The Account Hijacking Epidemic: What Online Video Game Publishers Need to Know

Account hijacking, or the process by which a hacker or fraudster gains unauthorized and complete access to a player’s account, is not new. In 2012, Kaspersky Labs identified 5,000 new types of malware targeting online games DAILY. In 2015, a hacking group posted 1800 Minecraft usernames and passwords online. According to the cybersecurity firm Trend Micro, this “allowed anyone to log in as the original user and download the full version of the game” and goes on to list multiple vectors of damage account hackers can cause, including stolen virtual items, characters being held for ransom, credit card fraud, and identity theft. Another high-profile example of account takeover is Steam Stealer malware, which is propagating 77,000 Steam account takeovers on a monthly basis.

What is new, however, is the frequency that hackers and fraudsters are targeting online video games for account takeover. The explanation as to ‘why’ is simple: it is the unintended consequence of the video game industry’s rapidly changing business model. Under the new business model, the majority of revenue is driven through dynamic, multiplayer, online experiences with virtual economies that interface with the global ‘real money’ economy. This correlates to billions of dollars flowing in and out of video games each year. With so much money at stake, hackers are simply being hackers, and following the money, which has led them straight to video games.

Today, traditional malware that enables man-in-the-middle exploits, keylogging, and remote access is being used to hack into players’ online game accounts. What’s particularly frustrating is that the tools and techniques currently being used to compromise video game accounts are the same tools and techniques that were used to steal online bank account information almost a decade ago.

Some video game publishers, to their credit, are attempting to prevent account takeover by using common login controls, such as multifactor authentication, secret questions, device reputation, and IP/geolocation technology. Unfortunately, hackers have had more than a decade to learn to defeat these front-end controls, thus providing little resistance and only delaying the inevitable takeover by a few hours, or days, at best.

To monitor in-game activities, video game publishers typically create manual reports
 and database queries based on forensic investigation of confirmed takeover events to try and identify suspicious behavior. Game companies, unfortunately, are learning what banks learned ten years ago: reactive reports are expensive to set up, hard to keep updated, and require extensive manual review. Ultimately, neither login controls nor forensic reports can effectively prevent hackers and fraudsters from initiating attacks.

Once cyber criminals hijack a player’s account, they can steal their accumulated virtual items and wealth, commit traditional credit card fraud, and even introduce destructive bots into the game that farm resources and currency. Subsequently, a thriving online ‘Gray Market’ for virtual items and currency that are normally won or purchased inside of games has erupted; providing a safe haven for cyber criminals to sell their illegally obtained items for a fraction of the publisher’s price.


Learn from the Bank Hacks: Using Behavioral Analytics & Anomaly Detection to Fight Back

It is all too common for online video game operators to learn that a player’s account has been hijacked only when that player contacts customer support or when an unauthorized credit card transaction 
is charged back by the cardholder, sometimes as much as 60 days after the takeover.

By this time, significant damage has likely been done: the player’s accumulated items and wealth have been stolen and sold on the gray market, their credit card information has been compromised, and/or destructive bots have been introduced into the game to farm resources and in-game currency. It can be difficult, if not impossible, for the operator to restore stolen items and currency, and even if they can, the player is likely to leave the game for good after he or she’s been taken over due to a sense of unease or violation.

To mitigate, or defeat account hijackers, online video game publishers must take notice of the banking industry and utilize in-game security that can provide video game publishers with a 360-degree overview of player behavior over time. Using proprietary anomaly detection and behavioral analytics, our product, called Watchtower, enables video game publishers to identify and alert on suspicious behavior by modeling normal, historic player behavior and looking for activity that varies from what is normal. The SaaS-based product’s real-time, actionable alerts and research tools allow analysts to make quick and informed decisions that stop malicious in-game behavior before damages can occur.

Would you like to know more? Click here to read our use case based on the true story of a diehard gamer named Crafty.