The $138 billion video game market has become a lightning rod for cybercriminals looking to make a quick buck. Game-related crime such as piracy is as old as the industry itself, but the rising prevalence of online connectivity has opened up a plethora of new avenues for fraud.
In-game purchases have grown increasingly common over the past decade, with a recent study by gaming research firm Newzoo finding that approximately half of all personal computer (PC) and console gamers spend money in game — a number that reaches more than 75 percent for mobile gamers. The same study discovered that as many as one in five gamers have been victims of payments fraud.
Developers want to enable seamless payments, allowing users to make purchases with a single click, but these simple processes are drawing fraudsters to gaming platforms. Online games store and centralize users’ payment information, making them prime targets for hackers who acquire data via account takeovers (ATOs).
Account takeovers: the ultimate boss fight
ATOs are arguably the most nefarious type of fraud. Bad actors acquire login information — either by purchasing it on the dark web or using phishing scams and malware — and use stored payment information to make illicit purchases.
Steam, a gaming platform with more than 125 million users around the world, has become a popular target for such attacks. Valve, Steam’s developer, stated that more than 77,000 ATOs occur on the platform every month, thousands of which are orchestrated by Steam Stealer, a malware program available on dark web marketplaces for as little as $3.
Hackers who gain access to accounts not only steal linked credit cards, but also valuable digital items like trading cards, which can be sold on Steam’s Community Market for hundreds of dollars.
A post on Steam’s blog noted, “Practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”
ATOs have also become common in multiplayer strategy game League of Legends. Scammers who gain access to accounts message other players, offering them links to free character skins or in-game currency. The link leads victims to a classic phishing scam that prompts them to enter their usernames and passwords, leaving their accounts ripe for takeover.
Younger gamers are particularly vulnerable to this type of fraud. They are less likely to notice the warning signs of an account takeover and give hackers unfettered access to their or their parents’ credit cards. ATOs like this are especially prevalent in Fortnite, one of the most popular games in the world and a hit among children and teens. There were reportedly 4,770 fraudulent Fortnite websites and 1,390 related videos containing links to malware as of October, and bad actors were on track to make more than a million dollars off of these scams last year.
How developers and gamers fight fraud
Gamers are growing wise to the rising tide of cybercrime, with approximately 33 percent of players completely abstaining from in-game purchases to avoid being targeted. That’s obviously not something developers want, and they have instituted new measure to help protect users as a result.
One of Steam’s latest security efforts is two-factor authentication, enabling gamers to secure their accounts with codes sent to their phones. Users must input these codes before they can access their accounts. Steam also put a 15-day hold on traded items from its Community Market, giving consumers the chance to spot illicit transactions before they lose their money.
Gamers should adopt best security practices, such as strong passwords, and vigilantly monitor their in-game purchases and credit card histories. Fraudsters aren’t looking for challenging battles — if gamers can make themselves difficult targets, bad actors will move on to easier scams.