Virtual environment awash with cash present their own unique set of security challenges

The evolution of video gaming into a professional spectator sport has surprised a few observers.

But with Coca-Cola-level sponsorship, professional leagues, sold-out arenas, and a projected global revenue of $1.7 billion by 2021, all the ingredients for Olympic prime-time television are there.

As the industry has grown, however, so has the attack surface for cybercrime, which a new report from Trend Micro predicts is only going to grow as a valuable target.

Cybercriminals and politically-motivated hackers will inevitably “follow the money”, according to Jon Clay, director of global threat communications for Trend Micro, commenting on the findings of ‘Cheats, Hacks and Cyberattacks: Threats to the Esports Industry in 2019 and Beyond’.

Chris Boyd, lead malware intelligence analyst at Malwarebytes, told The Daily Swig: “Targeting gamers is not new.

“People were offering hacktools, cheats, and DDoS services back in 2009 from some of the same sites currently being discussed in terms of esports attacks.”

Esports entities can expect the same array of attack methods, said Clay, “but on a much larger scale, with financially motivated actors getting involved for monetary and geo-political reasons”.

Read more gaming security news from The Daily Swig

Paul Jackson of Akamai, which recorded a quarter of credential stuffing attacks coming from the esports industry, told The Daily Swig in June that gaming’s “amorphous and international” nature made it an attractive, difficult-to-police, target for cybercriminals.

TeslaCrypt ransomware variants, meanwhile, have locked game data and mods for titles like Minecraft, Call of Duty, and Resident Evil.

But Boyd doesn’t believe esports has an especially soft underbelly.

Gamers may “have to tie their gaming accounts (Steam, Xbox) to a pro-gaming platform account such as ESL… would-be account thieves are dealing with multiple layers of cheat scanning and 2FA.”

Less “watertight” than banking security, esports nevertheless presents “considerable hoops to jump [through]” to achieve, in most cases, “very little”, Boyd said.

Esports presents its own unique set of security challengesEVO 2019 Evolution Championship Series, Las Vegas

Digital doping

Motivated by enormous rewards – top players can earn millions in prize money – players are nevertheless heavily incentivised to cheat.

Cheats are on sale for as little as $20, as well as through subscriptions, on underground gaming and esports forums, Trend Micro’s report observed.

But such small outlays can prove a false economy, with Trend Micro saying more expensive custom-made hacks are trickier to detect.

Trend Micro expects growing numbers of players caught cheating to circumvent bans with stolen accounts with clean gaming histories.

RELATED Hack and slash: Cloud-based video games model opens up fresh security risks

Underground esports forums are “flooded” with hacks and stolen accounts, said the cybersecurity company.

Hardware-related cheats, such as the programmable mouse that disqualified a Dota 2 team, disproportionately affect smaller tournaments, Boyd added.

“Generally, the biggest [tournaments] insist on gamers using their own hardware — and personal mice and keyboards are usually checked after well-known incidents… involving programmed macros,” he said.

“Dedicated LANs further reduce risk.”

The risk of cheating is also greater where a gamer is playing from an internet cafe or their own home, Boyd said.

Milliseconds count

Environments outside tournament halls are also more vulnerable to distributed denial-of-service (DDoS) attempts, said Boyd.

“Depending on location of gamer versus game server, milliseconds can already be the difference between winning and losing.”

Trend Micro believes panicked esports entities will be sorely tempted to pay ransoms, in turn, incentivising further extortion attempts.

Its researchers have seen DDoS-for-hire services on sale on gaming forums from $10 a month.

They also discovered nearly 220,000 gaming assets on IoT search engine Shodan – ripe for reconnaissance by attackers.

Walter Wang, head of operations for US-based esports outfit TSM, told The Daily Swig that measures were in place to deal with the aftermath of a DDoS attack.

“We are working heavily with our ISP, Spectrum, [to implement] proper counter-measures for our new training facility [while] redundant fiber lines [mean they] can switch to other IP addresses seamlessly,” he said.

APTs and the Olympics

Esports was a demonstration sport in the Jakarta Palembang 2018 Asia Games, the world’s second-largest multi-sport event.

Citing the disruption caused by advanced persistent threat groups at previous Olympic Games, Trend Micro expects any future esports participation to attract unwanted attention.

However, Chris Boyd of Malwarebytes believes cheating would be difficult to achieve.

Only “somewhat niche” games would likely be permitted – “not your typical first-person shooter” – which “probably” nullifying most attacks and cheat tools – especially if games “are custom-built for the event”.

Moreover, he added, “cheat detection tools would almost certainly be custom-built and closed source.”

Trend Micro also anticipates malware and phishing attacks on popular esports-related YouTube and Twitch accounts.

RELATED Esports gaming skills pave the way for cybersecurity careers