Target Locked: Game Accounts

Millions of people play video games in some way, shape, or form, from Call of Duty to World of Warcraft to Candy Crush, on multiple devices. As with anything popular, games are drawing the attention of those who want to exploit the unaware. As technology has grown, so has cybercrime, and gaming is no safe zone. Even as leading companies in gaming are working to increase security, the best way to keep your accounts safe and secure is to rely on good, unique passwords, stay aware, and enable two-factor authentication wherever possible.

The gaming industry is worth as much as a dragon’s loot

The trading and selling of game accounts has become a lucrative business, enough that some sellers are making six figures a year. Since this activity takes place in somewhat of a legal grey area, some of these people, such as KHaccounts or toonvendor, are legitimately taking advantage of a largely untapped market. However, many people are trying to steal accounts and sell them, as selling accounts has grown to be a billion-dollar business. According to research, account resellers who are good at it make on average $2K-$8K/week (toonvendor), and this business is only increasing as online gaming becomes more and more widespread.

Locking onto social engineering

Malicious actors have developed many different ways to steal your account and ultimately gain access to your sensitive information. The top method for stealing personal information in the gaming community is social engineering. Social engineering attacks commonly take the form of phishing emails or in-game messages in which malicious actors attempt to solicit sensitive (or account) information from victims. Attackers often try to masquerade as the game support company, crafting a professional-looking support e-mail leading to a realistic support page. This e-mail and web page will include links to legitimate pages on the company’s website, except for the link to the login page, which usually looks a little bit different; since everything else looks legitimate, victims often don’t notice. Once attackers have captured your credentials, they will change all the passwords and information on your account.

A different type of attack called ransacking involves the concept of power leveling. Power leveling is the optimization of leveling up the character in the shortest possible time. Players don’t always have the time or patience to undertake the seemingly endless grind to level their own online characters, and so an entire sub-industry has surfaced in which players can pay other people to level their characters for them. Essentially, a player gives a power leveler their account information, and, while the player is away, the power leveler levels the character up. Of course, certain people offer this service with malicious intent. After these credentials have been given to them, they ransack the accounts. With valid credentials, they can log in and change everything, including login information and even credit cards attached to the account. Moreover, anything a player might have gained in the game is almost always forfeit.

Ransacking of an account is often done using account sharing, where multiple people share one account, which is never a good idea. Online friends might repeatedly ask to share and “trade” games, but the risk of doing this is very high, as allowing someone access to an account also allows access to billing information and creates the potential for hijacking the entire account. Account sharing is a major concern for children, who can be coaxed into sharing their account with a stranger online who may offer only a fake or burner account in trade. If a parent’s billing info is saved on the account, the attacker might have gained all the info they need for identity fraud.

Attackers also often look to trade in-game currency for real money in online games. The attackers will direct players to a website they created to take credit card info or use a money transfer service such as PayPal. Using this fake promise, they can then ask for credentials to get into an account and conduct the trade or just take the player’s money and kill off the website/burner account.

Attacking gamers through other means

Social engineering isn’t the only way to attack gamers. A malicious user with physical or logical access to a victim system can install a hardware or software-based key logger. Key loggers are devices or software that record all of the keystrokes on a connected computer. This type of attack is not specific to gaming, but it is no less effective, and can lead to a compromise not only of a specific gaming account, but often additional information on the system.

Sophisticated attackers often target gamers through malware: malicious programs that can perform a variety of actions, but often allow intruders into your system. Often, these programs appear to be a legitimate game, but are actually malware in disguise. For example, when Pokemon Go was released, it wasn’t long until a malware version appeared. Users think they are downloading the actual game, when in reality they are downloading malware. Additionally, malware can be attached to special items in the game that the malicious user can propagate throughout the in-game world.

+5 Security armor

All of these attacks may seem scary, but there are plenty of ways for players to protect themselves, and the game companies are starting to work to better protect players. One of the easiest strategies for players is just never giving out their account passwords. Most game companies will never need it, and as long as their passwords are lengthy and complex, they are unlikely to be cracked. Limiting access to any account will help keep it protected, as the more people that use it, the more opportunities there will be for malicious things to happen. Several game platforms now allow players to have a family account where the account parent can control all of the child (sometimes called “sub”) accounts and prevent them from accidentally giving credit card info away.

If a player suspects they are being phished by email, they should carefully inspect the links in an email before clicking on them. By hovering the mouse over a link, the player can see where it will take them and judge whether that address is good or not. Additionally, the player can right-click and choose Inspect Element to check whether the link or form is valid. Also, many phishing messages contain broken or improper grammar, but this is becoming less common, so it should not be relied upon. Seeing any of these problems in a message should raise a red flag about the message’s authenticity. Similarly, game developers and publishers do not require a password in any support messages, so if a player is asked to provide account info beyond just an account name, the email should be regarded as suspicious. Another large hint can be the domain an email comes from; if the email should come from “Company Name:”, a spoofed phishing email can come from an email address such as “Company Name:”. Attackers may even try to change the “.com” to “.net” or something else as well. The best defense is to always check all parts of the email and be aware.
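The link check described above can also be done mechanically. The following Python sketch is an added example, not part of the original article: it assumes `example.com` stands in for the game company's real domain (with a single-label TLD) and runs over a constructed sample e-mail body, flagging the login link that differs while the other links are genuine.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "example.com"  # assumption: stands in for the game company's real domain

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, text, trusted=TRUSTED):
    """Return 'ok', 'lookalike', 'mismatch' or 'external' for one link."""
    host = (urlsplit(href).hostname or "").lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "ok"                      # the domain itself or a true subdomain
    brand = trusted.rsplit(".", 1)[0]    # "example" from "example.com"
    if brand in host.split("."):
        return "lookalike"               # brand under another TLD or inside another domain
    if trusted in text.lower():
        return "mismatch"                # text shows the real domain, href goes elsewhere
    return "external"

def suspicious_links(html, trusted=TRUSTED):
    """Return (verdict, href) for every link that does not point at the trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    verdicts = [(classify(h, t, trusted), h) for h, t in parser.links]
    return [v for v in verdicts if v[0] != "ok"]

# Constructed sample e-mail body: the FAQ link is genuine, the login links are not.
SAMPLE = """
<p>Your account needs attention. <a href="https://support.example.com/faq">FAQ</a></p>
<p><a href="https://example.net/login">Log in</a> or
<a href="https://example.com.login.test/">Account page</a></p>
<p><a href="http://account-verify.test/reset">https://example.com/reset</a></p>
"""

if __name__ == "__main__":
    for verdict, href in suspicious_links(SAMPLE):
        print(f"{verdict:10} {href}")
```

The comparison is made on the parsed hostname rather than on the text the reader sees, which is the same thing hovering over the link reveals.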

Game companies, for their part, are implementing two-factor authentication (2FA), which adds an additional layer of security. 2FA requires having an additional login method that is different from the primary login method. Normally, authentication requires something you know (e.g. a password), something you have (e.g. a phone), or something you are (e.g. a biometric). 2FA simply requires that in addition to a password, you provide a secondary piece (usually a phone in the form of an SMS or application like Google Auth) before being granted access to the game. Some game companies have even taken to offering in-game rewards if you set up 2FA. No one wants to spend more time getting into a game, but the risk of an account being compromised when using 2FA is significantly lower than without 2FA.
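To make the second factor concrete, here is an added example (not from the original article) of how a login server can check a time-based one-time code of the kind an authenticator app displays. It assumes the standard TOTP scheme from RFC 6238 with HMAC-SHA1 and 30-second steps; the function names and the `password_ok` flag are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Compute the RFC 6238 code for the 30-second step containing time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_login(password_ok: bool, code: str, secret: bytes,
                 now: float, window: int = 1) -> bool:
    """Grant access only if the password check passed AND the code is current.

    `window` accepts codes from that many steps before or after `now`
    to tolerate clock drift between the phone and the server.
    """
    if not password_ok:
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False

# Constructed demo values: the shared secret is the RFC 6238 test key.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)
    print("fresh code accepted:", verify_login(True, code, DEMO_SECRET, 59))
    print("old code accepted later:",
          verify_login(True, code, DEMO_SECRET, 1111111109, window=0))
```

A password captured by a phishing page is not enough on its own here, because the code changes every step and is derived from a secret that never leaves the phone and the server.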

Games are supposed to be a place to unwind and relax. Players want to be able to escape to new worlds and live beyond their current reality, but unfortunately, there are those who want to prey on this beloved hobby. It is critical that players become aware of the malicious attacks in the gaming industry and take better steps to protect themselves. Using stronger passwords, enabling 2FA, and being more aware about e-mails and in-game messages can make all the difference. Have fun and play what you want, but just keep your information safe!


Latest posts by Saurus