.
- Security professionals should know better than anyone that operating outside those best practices can put their entire organization at risk of an avoidable incident.
Alleviating overall cyber pressures is certainly no small feat, says Alvarado, but should be important to organizations in this industry. To help mitigate these pressures, he says security teams in charge of ensuring a smooth and secure online gaming experience:
- Need to have a strong understanding of their assets. Ghost assets that are not properly managed can be an easy attack vector for threat actors.
- Can incentivize their users to report instances of cheating or vulnerabilities through dedicated bug bounty programs.
- Should have a strong understanding of threats to their organization and the broader industry. Knowing what threat actors are active in the space, knowing what information they target, and how they target their victims is an excellent way to prioritize defense resources.
- Enforce and abide by cybersecurity basics - as should be the baseline for all organizations.
"As this is a multi-billion industry, we should expect gaming companies to follow the strict cyber resilience we see in other multi-billion industries. No gaming company wants to damage its brand name among its community, and no user wants to have a frustrating leg experience," says Amitai. "Hackers and botters that attack the gaming industry are on the rise, and we, the security people, must do our job to keep our online game, online.”