We all know how much you enjoy playing – socially, professionally or casually – video games, which is why we want to take this opportunity to share more information about safe online gaming.
Previously we have discussed how to protect yourself while playing, with professional online gamers offering advice based on their knowledge and experience as users; and we have also talked about why security is important in every instance of game development.
Today we will talk specifically about some of the biggest threats online gamers face and, of course, how you can protect yourself. Below you will find the top five threats, in no particular order of importance.
We already know the destructive capabilities of ransomware – a type of malicious software that locks access to files or the system itself until a ransom is paid.
Within this malware category, Teslacrypt stands out because it was designed to encrypt game-play data for dozens of video games, prompting the user to pay a ransom to decrypt those files. Targeting some well-known games including Call of Duty and Minecraft, Teslacrypt blocks access to saved game files, configuration files or game items.
If we take a look at the chart below, which shows the number of TeslaCrypt detections by ESET security products during 2016, we see that most observed activity was in March, reaching over half a million cases:
However, there are two key points to mention. First, TeslaCrypt is no longer operational – its developers have shut down their file recovery service. Nonetheless, since the ransomware is still spreading and infecting systems, it remains a threat for online gamers. The good news is that the cybercriminals have released the master decryption key, and that ESET has released a decryption tool for TeslaCrypt that you can download if your system has been compromised.
Secondly, the ransomware that attacks video games is not that effective, since current games are often designed to save games and settings on the cloud servers of each developer, making it possible for the user to recover his files should they get lost. Therefore, the games that do not store files in the cloud are more likely to be affected by this ransomware.
#2 Password Stealers
Just as there are types of spyware called keyloggers, which capture keyboard events and try to steal access credentials, there are also pieces of malicious code that attempt to steal access credentials for online games or platforms, such as Steam or Origin.
This type of malware is heavily based on social engineering or deceit in order to infect its victims. One of the most popular scams is when a player – the victim – receives a chat message from another player offering him to join his team. This unknown player is usually very friendly and praises the victim for his gaming skills, telling him that he should join this team of great players.
Where is the deceit?
At some point, the victim is prompted to download and install an application – for example, a voice communication program. The attacker will be very insistent on the fact that the victim cannot become part of the team if he does not have that application. And of course, the downloaded executable is not really a chat client, but a malicious software capable of stealing account credentials.
The picture above shows a fragment of a chat exchange with an attacker. ESET’s products detect and block a large number of variants. One of them is Win32/PSW.OnLineGames.NNU; in this case, apart from its credential stealing and keylogging capabilities, the malware looks for specific data of some well-known games like World of Warcraft. Another variant is Win32/PSW.OnLineGames.OUM, which receives and executes malicious commands from a remote server and attempts to neutralize the antivirus products present in the system.
So far, in 2016, the number of detections of the Win32/PSW.OnLineGames threats has reached over a quarter million:
There are also other threats worth mentioning, which specifically target the Steam platform: MSIL/Stimilik.H, a malicious code written in .NET that allows an attacker to remotely control the affected machine, and Win32/PSW.Steam.NBC, of similar characteristics. The case of Steamlocker is particularly interesting – a piece of malware that appeared in 2016 trying to follow the ransomware trend, that blocks access to the Steam service and then requests the payment of a ransom to retrieve it.
#3 Fake Game Cracks
This is another social engineering technique, regardless of the kind of threat installed in the end. The deceit in this case has to do with the fact that the victim thinks he is only installing a crack, when in fact, the file contains malware and sometimes it is not even capable of bypassing the game protections, as it claims to do.
To give you a concrete example, last month I found an alleged FIFA 16 crack online on the EA servers. It was offered via a Mediafire download link. Once downloaded, we noticed the file name, fifa16crack (SHA1: 39fb3bdd0a4424eb8bb0489309f6d42d79cee1ce), and the icon used to fool players:
Although the alleged crack fulfills its function to play the game without a license, it also installs malware on the system. We can see that the file is really a self-extracting SFX that executes .bat files with specific commands to install a coin miner. The main problem is that the victim will notice a drop in the system performance, since system resources are being used by the cybercriminal to mine virtual currencies.
The picture above shows one of the miner’s configuration files. This particular case is a multipool that mines different types of coins, including other configuration files that are also able to mine the Monero cryptocurrency.
We should remember that because the crack is functional, this does not mean it will be free of malware. It is therefore essential to have an antivirus solution and not turn it off whenever those cracks request it so. Even today, we still see that some 10-year-old infected applications are still active, such as the modified versions of Aimbot or Wallhack Counter Strike, for example.
#4 Fake Apps
Nowadays, we not only play on consoles or PCs, but also on our smartphones or tablets. Therefore, we must be careful and pay special attention to those fake apps masquerading as official games, updates, tricks, etc.
Since 2015, there have been various malicious mobile applications masquerading as well-known games, which perform different types of attacks on the infected devices. Perhaps one of the most important cases has to do with an Android Trojan hidden among the games at Google Play, which allowed attackers to control devices remotely, thanks to its backdoor capabilities. By imitating games like Plants vs. Zombies 2 or Subway Surfers, it was mainly used to display ads on the compromised device.
Another prominent case is the one of fake Minecraft apps that install scareware, which were downloaded by more than 600,000 Android users. After showing the victims signs of fake viruses or threats on their devices, it then tried to convince users to subscribe to a premium SMS service in order to remove the fake threats.
Finally, I would like to mention the first lockscreen that tries to take advantage of the Pokémon GO fever. In this case, the false application blocks access to the system, which needs to be booted to keep on working. After reboot, however, the malicious application continues to run, silently clicking on porn ads on the background.
As professional FIFA player Patán told us, and as I mentioned myself after attending conferences on malware and the gaming industry, one of the most common attacks (and easiest to carry out) has to do with stealing access credentials through fake websites, or simply through users asking for the login information. To do this, cybercriminals register websites with a slight variation on the original domain name, for instance, by changing only one letter.
We can mention two of the best-known examples that affected Steam users: the fake Steam screensaver, which was in fact a password stealer phishing, and the fake Steam games that spread malware.
The aim of this article is not to scare you so that you stop playing games online. On the contrary, it is to raise awareness about the existing risks, which can be complemented by the following recommendations:
- The same “old” story – never use old versions of games or applications. Since the updates fix vulnerabilities, it is absolutely necessary to update software as soon as possible.
- Always have your antivirus software enabled on your computers – you should be suspicious of those applications that request you to disable your antivirus protection before installation. Also, if you are concerned about FPS and system performance, remember that, for example, ESET Smart Security has a Gamer mode that optimizes the performance of the antivirus solution so that you can enjoy your game without interruptions.
- Ignore unknown chats requesting information: remember that game developers will never ask for your passwords. Activate two-factor authentication whenever it is available – thus, even if your password is lost or stolen, no one will be able to access your account without having the second verification factor. More information at:
- Steam Guard / Steam Mobile Authenticator
- Login verification for Origin
- Blizzard/Battle.NET Authenticator
- Change passwords regularly; use passphrases; and never use the same one for different accounts or services – sometimes the passwords and account data can be leaked (just remember the 6 biggest attacks on online games of the last few years). It is therefore a good idea not to use the same login data for different services.
Further reading – 8 security tips for gamers: go play with no worries!
by Matias Porolli, ESET We Live Security