How to Recognize and Prevent Social Engineering Attacks in Gaming

Can the gaming industry prevent social engineering attacks? Learn more here.

March 13, 2023

When it comes to gaming, billions are at stake for players and developers, so it is no surprise that both are being social engineered. How do these attacks work, and what can be done to address the risks? Perry Carpenter, chief evangelist and security officer for KnowBe4, explains this lucrative criminal market and what gamers can do to avoid falling for scams.

The gaming industry is experiencing an alarming rise in social engineering attacks. Over the past few months alone, several incidents have been reported in which threat actors used social engineering to infiltrate gaming companies, steal intellectual property, or break directly into gamers’ accounts with the intent of taking over their identities, stealing information or siphoning money. For example, attackers social engineered an employee of Riot Games and stole the source code of the popular online game League of Legends. Video game developer Electronic Arts experienced a series of account takeover attacks on its high-value accounts. Hackers also infiltrated Rockstar Games using social engineering and stole confidential information on unreleased video games.

Why Do Cybercriminals Target Gamers and Gaming Companies?

Gamer accounts carry significant market value: payment and credit card information, geolocation, crypto addresses, and other data points such as the devices used and the player’s gaming activity. According to research, stolen gaming accounts can fetch millions of dollars on the dark web. Gaming accounts also hold billions of dollars of value in the form of virtual currencies and in-game purchases.

The gaming industry is also booming. Businesses have had successive record-breaking years of deals and investments and are flush with cash. They work on cutting-edge technologies, which makes their data and source code highly valuable. As an example, in 2021, hackers stole game code from Electronic Arts and posted it for sale in underground forums at $500,000. Gaming businesses are also vulnerable to disruption: attackers can take games offline, and players can lose their in-game progress, in-game possessions and personal data, with a downstream impact on business revenue and reputation. What’s more, threat actors can leverage ransomware and related tactics to extort gaming companies for large sums of money.

Types of Social Engineering Attacks in The Gaming Industry

The gaming industry is ripe for social engineering. Studies show that the level of trust online gamers place in strangers is quite high, making them more susceptible to online fraud. And since gaming brings a lot of frenzied excitement, emotion and urgency, gamers are seldom vigilant in watching for scams or practicing security awareness while forging online connections. This significantly reduces their ability to consider or evaluate the real identities and true intentions of their online counterparts.

Social engineers use a variety of techniques to target gamers and gaming companies. These include:

1. Phishing

Phishing and credential stuffing are the most common tactics attackers use against gamers and gaming companies. For example, an attacker can obtain your contact information and deliver a spear phishing email that masquerades as a popular gaming company. Since the fraudulent email is indistinguishable from the real thing, victims readily hand over sensitive information or account access, which can lead to further compromised accounts and systems. Last year attackers stole a staggering $625 million from gaming company Axie Infinity by sending a fake LinkedIn job offer to an employee. In February 2023, threat actors used SMS phishing against Activision employees and successfully exfiltrated sensitive workplace documents.

2. Baiting

Baiting is a technique attackers use to lure users by taking advantage of their interest or curiosity. Attackers set up fake websites that entice users with trending games, fake cheat programs, bogus gaming add-ons, fraudulent marketplaces, virtual gifts and freebies, then wait patiently for victims to take the bait. For example, researchers recently stumbled upon a phishing website that sold an activation code for the gaming franchise “The Last of Us” on PlayStation. The activation code was bundled with a “free gift” (a PlayStation 5 or a $100 gift card). Victims who took up the offer ended up losing their account access as well as their money. Phishers can also bait gamers through in-game chats. Scammers recently baited professional gamers on the Steam platform by sending them links to fake tournaments that asked them to sign in using their Steam credentials.

3. Pretexting

Pretexting is a method scammers use to fabricate a scenario, gain trust and manipulate unsuspecting victims. For example, gaming companies have been facing a new advanced threat in which an attacker, on the pretext of being a user who has problems logging into or registering for a service, contacts customer support agents and asks them to view screenshots. These screenshots are laced with a backdoor called IceBreaker that enables attackers to gain remote access to the victim’s environment. Similarly, some high-profile Electronic Arts accounts lost their FIFA points and coins because attackers persistently contacted customer support via live chat (using an undisclosed pretext) and demanded that the account email address be updated. Eventually the support team gave in and changed the email address without verifying the requester’s identity.


How Can Gaming Businesses Mitigate Social Engineering Risks?

To reduce the risks associated with social engineering, gaming businesses must consider human-centric vulnerabilities and design security programs around end users.

    • Spread awareness in the gaming community: Gaming businesses must invest resources in making gamers aware of common social engineering scams and in encouraging safety precautions such as not sharing too much personal information, downloading games only from official stores, not clicking links from unknown sources, and steering clear of offers that sound too good to be true.
    • Build secure behavior in their own teams: It is also important that employees of gaming organizations themselves develop the muscle memory to recognize and report social engineering attacks. To build such secure behavior, organizations must regularly train employees using simulated phishing attacks to test awareness, run classroom training and conduct other hands-on exercises.
    • Use phishing-resistant multi-factor authentication: Organizations should protect employee accounts as well as gamer accounts with phishing-resistant MFA. If account credentials are compromised, phishing-resistant MFA prevents attackers from easily taking over the account.
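The last bullet says phishing-resistant MFA stops takeover even when the first factor is phished, but not why. The simulation below is an added example, not code from the article or from KnowBe4: it models a look-alike login page relaying whatever the player gives it to the real game login service. A one-time code is a plain string, so it relays fine; a FIDO2/WebAuthn-style assertion is signed over the origin the browser actually loaded, so the relayed assertion carries the phishing origin and the service rejects it. All origins, user names and secrets are constructed, and HMAC with a per-site secret stands in for the authenticator's real public-key signature so that the example runs on the standard library alone.

```python
"""Constructed simulation: why origin-bound MFA survives a relay attack and OTP does not."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed origins; neither is a real site.
GAME_ORIGIN = "https://login.example-game.test"
PHISH_ORIGIN = "https://login.example-game.test.evil.test"


def otp_code(secret: bytes, step: int) -> str:
    """Simplified time-based one-time code (HMAC over the time step). The code is
    just digits, so whoever the user types it into can forward it unchanged."""
    digest = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Authenticator:
    """Stand-in for a FIDO2 authenticator. A real one signs with a per-site
    private key; a per-site HMAC secret is used here to stay stdlib-only."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # a real service would receive only a public key

    def assert_login(self, rp_id: str, challenge: str, origin: str) -> dict:
        # The browser, not the user, fills in the origin of the page that made the
        # request, and the signature covers it. (A real browser would also refuse
        # an rp_id that is not a suffix of the page's domain; that check is omitted.)
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self._keys[rp_id], client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class GameAccountService:
    """Relying party: the game's login service (constructed)."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self._cred: dict[str, bytes] = {}
        self._otp_secret: dict[str, bytes] = {}
        self._pending: dict[str, str] = {}

    def enroll(self, user: str, cred_key: bytes, otp_secret: bytes) -> None:
        self._cred[user] = cred_key
        self._otp_secret[user] = otp_secret

    def begin_login(self, user: str) -> str:
        self._pending[user] = secrets.token_hex(16)  # fresh challenge per attempt
        return self._pending[user]

    def verify_otp(self, user: str, code: str, step: int) -> bool:
        return hmac.compare_digest(code, otp_code(self._otp_secret[user], step))

    def finish_login(self, user: str, response: dict) -> tuple[bool, str]:
        data = json.loads(response["client_data"])
        if data.get("challenge") != self._pending.pop(user, None):
            return False, "challenge mismatch or replay"
        if data.get("origin") != self.origin:
            return False, f"origin {data.get('origin')!r} is not {self.origin!r}"
        expected = hmac.new(self._cred[user], response["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False, "bad signature"
        return True, "ok"


def run_relay_scenarios() -> dict:
    """Same player, same look-alike page in the middle: OTP relays, FIDO does not."""
    game = GameAccountService(GAME_ORIGIN)
    device = Authenticator()
    otp_secret = secrets.token_bytes(20)
    game.enroll("player1", device.register(game.rp_id), otp_secret)
    step = int(time.time()) // 30

    # OTP: the player types the code into the look-alike page; the attacker forwards it.
    otp_relay_succeeds = game.verify_otp("player1", otp_code(otp_secret, step), step)

    # FIDO: the attacker fetches a real challenge and relays it, but the player's
    # browser stamps the phishing origin into the data that gets signed.
    challenge = game.begin_login("player1")
    phished = device.assert_login(game.rp_id, challenge, PHISH_ORIGIN)
    fido_relay_succeeds, fido_reason = game.finish_login("player1", phished)

    # A genuine login from the real site still works.
    challenge = game.begin_login("player1")
    genuine_succeeds, _ = game.finish_login(
        "player1", device.assert_login(game.rp_id, challenge, GAME_ORIGIN)
    )
    return {
        "otp_relay_succeeds": otp_relay_succeeds,
        "fido_relay_succeeds": fido_relay_succeeds,
        "fido_reject_reason": fido_reason,
        "genuine_login_succeeds": genuine_succeeds,
    }


if __name__ == "__main__":
    for name, value in run_relay_scenarios().items():
        print(f"{name}: {value}")
```

The point for a gaming service is that the player never has to spot the look-alike domain: the browser's origin check and the signed challenge do it, whereas an SMS or app code depends entirely on the player noticing where they are typing it.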

No amount of technical defenses alone will save you from social engineering. Most gaming companies that are attacked and compromised already run some of the most technically secure infrastructure on the market. This is why gamers and gaming businesses should develop human detection and response capabilities: educate, test, and run regular awareness training exercises. The goal is to instill in gamers and employees a sense of vigilance and an attitude of healthy skepticism when interacting with anything online.


Perry Carpenter

Chief Evangelist and Security Officer, KnowBe4

Perry Carpenter is the author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” [2022, Wiley], his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.