Security of online gaming business: reasons to care

Online games these days are products of years of development with budgets approaching those in Hollywood, and with similar marketing support. And if we speak of massively multiuser online games

Online games these days are products of years of development with budgets approaching those in Hollywood, and with similar marketing support. And if we speak of massively multiuser online games (MMOG), in most cases these are created to provide end-users with continuous entertainment, while the game creators – with a source of continuous income. In other words, each MMOG is a business enterprise on its own. As such, these games and associated services (distribution platforms, specifically) have certain common traits with online banking/payment, social networks (they are social networks of sorts, after all), and other web services. Online games operators do process personal and payment data, have to work with the players’ community, attract new clients and keep the older ones loyal. Similar are the problems online games face: reliability of hardware and software under the high load conditions, cyberattacks and the security of personal and payment data.

Actually it’s all about the satisfactory users’ experience that would be heavily affected by any kind of incident and security failures.

Technical issues and reliability

Every game, online multiplayer or single-player is a software package, firsthand. A large and rather complex one, with high demand for system resources: a high-class entertainment costs.

The software framework – so-called game engine – typically provides such features as renderer for graphics, a physics engine, “artificial intelligence”, networking, memory management, etc. Occasionally some vendors write game engines as commercial packages to be licensed to other developers, and not just as a technical base for a specific game. For instance, there are two dozen games based on id Software’s id tech 3 engine (on which id’s own Quake III is based), although much fewer games have been built of the later engines – id Tech 4 (Doom III, Quake IV) and id Tech 5 (Rage). Epic Games (of Unreal and Unreal Tournament fame) license their Unreal Engine left, right and center, recently changing their license terms so that it becomes accessible for next to anyone. A relative newcomer – Unity Technologies – created their Unity product as an all-purpose game engine specifically for licensing to third parties.

With overwhelming complexity of these products, it would be naive to expect they lack bugs. Actually, bugs are always present, but regarding the games they are mostly assumed to affect the game itself, not the framework it’s being run within, whether it is a local machine or a server.

However, last year researchers have found quite a few zero-day vulnerabilities some of which put servers and the gamers who use them at risk. A number of very popular (albeit not always exactly new) engines such as Unreal Engine 3 and id Tech 4 (both available since 2004) as well as CryEngine 3 (available since 2009) were reported as flawed.

Some game engines are used by US military and FBI in their simulator training systems, and there’s no need in the wildest imagination to figure out the possible consequences of malicious exploitation of these systems’ flaws.

Battlefield 4 screenshot

And even away from that, a successful attack on central servers of an online multiuser game means a grand amount of discontent, complaints, bad publicity and other displeasing things that may be pretty harmful for business.

Especially when we speak about MMORPGs such as World of Warcraft, the current “ruler supreme” of MMOG market – the game with especially large audience.

Social service

WoW used to have ~15 million active subscriptions in the past, down to current 10 million, which is still can be compared to population of a major city. And all these people pay for playing time (and occasionally for some in-game objects bought from the official shop), and expect their experience to be smooth and consistent. Little they care about the complexity of the software and hardware framework, amount of servers in the data centers processing all those hundreds of thousands simultaneous connections, etc. But if something happens they get extremely disgruntled quickly, always ready to vent their anger both in and outside of the game.

As said before, MMOGs are similar to social networks in their nature, and as any other socially-oriented services with, they largely face similar problems – those with security of users’ sensitive data included.

Out-of-game loot to take

It’s not surprising that pay-to-play MMOGs attract financially-minded miscreants of various sorts – there is a loot to take. Years ago a steady black market formed, where the in-game items (fancy armor, weapons, artifacts, etc.) and, above all, in-game currency are sold for the real-world money. While seemingly not illegal on its own, this brisk trade sometimes is frowned upon by the game developers. World of Warcraft EULA, for instance, forbids this “gold trade” in no uncertain terms, and still for years in-game currency is sold in troves for a moderate amount of dollars or euro.

World of Warcraft screenshot

World of Warcraft screenshot

What does it have to do with security? The gold trade on its own doesn’t. The issue lies with the ways that in-game gold and other items are being acquired. In a nutshell, the accounts hacking with intention to rob the players’ characters of their in-game property is a very common problem for various MMOGs. It is mostly done by “serving” the user with some keylogging malware by whatever means possible – drive-by attacks, phishing, etc.

Actually, years ago author of this blogpost had been hit by the account-stealers: apparently a keylogger dropped itself into C:Temp folder and reported all my logging-ins as well as the later attempts to change password. It ended up like some sort of tug-of-war between me and the bad guy who had hijacked my account. I used some freeware antivirus at that time, and it failed to discover the keylogger.

Purging the C:Temp folder resolved the issue. Later on “Game Masters” reimbursed my lost items and following the growing amount of such incidents Blizzard improved their users’ account security dramatically, introducing multifactor authorization, among other things.

DDoS-attacks is also a recurring problem for MMOGs as well as game distribution platforms and networks. Earlier this year Valve’s Steam and EA’s Origin gaming platform were hit by DDoS. Apparently the attackers were acting out of simple mischief.

And as of recent the hacking groups such as Lizard Squad presumably associated with so-called Islamic State, has been targeting gaming services – Microsoft Xbox Live and Sony PlayStation Network, among others – bringing them down earlier this year.

Fresh-out, World of Warcraft’s new expansion Warlords of Draenor had been hit with a mighty DDoS attack upon its launch in US in mid-November. Giving the number of people affected, this is clearly a “mild” form of cyberterrorism. And the real victims are the game service providers, because, whatever happens, users point fingers on them expecting total satisfaction for their money.

Gaming industry under attack

Last year Kaspersky Lab reported on Winnti APT group, that has been attacking companies in the online video game industry since 2009. The group’s objectives were stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. This clearly shows that online gaming industry may have some huge value for the criminals, even if only as a leverage for attacks on some other industries.

We can also recall an attack on Sony Playstation Network in 2011 that resulted in a record-breaking leak of the service’s user data (which was stored, to say the least, not very securely) as well as an extremely long outage of the service.

Every industry which deals with sensitive users’ data on any scale finds itself in the crosshairs of those who would like to claim it. Gaming industry is not an exception.