Video games are a part of nearly every kid’s life, and distributed work is increasingly a part of every adult’s. According to experts, it’s a recipe for small-time gaming scams to turn into larger-scale business compromises.
Hackers will leverage anything popular or good in this world, and video games are no exception. As described in a March 1 blog post from Kaspersky, financially motivated attackers are targeting children, in particular, with open-faced scams aimed at stealing in-game items, account credentials, and bank details.
The story doesn’t necessarily end there, though. Even a primitive phishing attack against a kid playing Fortnite could, theoretically, turn into a wider attack not just against the parent but also the parent’s workplace.
An attack that targets a business through an employee, or through an employee’s child, may seem like too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. That, combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, makes this vector a long-tailed but fruitful one for attackers.
How Games Get Hacked
Last year, researchers for Avanan uncovered a surge of Trojans hidden in cheat codes for the ultrapopular online game Roblox. “The file would be downloaded by the child,” explains Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, “and then, most likely, mistakenly uploaded to a corporate OneDrive folder. This file installs library files (DLL) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running.”
This is just one of many forms that gaming scams can take. For example, “we’ve seen multiple cases in which a BYOD device was compromised via a gaming-related phishing site, which led to the compromise of the connected corporate network,” says Jordan LaRose, practice director for infrastructure security at NCC Group. “Another gaming-related vector we’ve seen in the wild are direct exploits through users playing games. This is most common on mobile devices but can affect desktop gaming as well. Attackers will either embed an exploit directly in an attractive mobile game that users download and thereby compromise their mobile device, or target a user playing a game with a remote code execution (RCE) vulnerability to compromise the computer running it.”
Mere weeks ago, such a vulnerability was being exploited in the mega-hit Grand Theft Auto V.
The potential damage caused by such a compromise is clear. “Trojans like this can break applications, corrupt or remove data, and send information to the hacker,” Fuchs says.
What’s less obvious but more worrisome is how this damage could extend beyond the device or even the home in question.
How Gaming Hacks Spread to Businesses
Fuchs puts it bluntly: “The perimeter no longer exists.”
“We can access work documents on home computers and vice versa,” he says, “but it also relates to game usage.”
Young children, especially, often play games from their parents’ PCs and mobile phones or, if nothing else, their home Wi-Fi. Parents then take their PCs and phones to work, or work remotely from their home network.
Fuchs theorizes that kids “could be playing on their parents’ computer and accidentally upload it. This is an easy way for compromises and malicious files to easily infect your corporate cloud.” But in most cases, a child need not go that far — attackers can make the jump from home to office on their own.
“In the era of BYOD and remote working,” LaRose explains, “attackers often just need to compromise a user’s personal computer to get a foothold on a corporate network. Once an attacker has a foothold on a personal device, they can often steal a VPN session or browser session, or simply find a user’s corporate credentials stored in their computer.”
How Businesses Can Stop the Spread
In their blog post, Kaspersky researchers recommended that gamers practice diligent cyber hygiene: strong passwords, two-factor authentication, antivirus, and the like. They also highlighted the utility of virtual bank cards that only fill to meet the exact amount of a particular purchase.
“By entering the numbers from your bank card,” Kaspersky explained, “you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary.”
LaRose stresses that “gaming is not innately any more insecure an activity than normal Web browsing.” Still, because gaming can be just as insecure, “businesses should do everything they can to separate a user’s presence in the corporate environment and the personal one.”
He recommends implementing endpoint/extended detection and response (EDR/XDR) and a security operations center (SOC) that can help respond in case of a breach.
The most important defenses of all, though, are the policies and procedures that businesses implement to address remote work and BYOD.
“If BYOD is absolutely necessary for a business to function,” LaRose says, “they should limit the policy to mobile phones only and ensure they use a strong mobile device management (MDM) solution that separates work and personal data on the phone. This is an imperfect solution with some workarounds for attackers but will at the very least serve as a deterrent and give the business more visibility into any potential exposures.”