Playing for Keeps: Fraudsters Targeting Virtual Worlds and Online Gaming

Posted September 5, 2017

Playing for Keeps: Fraudsters Targeting Virtual Worlds and Online Gaming

The gaming sector’s good fortunes are making it a prime target for the kind of sophisticated cyberattacks once reserved for online banks and retailers.

Propelled by advances in mobile and virtual reality, the burgeoning world of first-person shooters and massively multiplayer online awesomeness will score more than $100 billion in revenue this year.

But it also finds itself struggling with a whole new level of fraud that could sink individual properties—as well as the publishers behind them.

Hacking for Fun and Profit

In what’s quickly becoming the summer of cyberattacks, ransomware from WannaCry to NotPetya are generating the lion’s share of global headlines.

So perhaps it shouldn’t be surprising that attacks in the virtual worlds of gaming get overlooked, despite the fact they threaten an otherwise booming industry.

Today, more than 700 million people play online games. In most cases, publishers use a freemium model that generates revenue through in-game purchases for items that enhance gameplay. And that adds up to irresistible opportunity for cybercriminals.

The objective: steal user credentials as well as in-game items, cheats and currencies, and then sell them to others online.

Of course, to pull that off means fraudulently accessing and manipulating games right from under publishers’ noses—a situation one of our engineers, Caleb Moore, knows all too well.

Power Play

Before coming to ThreatMetrix, Moore developed games for the Chinese market, where he discovered that determining whether a player was really a legitimate user was one of his most frustrating challenges.

“Unfortunately, non-real, non-unique users are extremely common, diverse—and destructive,” he said.

According to Moore and others in the industry, key online attack modalities include:

  • Phantom registrations: A form of ad fraud where publishers pay for leads, only to discover fraudsters have created accounts that will never generate revenue
  • Sock puppets: Hijacked game or forum accounts used to harass players through threats or rumors
  • Fraudulent malvertising and phishing attacks: Old standbys used to lure players into entering their user credentials
  • Remote Access Trojans (RATs): Malware for grabbing credentials and in-game items while the player is logged in
  • “Gold farming”: Specialized bots that repeatedly perform in-game actions to earn currency or exploit in-game promotions to win prizes
  • “Sybils”: The act of assuming multiple fake identities by simulating presence in different geographic locations in order to engage in gold farming and other malicious activities
  • “Glitching”: Creating a seeming glitch within a game to fool players into buying the same item over and over

The more popular and competitive the game, the more of a target it becomes.

Survival Mode

Still, why does any of this matter?

While exact numbers are hard to come by, it’s been estimated that for every legitimate virtual item sold and downloaded within games, there are 7.5 lost to fraud. In China, it’s as high 273 fraudulent virtual items for every legitimate one.

With average spending on in-game items pegged at $50 per user per game, that could represent publisher losses starting at $260 million in potential revenue per year—with the real figure likely many multiples more.

With that kind of money in play, it’s no wonder there are now 5,000 new types of malware targeting online games every day, and 50,000 instances of phishing-based redirects pointing to imposter game sites, according to Gamasutra.

In all, this has enormous implications for publishers, including:

  • Lost revenue opportunity from fraudulent sales of in-game items and currencies
  • Costly credit card chargebacks and other fees resulting from purchases made with stolen credit cards—which represents 70 percent of attacks.
  • Increased churn as players lose trust in transaction security and grow increasingly irked by bot activity that can ruin gameplay
  • Reduced shareholder confidence and investment

It also means increased costs for customer support and fraud prevention.

And, since more than half of an average game app’s users do not open their app again after the first day, if it takes you one week to respond to a security threat, your mobile game is already past its prime. Developers must have security figured out on day zero or risk losing advertising residuals.

Identity is the Key

Stopping this kind of fraud requires user authentication that goes far beyond login credentials that can be faked or stolen. But as Moore pointed out, solutions can’t create user friction, either.

“With customer acquisition costs going up across the industry, even a small attenuation in new users can lead to huge real-world costs,” he said.

In fact, these challenges are exactly why he was inspired to come work at ThreatMetrix.

Through our Digital Identity Network, the ThreatMetrix solution collects and analyzes hundreds of different data elements and correlates them with anonymized, global threat intelligence to provide a confidence score for each user in real time, without violating privacy.

Legitimate users simply breeze by, without even knowing this level of security is in place. And friction can be reserved for instances when extra precaution is needed.

“I realized that this was the product I most needed from the moment we first started accepting player registrations,” said Moore. “Today, I work to make it even better, in hopes that no one will have to face the same challenges I did.”

In other words: Game on.

Andreas Baumhof

Andreas Baumhof

Chief Technology Officer, ThreatMetrix

close btn