Playing for Keeps: How Cyber-Criminals are Following the Money to Video Games

The global video game market just topped $100bn in value, and cyber-criminals want a piece of it. Danny Bradbury finds out how they operate

The video game has come a long way since the home hobbyist days of the BBC Micro and the ZX Spectrum. Eight-bit follies developed in the bedroom have given way to 32-bit masterpieces – and the games themselves aren’t the only thing to have evolved. Criminal activity in the video game market has grown, and changed.

What was a cottage industry is now a global one. Gartner puts the size of the global video game market at $101.6bn in 2014, up from $79bn in 2012. By 2015, it will top $111bn, the analyst firm says. But where revenues are high, cybercrime will surely follow.

Pirates Drop Anchor

Piracy is often mentioned by those exploring cybercrime in the games industry, because it has been a traditional problem. In the early days of computing, video games were almost entirely distributed on magnetic or optical media that was then cracked by pirate groups.

These cracker teams evolved from pre-internet BBS hobby groups, who would disassemble game code to remove software copy protection, before uploading it to ‘elite’ back-room sections of piracy BBSs and web chat rooms, or distributing it physically.

One of the earliest cracker groups was Razor 1911, which is still cracking games today. These days, cracked games are distributed mostly via peer-to-peer networks.

Game piracy is still a healthy criminal industry online, although less so than some industry groups would have us believe, according to researchers at MIT. They surveyed networks using the BitTorrent protocol, and found that 12.6 million unique networked peers from 250 geographical areas were sharing games.

There is a heavy concentration of titles and geography. Just over 40% of piracy focused on ten titles, and three quarters of piracy came from just 20 countries.

This game code often gets stolen from the source, rather than cracked after release. In July 2014, Dell SecureWorks identified TG–3279, a Chinese group that it said has been infiltrating videogame development companies since 2009.

TG–3279 used traditionally well-understood penetration techniques, including the use of network scanning to profile its targets, and the installation of remote access tools (RATs) to gain access to specific machines. SecureWorks said that the group could be stealing the source code for several reasons, including piracy, or in order to use the source code in competing products.

A Changing Industry

In spite of these traditional thefts, the industry is changing, according to Greg Boyd, partner and chairman of the Interactive Entertainment Group at legal firm Frankfurt Kurnit. Boyd has spent over ten years advising companies about the licensing and distribution of video games.

Tomorrow’s industry won’t look like today’s, he says.

“It used to be the case that bricks and mortar stores were the way to go, but that’s a dying business,” Boyd argues, suggesting that these retailers are chasing fading revenues, much as their counterparts did in the music business.

“There are still billions to be made from the end of the boxed goods market, but as digital distribution grows – as mobile devices become more powerful – the box stores become less relevant.”

Instead, he notes something that the MIT research paper also identified: game distribution is already shifting to direct online downloads. Companies such as Valve have emerged, with a business model of games that can be purchased or rented online and downloaded to a PC.

Boyd predicts the disappearance of disks altogether by the time the next generation of consoles emerges. That iteration is just a decade away.

Different Data Theft

Consequently, the goals for attackers have shifted. Increasingly, attackers are going after other kinds of data.

“The biggest threat now is to consumer information,” Boyd says. “The personal information threat is the largest, particularly when related to cross-border issues.”

The most notable attack was the Sony PlayStation Network hack of April 2011, in which the unencrypted personal details of 77 million customers were compromised, including names, passwords, addresses, and birth dates.

In November that year, Valve announced that its Steam network had been hacked, and that credit card information may have been compromised.

Follow the Money

In many cases, online networks can be used as tools by cyber-criminals, rather than exploited directly for data. In June 2013, the United Nations Office on Drugs and Crime (UNODC), issued a report reviewing cyber-criminals’  methods for money laundering.

The report identified online gaming as a key avenue for online money laundering, thanks to the rise of virtual economies in video gaming sites. Multi-player games use in-game currencies such as World of Warcraft gold that can be exchanged for real money.

Typically, a criminal will establish several accounts on various online games to move money around. These virtual players are used to obfuscate real identities. Money can be exchanged between them, and then cashed out, often in different countries, without the collusion or knowledge of the company running the game.

