Andrew Whaley, senior technical director at Promon, explains the most common attacks against games, and how to protect against them.
This article was originally posted by InfoSecurity magazine. The original article can be found here.
The gaming sector is under siege. The number of gaming-related cyber-attacks is growing at an alarming rate, and the online boom of the early 2000s brought hackers to the gate. In two decades, an industry worth tens of billions was transformed into one worth hundreds of billions in revenue – $221.4bn in 2023. Unsurprisingly, this growth and the opportunities it provides cyber-criminals did not go unnoticed. With such a lucrative target, hackers have long plagued the sector.
Moreover, the popularity of gaming has also been steadily increasing for years, with the total number of gamers soon to reach 3.32 billion in 2024. An increase in gamers has led to an abundance of targetable accounts storing all sorts of sensitive data. However, cyber-criminals aren’t just after gamers’ passwords and card details.
In-game digital assets, either through trickery or brute force, can be stolen or fabricated. Just last year, the most expensive CS:GO inventory, worth £2m, was stolen by hackers. And finally, let us not forget the bad actors who hack simply to gain a personal advantage over their fellow players.
What Impact Does This Have on the Gaming Industry?
From a developer or publisher standpoint, gaming-related cybercrime is detrimental to business. The inability to provide a safe and secure experience for players erodes consumer trust, undermines in-game economies and ultimately decreases game and microtransaction sales.
Just look at the bad PR that Fortnite has received recently. Admittedly, in this instance, a gaming behemoth like Epic Games will keep chugging along. But for smaller, less developed titles, such attacks can cause significant reputational damage. Consistently poor security practices will lead to diminishing player bases, either due to players giving up on the game or simply being unable to log in and play. For example, The Division is a game which experienced a player exodus largely due to rampant hacking. Despite the title’s financial success on release, The Division soon became known for its glitches, exploits and hacks that undermined the game’s long-term future.
The most successful games are those that can maintain loyal player bases and a constant revenue stream from downloadable content (DLC) and microtransactions. Look at GTA Online, for example. The title generates roughly $800m annually from players purchasing in-game cash.
Essentially, what’s mainly important to a game’s success is long-term engagement; the key drivers of this being the most die-hard fans. Yet, the most targeted accounts often belong to those with the most playtime due to their abundance of gear, money or other in-game assets that can be stolen. If a developer cannot protect their most valuable and loyal customers, this will have serious ramifications for the health and longevity of their game.
What Are the Common Techniques Used by Malicious Actors?
The most common approach is distributed denial-of-service (DDoS) attacks, made possible by the industry’s expansion into cloud gaming. This technique relies on multiple attack sources where devices bombard a target by overwhelming the network with unwanted traffic. This type of attack has been particularly effective at disrupting competitive games such as Apex Legends.
Another popular attack vector is structured query language (SQL) injection and credential stuffing. This method involves threat actors exploiting vulnerabilities within a game to inject hostile code to spoof identities and tamper with or disclose the existing data on the game’s system. Using this approach, hackers can obtain login credentials, card details or access players’ accounts and inventories.
Finally, man-in-the-middle (MITM) attacks also effectively exploit insecure gaming applications. Here, the attacker secretly alters the communications between the game and the server by inserting themselves between the two parties. By intercepting the data packets being sent from the computer to the game’s servers, bad actors can alter a game’s rules, allowing for an unfair advantage. For instance, manipulating the collision detection logic within shooter titles to avoid or guarantee hits. Cheaters may also alter the transparency of model assets to allow a player to see through and even travel through walls or manipulate the network client to allow unwon points to be allocated.
How Protecting Endpoints and Runtime Environment is Key
Although measures can be taken in-house due to a prevalent crunch culture dominating the industry, there is a clear and growing dependence on cybersecurity firms to design and maintain games’ security protocols.
Security experts employ a vast array of anti-cheat and monitoring methods, but at the core of this, there should be a focus on protecting the endpoints and the game’s runtime environment. Games are typically very rich clients containing 3D rendering engines, assets (3D models, textures, sounds etc.), game logic, collision detection logic and a low latency network client so the endpoint can participate in a cloud or server-hosted virtual environment.
As the client has to be distributed to players, it therefore provides rich pickings for manipulation. To protect these components, it’s commonplace to have integrity checks around game assets or game libraries; however, these can often be easily found and patched out.
To fully protect gaming apps and, by extension, the end users, thorough endpoint protection and obfuscation embedded into the game’s logic itself are essential. Only when a game has many overlapping and interlocking checks does the puzzle become difficult to overcome. This strong base can then extend to app attestation to the network API, effectively allowing only a strongly verified client to connect to the server endpoint.
Overall, although there are many cyber-threats facing the gaming industry, if a malicious actor can modify a game’s executable code whilst it is running, that truly is game over.