Gaming is booming. That’s catnip for cybercriminals.
Millions of people escaped the drudgery of the COVID-19 pandemic’s first year by turning to video games, where they could cast spells, kill zombies and compete as their favorite athletes.
These virtual worlds also lured a different kind of enthusiast — the kind who sought to steal people’s personal information and real-world dollars.
In recent months, cybersecurity firms have warned that cybercrime in gaming has increased substantially since the start of the pandemic, and that the vulnerabilities — for game studios as well as players — are far from being vanquished.
“When you add more users or devices or applications to a user pool, you’re creating a larger attack surface,” said Tony Lauro, director of security technology and strategy at Akamai Technologies, a content delivery company that hosts large swaths of the internet. “In general, that is what is driving this massive increase over time.”
An Akamai report published in August said web application attacks, which exploit vulnerabilities in online programs like mobile games, were up 167% from May 2021 to April 2022 compared with the same period the year before. And a report last month from Russian cybersecurity company Kaspersky Lab found a 13% increase in malicious software attacks on games in the first half of 2022 compared with the first half of 2021.
The range of attacks and targets in gaming is enormous. Gaming companies can lose huge batches of data, and their games can be taken offline temporarily. Individual players can lose game progress, money and sensitive personal data.
Jessica Geoffroy, 29, was in some ways lucky that guilt was the main penalty she faced after she was hacked in December.
She realized something was wrong after she received a flurry of phone notifications from friends asking why she was still sending messages on Steam, a popular gaming platform, after she had gone to bed.
When Geoffroy found that she couldn’t log in to her Steam account, she knew she had been hacked.
“My heart was racing,” she said. “I thought, ‘Oh, God, what if they get my bank account information? What if they hack my friends and get their bank account information?’ — not knowing how far this is going to go.”
Fortunately, Geoffroy was able to reset her password that night. Nothing appeared to have been stolen, she said, but she felt “horrible” that the hacker had sent messages to her friends with the same compromised link that she had mindlessly clicked on — which another friend originally sent to her. That friend’s account disappeared after the link was sent, and she has not been able to get in contact with that person.
“A lot of people I know don’t think this stuff is going to happen to them,” she said. “They don’t realize it can happen and it will happen.”
Justin Cappos, a professor of computer science and engineering at New York University, said one thing that makes the gaming industry vulnerable is that developers are not hired to create secure software. They are hired to deliver games fast and frequently.
“If you are writing code that is meant for security, you often will spend a lot of time checking certain aspects of what is happening in the program to make sure everything is OK,” Cappos said. “You probably won’t have that same way of working through things if your primary goal, the main thing you care about, is to be fast.”
According to the Akamai report, gaming is the industry most hit by distributed denial-of-service, or DDoS, attacks, in which an attacker uses an automated technique to overwhelm servers with requests, severely slowing down the service or taking it offline altogether. These attacks can eat into a company’s bottom line as it scrambles to restore access and address customer complaints.
Akamai warned that as the gaming industry expands, it will attract more cybercrime.
“Financial crime is happening to younger and younger players all the time because they are in the gaming ecosystem now,” Lauro said.
Not all attacks involve exploiting source code or crafting compromised links. Some are just straightforward scams. Lauro said he once paid for a prize for his son on Roblox, an online game platform, and the prize never showed up. But the transaction was so small — less than a dollar — that his son was not really bothered by it, and Lauro knew that law enforcement would not be, either.
“Little transactions of 60 cents here, there — who is going to investigate that?” he said.
For the person running such a scam, thousands or more of these payments, or microtransactions, can net a high reward. Lauro and other cybersecurity firms have said that fraudsters often target small in-game purchases, which have become more popular in recent years, although there have been no major studies on how common these scams are.
Kaspersky warns that cheat codes are also a major threat for gamers: Criminals can use fake cheat programs to disable a target’s computer and steal information. In Kaspersky’s analysis of threats to 28 popular games, the company found thousands of files of this type, which affected more than 13,600 people from July 1, 2021, to June 30, 2022.
Kaspersky itself has come under scrutiny, underscoring the murky complexities of cybersecurity. In March, the Federal Communications Commission added the company, which is based in Moscow, to a list of communications services it considers national security threats. Kaspersky said the decision was made “on political grounds.” In any case, the company’s gaming research is consistent with other reports on the industry.
Game studios have also struggled to fend off attempts to steal their users’ data, take their games offline or leak their game code. In these attacks, hackers may use the stolen information as ransom or try to auction it for huge sums of money.
In June 2021, a hacker stole game code from Electronic Arts, the maker of the FIFA and Sims series. The stolen information was put up for auction with a starting bid of $500,000, according to a cybersecurity expert who spoke with The New York Times.
Rockstar Games, another prominent video game maker, disclosed last month that “an unauthorized third party illegally accessed and downloaded confidential information” from its systems, including unfinished footage from the next game in the Grand Theft Auto series.
In July, Bandai Namco, which publishes popular titles like Tekken and Elden Ring, said it was hacked. After an investigation, the company said this month that it could not rule out “the possibility of external leakage of information.”
Mayra Rosario Fuentes, a senior threat researcher at Trend Micro, a cybersecurity company, said in an email that the big gaming companies are prime targets because they make billions of dollars and have huge pools of customers.
“Cybercriminals know they do not want customers upset if their game goes offline, which then makes it to the media and could hurt revenue,” Fuentes wrote.
Fuentes said gaming companies needed to patch vulnerabilities in their code, improve employee training about hacks and look out for online leaks of employee credentials.
She and the other cybersecurity experts interviewed for this article said that despite the increase in threats, gamers could take steps to protect themselves: Use two-factor authentication, do not reuse passwords and keep software updated.
This article originally appeared in The New York Times.