The growing threat of video game hackers

After the release of the game for smartphones in augmented reality Pokémon Go in July last year, it became an international phenomenon. The game motivated the players to leave the house and walk the streets in search of monsters. During the week after the release, the number of Pokémon Go users in 24 hours was more than the active Twitter users.

However, not everyone could have started the game: the wild popularity of Pokémon Go attracted more players to it than the servers of the Niantic application developer could withstand. "Probably, the demand for the game was too great," - suggested one of the sources , talking about hangs and problems with the entrance to the server from players around the world.
')
However, the truth was a little different.

Almost after the launch of the game, hackers began to create armies of bots — digital golems that played instead of users, farming Pokemon and besieging pokestop to win the competition. A young French hacker Maxim Griot tells: “We discovered hidden variables that controlled the“ perfection level ”of a pokemon. Therefore, our bots could catch the most advanced versions of all Pokemon ".

Armed with this information, hackers were able to use strategies for a faster set of experiences than live players. “We could reach levels that were theoretically impossible for the average user,” says Griot.

The fearless hackers of Pokémon Go soon found a way to deceive not only probabilities, but also geography. Ordinary players to hunt "endemic" monsters had to physically visit the appropriate places. Hacker bots could move to any point on the map where they caught rare creatures.

While mainstream and specialized gaming media repeat the story of server overload due to the incredible popularity of players, Griot, now working as an anti-cheat engineer at Bethesda Softworks , knows the truth: Pokémon Go servers were overwhelmed by waves of robots, not people. In late August, Niantic began quietly threatening the creators of publicly available bots with legal prosecution .

In recent years, using cheat bots has become the curse of many online video games. Basically, this type of cheating is common in MMO, for example, in World of Warcraft . Lack of time or bored players use bots for the grind of monsters - automatic farming of experience points to increase the level of their character.

Live players are already accustomed to sharing virtual worlds with bots that automatically and monotonously pursue their goals. However, after exceeding a certain number of bots, the game ecosystem may crash.

“Overtaking live players in the collection of all available resources, bots can make the world unplayable,” explains Griot. “It can kill a game. Playing a lot of bots is more destructive for a publishing company than almost any form of hacker attack. ”

Bots are just one of the ways that hackers can upset the game’s balance to gain advantage. Often, hackers are able to give players in FPS superhuman advantages, they create and sell cheats that allow unprincipled users to automatically get into the head or see and shoot through objects.



An experienced hacker can be incredibly easy to insert into the executable game the necessary code, giving them (or the people to whom they sold the cheat) an unfair advantage over other players. Often the network traffic during the game is not encrypted, so as not to reduce its speed. Without encryption, an attacker can change the network traffic transferred between the game and the server. If on the server side additional checks are not performed, then the cheat has keys to the entire virtual world.

“One of the most popular vectors for hacker attacks is reverse engineering,” says Griot, who learned how to program at the age of fourteen. After moving from France to Los Angeles, he began hacking online games to run on private servers without paying a monthly subscription.

While he was a student, he even earned the early release of popular games on private servers, asking for voluntary donations for it. “The easiest way to trick the game is to understand how the client works and how the server responds,” he says. “Having dealt with the data, hackers elementary simply write bots or bypass the defense mechanism on the client side.”

Ian Reynolds is one of the leading UK online security consultants. In the past, he performed security tests on the royal network of Buckingham Palace. In his opinion, hacker threats for game developers are much more significant than just epidemics of bots or cheaters. “Many modern games are capable of processing financial information for the purchase of additional content. Such information is the main target for criminal communities, ”he says.

For example, in 2011, Sony suffered the largest cyber attack at the time. Approximately 77 million people from different parts of the world were stolen from PSN, names, addresses, dates of birth, email addresses and registration information.

“If an attacker is able to modify the source code of a game, he will be able to inject a malicious code into the game, which, when making a payment, will redirect the user to a fake page to enter credit card information.”

In 2016, most of the attacks were carried out for financial reasons. The most frequent were DDoS-attacks, disabling the server down stream of artificial traffic. Often, such attacks were made during the school holidays, when the so-called “script kiddies” were bored and wanted to hang up a little on the net. But increasingly, DDoS attacks are being used as a way to extort ransom organizations for disabled servers.

“For revenues from companies like Sony or Microsoft, these types of attacks have a disastrous effect,” Reindolds says. “Many games use a subscription model or purchased content. Therefore, disabling servers very quickly can create a huge deficit of profits, because players will not be able to make purchases. Significant losses are also incurred by developers when returning funds to users' credit cards: players take the opportunity to get their money back, because they cannot access the services for which they paid. ”

Not so long ago, a more personal type of malicious attacks on game developers appeared. In 2014, Phil Fish, the founder of Polytron and the creator of Fez, became a target for hackers and pursuers. His personal data was published, and the company's servers were hacked. Hackers stole and published emails, passwords, banking information and other information about Fisch, forcing the Canadian developer to change their place of residence.

“Developers should be encouraged to hide social network accounts and online forums so that as little as possible of their personal information is publicly available,” Reynolds says. "The less information is disclosed to the public about a particular person, the less likely it is that the collection of information from open sources will give the attacker useful information for continuing doxing attacks." For the safety of game developers, two-factor authentication and the use of different passwords in different accounts are critical, especially if they suspect that they can be targeted.

The attack on Fish was supposed to be a threat and scare him. Other developers, like Valve , are then hacked to get exclusive information about future projects. “One of the biggest threats to organizations today is client side exploits,” says Reynolds, who often self-tests the security of company offices.

For example, sometimes he penetrated through the smoking rooms of organizations, dressed in the form of a courier and carrying a large box. The calculation was based on the fact that someone would open the door for him, allowing him to bypass the security system. Once in the building, Reynolds began to search for an empty conference room to gain access to the network in order to attack the Windows domain or the surrounding infrastructure.

“The most popular way to attack is still malicious links or files in e-mail, allowing you to break through the security perimeter of the company and gain access to the internal network,” he says.

“I worked in several studios in which an unsuspecting employee clicked on a malicious link in an email, which led to the compromise of his workstation. The attacker had full access to the code repository used by the development team. ”

Attacks of this magnitude greatly influence software development companies. Work of several months can be lost in a matter of seconds if the source code is stolen and published online. There is also a possibility that the attacker will insert malicious code into the sources of the game, which will directly affect the end user.

“In most cases, antiviruses and sometimes the operating system itself blocks the malicious code on the end-user machine. But code inserted into the game may leak important information. “Man-in-the-middle” attacks collect valuable data for criminal communities. ”

Despite the fact that more and more companies are aware of the risks posed by organized hackers to video games and their creators, Griot, who has been on both sides of the front, believes that cheaters and thieves have an advantage. “Hackers are winning the battle now,” he says.

“Gaming companies are refusing to invest in protection technology. It is possible to avoid a situation where millions of dollars in game costs are wasted due to a cheap bot or hack. The creators of online games should take care of security in advance, not for a couple of months before the game is released. ”