Features 03.10.2024
Game Over? Cybersecurity Threats Surge in Online Gaming
Are your employees gamers? And if so, what does that mean for your security posture?
Features 03.10.2024
Are your employees gamers? And if so, what does that mean for your security posture?
The sheer size of the gaming industry might surprise you. By the end of 2024, the sector’s worldwide revenue is estimated at $282 billion. To put that into perspective, the global movie industry is expected to hit $104 billion this year, and the North American sports market was worth $83.1 billion in 2023.
Yes, you read that right: gaming is now bigger than cinema and North American sports combined.
Yet, despite the industry’s sheer scale and monetary value, it’s not routinely discussed in cybersecurity circles. Instead, when it comes to threat vectors, email clients, productivity tools, and other business-orientated software receive the lion’s share of attention.
This is a concern. When any sector is worth hundreds of billions and is visible on many of our devices, you can bet your bottom dollar it attracts bad actors. Gaming is no exception.
“Gaming has long been a notable threat vector for actors who target it for financial gain,” says Ken Dunham, cyber threat director at Qualys Threat Research Unit.
He points to a story from 20 years ago of Chinese hackers leveraging “a zero-day vulnerability to target online gaming by performing an account takeover and selling virtual gaming commodities for real-world cash.”
This is one of many examples. There was a panic in the ‘80s and ‘90s because Leisure Suit Larry, a risqué adventure game, was potentially being used to spread a virus that targeted financial institutions.
“A zero-day vulnerabilityperformed an account takeover and sold virtual gaming commodities for real-world cash” Ken Dunham
More recently, a tank simulator called War Thunder played host to the leak of military secrets. A player claimed the game’s design of the UK’s Challenger 2 tank was inaccurate and uploaded classified documents to prove themselves correct after some online goading.
Gaming has been a thorn in cybersecurity’s side for some time. As the gaming sector grows rapidly, so does its potential for abuse.
It’s happening already. A Kaspersky report revealed that gaming-related cyber attacks increased by over 50% in the last three years, while a Norton study stated that over 10% of malware attacks in 2023 could be traced back to gaming-related platforms.
“The rise of online gaming platforms, mobile games, and the gaming community’s migration to cloud-based services have created new opportunities for cyber attacks,” says Carlos Faria, chief technology officer at Yacooba Labs.
The more popular gaming is, the more potential paths of attack there are. But what does this look like in reality?
When games are on company devices, there are a gamut of ways they can be dangerous. Andrey Slastenov, head of security at Gcore, says one of the biggest risks is when titles are downloaded from unverified sources, whether that’s via illegal methods or from unofficial websites.
“These often come bundled with malicious elements such as ransomware, malware, and viruses, posing serious cybersecurity threats,” he says.
“The rise of online gaming platforms migrating to cloud-based services have created new opportunities for cyber attacks” Carlos Faria
As games become increasingly huge and complex, the number of potential vulnerabilities in the software also rises. This can give hackers more chances to unearth sensitive information.
Another issue, and one Slastenov raises, is the thriving add-on market for games. “Malicious software can also be hidden in supplementary content like skins, patches, or mods,” he tells Assured Intelligence. If users download this sort of material, they can also be putting companies at risk.
The danger of gaming doesn’t stop if titles are removed from work machines, though. Many experts raised the issue of reusing passwords and login information across accounts and the exposure to those who use them.
As Dunham from Qualys points out: “If credentials are compromised, no matter where they are harvested, criminals are quick to attempt to leverage them in other locations.”
With many games made by small studios worldwide, there’s little guarantee over the safety of users’ data. If people reuse their credentials and they’re accessed by hackers, many bad actors are quick to test this information across other platforms, including social media, banking, and corporate sites.
Another avenue hackers use games for is social engineering attacks. What separates this approach from other phishing methods is that online gaming often encourages people to form bonds, as players will work with other individuals to complete tasks, spending time chatting as they do so. This can make people more amenable to sharing sensitive data than they would be with someone who, for example, sent them a random email.
The million-dollar question, then, is how companies can mitigate these vulnerabilities.
Boris Cipot, senior security engineer at the Synopsys Software Integrity Group, sums up the dangers succinctly: “The main risk, in my opinion, stems from the fact that employees often treat their corporate devices as personal ones, with corporate administrators allowing this.”
Solving this is a two-fold issue. To begin with, Cipot believes that “the top priority should be education.” Informing employees about the danger of reusing credentials and phishing attacks in gaming is critical to prevent them, especially as many might not view their favourite pastime as an avenue for cyber attacks.
“When employees are aware of these risks,” Cipot says, “they better understand the need for corporate security measures.”
The second part of stemming the risk of employees treating corporate devices as their own comes from Yacooba Labs’ Faria. He thinks companies must “clearly define the separation of work and personal devices, ensuring employees do not download games or play them on work devices.”
Faria also suggests proper management of this hardware. “[Businesses must] deploy advanced endpoint security on all devices, including mobile, to detect malicious software or activities tied to gaming,” he says.
“While the cybersecurity industry is generally aware of the threats posed by gaming, it’s often under-prioritised in comparison to other attack vectors” Carlos Faria
Companies can also use other tactics to reduce the risk of gaming. Dunham from Qualys suggests altering login systems, either using multi-factor authentication (MFA) or moving beyond passwords and using biometrics instead. This approach would seriously hinder hackers who are grabbing credentials from data breaches.
A final suggestion comes from Chris Anley, chief scientist at NCC Group: “It’s important to ensure that devices are secure and corporate data is segregated.”
This type of network segregation is good practice for any organisation but becomes even more pressing considering the proliferation of gaming threats. When games are on mobiles, computers, or, in some offices, networked-connected consoles, it’s vital to protect and secure sensitive data. On this latter point of consoles, Anley emphasised the importance of “keeping gaming software up-to-date and maintaining vigilance via network and device monitoring.”
Over the past 20 years, gaming has transformed from a sideshow into the main event, and this isn’t going to change anytime soon. While the cybersecurity industry seems aware of the dangers, the sector’s explosive growth poses a peril it’s not currently focused on dealing with.
As Faria says, “While the cybersecurity industry is generally aware of the threats posed by gaming, it’s often under-prioritised in comparison to other attack vectors like phishing, ransomware, and insider threats.”
There’s also a cultural element to this danger. Most people would think twice about opening an email with a strange attachment, but fewer would view playing an inoffensive mobile game they downloaded on their work phone as a real risk.
Combatting this threat requires two main approaches. The first is ensuring that staff are adequately educated about the dangers of treating work devices like their own. The second is keeping the organisation’s cybersecurity hygiene up to scratch, meaning any breaches through gaming can be dealt with quickly and without fuss.
Gaming isn’t going anywhere, and the sooner the cybersecurity sector treats it with the seriousness its size demands, the better.