Criminals can become invisible on these sites, warns Raj Samani, CTO EMEA at McAfee.

“It’s due to the vast amount of traffic that they have, but also that it’s outside the purview of law enforcement,” he says.

This is also a problem for online gambling sites, he argues. Money launderers can send each other money through gambling sites that unwittingly play host to the exchange of illegal funds. The money can be sent in various ways, either directly between accounts, or as winnings.

The online gambling market alone is expected to reach €28.2bn ($37.6bn) by 2015, according to research from Odobo/H2 Gambling Capital. But the unlicensed sector of the market is far greater.

As of November 2013 there were approximately 104 international jurisdictions that regulated a total of 2,734 internet gambling sites, Samani told Infosecurity, which he calls a “drop in the ocean”.

Those unlicensed sites are unlikely to report their transactions to the authorities, and will often take deposits through alternative channels to traditional financial institutions, or in crypto-currency payments such as Bitcoin.

Online gambling sites themselves can also be attacked for their own money.

Michael Hadjuk, an entrepreneur from Calgary, Canada, had to take his video poker site Infiniti Poker offline after an attack. Players had siphoned funds from his system using multiple accounts and player collusion.

One of the dangers lies in sites that offer no-deposit credit to attract new players. Typically, they’ll put a few dollars in a new player’s account, on the condition that they must accrue a certain amount of winnings to withdraw it.

“If you have 20 people and they each take out the no-deposit credit account, and then they all go to the table together, they can do what’s called chip dumping,” he explains.

The players would collude, all deliberately losing to one person, who then cashes out their winnings — including the free credit that other players had lost to them. “Multi-accounting works the same way,” he says. In this scenario, no collusion is needed. A single attacker creates several fake accounts, and ‘loses’ their no-credit deposit to a single account.

Online sites are supposed to block that, but his software failed. “The biggest problem is that admin tools didn’t block people quickly enough,” Hadjuk complains. He is now re-crafting his back-end system for a relaunch in Q4 2014.

DDoS Chaos

Multi-account and collusion attacks aren’t the only ways to attack an online gambling site. Distributed denial of service attacks are similarly damaging, say experts. Rod Soto is a senior security researcher at PLXsert, a response team operated by Akamai company Prolexic. He gathers intelligence on DDoS attacks around the world.

“One case is where you see extortion. So the criminals force the site to pay them or they take them down,” he says.

He alleges that some DDoS attacks on gambling sites may be carried out by competitors. “There have also been cases where online gambling activity is forbidden by the law, where there might be signs of participation by governments,” he says. 

Sometimes the attack sources, along with the quality of the tools used, suggest more capable attackers. “To get those types of tools you need a level of skill that is either financed by organized crime or behind a state actor,” says Soto’s colleague, Robert Morton. But with all of these cases, attribution is almost impossible.

DDoS attacks using online video game sites are also common, and can be launched for various reasons, explains Soto. In the simplest cases, rival gamers will seek to take each other offline to gain the upper hand in a gaming scenario. These DDoS attacks target other players’ IP addresses directly, uncovered using network analysis tools such as Wireshark or Cain and Abel.

The DDoS attacks can be run from an attacker’s own computer, or can be accessed as services running on third party servers.

Alternate attacks using ‘reflection’ DDoS attacks are often targeted at other, non-gaming institutions, but use the online gaming servers as attack sources.

These attacks use services that aggregate IP addresses for online game servers. The lists are swept for vulnerable servers, explains a report on the attack from Prolexic. Vulnerable servers are then used to reflect traffic from gamer clients to the attacker’s target, overwhelming it with packets.

The range of attacks is as broad as the reasons for the attacks — and the evolution of cybercrime online will only continue. With mobile gaming already constituting 16% of the global market, we can expect to see an increase in malware-ridden games that steal personal data or control the phone platform directly.

Innovation has driven amazing advances in the video gaming world, fuelling quantum leaps in graphics and gameplay. But there is a dark side to innovation, too. Whenever there is a new development in online entertainment, there will always be someone willing to exploit it.