In-Depth: Why Online Game Hacking Is 'Spiking'

Every January, security software firm ESET releases its Global Threat Report -- and this year, online game password security has become a primary concern. Gamasutra spoke with Jeff Debrosse, ESET's research director, to learn more. ESET, a vendor of virus and malware removal solutions -- best known for its Smart Security software -- tracks threats across all aspects of computing, not just games. But over the course of 2008, says Debrosse, "We saw [gaming] just spiking above all of the malware or types of security threats that we've seen." According to the Global Threat Report, the transition of virus and malware activity from thrill-seeking hackers to criminal syndicates is also what's driving the targeting of games. "That's really the crux of it all, that's really what it boils down to," says Debrosse. "In the past, it was really mischievous. People would deface a website or send a virus... something that would be more of just an irritant. But the criminal element has really figured out that if folks are going to spend their time creating malware, why not make it lucrative at the same time?" Why Games? Why Now? Games became a natural target, because of the "money trail" crooks follow, says Debrosse. "It really comes down to the really simple fact of they're looking for the trail where the most money is amassed... and in this case the money trail really leads to online gaming." Continues Debrosse, "A big part of it is really around the reselling of what I'd like to call 'virtual assets', whether it be the actual characters themselves... weaponry, shields, energy, any of those things that you can actually transfer in the virtual world... that's the goal behind getting the username and the password, and literally stripping it of all of its assets." But it's not that the games themselves are compromised by the malware creators, though, cautions Debrosse - rather, the user's machines are hacked to extract their passwords. What's Really Happening Out There? Attackers rely on more traditional, broader tactics -- tools like social engineering, or interacting with and convincing players to fall victim to attacks. This helps them introduce viruses and malware, like keystroke-logging Trojan horses. Debrosse notes, "From a research perspective, we look at the amount of malware that we're detecting that's targeting password stealing -- Trojans specifically -- that's built for games. We can see that when we reverse engineer [the software], that it's trying to get passwords and it's targeted to certain strings... and that has grown immensely over the last 12 months." The method? Debrosse explains: "It's a two-phase attack. If someone's account was compromised, then someone else can actually [using their avatar] during a chat session, or through in-game communication... they could leverage that people trust this person and point them at various URLs, and those URLs will either have drive-by malware or a specific [malware] executable." "What ends up happening is that folks may end up downloading and using it. This is just one methodology." These attackers also target gamers in external community sites, says Debrosse, through "banners on websites or URLs in chat rooms or forums" -- which can lead to unsafe URLs. "If [users] don't have adequate protection, they could very well be downloading malware without their knowledge." "The folks that are trying to get your credentials, your username and password, to get something from you, or to get you even to click on malware -- it all comes down to armchair psychology. A lot of the infections do not occur without user interaction." The Criminal Motivation What drives these criminals, and why don't they typically try to hack game clients directly? Says Debrosse, "What it comes down to... Someone who's on the non-criminal side tries to look at what their return on investment is." "The criminal element is thinking, 'Well, if I could just steal these credentials through a social engineering/malware method... it's easier to capture it from a keylogger than it is to create a specially-targeted piece of malware for that game'." And what's the major target? It's no surprise, says Debrosse. "World of Warcraft is the big prize for a lot of these criminals, because they know that there is a lot of in-world commerce and value, and they go for where the money is, and they know that there's a lot of money tied into World of Warcraft." "It's a volume game with them. Even if they don't get a lot per account, there are a lot of accounts they can go after." Though gamers can discover that their characters have been stolen and petition MMO customer service reps for assistance, it may be too late. These attackers often move quickly, strip the account of goods, and sell them off at bargain prices -- and once they have the money, they're gone. "Because it's at an attractive price, and the games are so popular, they'll have quite a few takers," Debrosse says. "It's fairly quick, the process is done... if [the stolen equipment] can be tracked down, the person who paid for it is out of luck at that point. They're gone, they've made their money, and they're going to move on to the next victim." What Can Developers Do? According to Debrosse, "The developers are doing a fairly good job. It's not that the games themselves have all of these vulnerabilities where someone can exploit them." "The problem comes around the client operating system, where the user is. It typically comes back to a user problem. It's user behaviors that come back, that level them vulnerable to someone exploiting them." "There's no software that's 100%, you'll always find some vulnerability," Debrosse maintains. "But what we've found from the stealing of online gaming credentials, it revolves around that malware and that social engineering, and if you were to figure out the root cause, it's someone doing something not correct -- trying to run stolen software, or clicking on a bad URL." While developers could put more warnings in games and forums to try and deter users from trusting strangers with their sensitive information, or to avoid clicking on external URLs, social engineering often wins over automatic messages. Debrosse does think that "if the developers were able to continue adding verbiage, to educate or remind their gamers" that security is important, there might be a positive effect. However, he also warns that, between human interaction and automated messaging, "there's a tremendous difference in effectiveness... There's this thing called click fatigue. If you were to pop up these warnings... people just want to click their way through so they can get started." There are also some possible technical aides. For example, Blizzard has introduced the World Of Warcraft authenticator RSA key generator. This is a physical token device that allows you to augment account security by entering a specially generated password created by the device every time you log in. But stopping attacks, in general, has little to do with adding better security to games. Debrosse concludes: "It does come down to something as simple as behavior modification. That behavior -- having not risky behavior online, but having a more careful, more insightful personality online," is what will protect users from having their accounts violated.