The game industry has long been a target for cybercriminals, and so it was no surprise in the past couple weeks to see the discovery of ransomware that attacks the accounts of Fortnite players.
Cybersecurity firm Cyren found a free game hack tool, Syrk, that players download as a way to cheat in the game. But they discover it disables malware defenses and then deletes batches of the users’ files and encrypts them. To un-encrypt them, the player has to pay to receive a password.
Akamai also noted that there is a big rise in credential stuffing attacks, where criminals use stolen identities in automated attacks that use brute force to break into accounts. From November 2017 to March 31, 2019, Akamai found 55 billion credential stuffing attacks. Gaming sites saw 12 billion of those attacks. No organization or gamer is immune.
Gaming is a target because that’s where the money is today. I recently spoke about this with Nelson Rodriguez, global director of media industry strategy at Akamai.
Here’s an edited transcript of our interview.
GamesBeat: Can you tell me more about what you’re doing?
Nelson Rodriguez: Talking about the Fortnite scams, I think the key for us to talk about this is that we see it as very much a hygiene story. It’s a security hygiene story. It’s not like there’s much that Epic can do directly about it, or much that Akamai would be doing to prevent it from the perspective of a game, someone installing the wrong kind of software in their computer. I do think, though, that for us this raises the broader issue of what the popularity of games is creating in terms of security risk.
You might remember from 10 or 15 years ago, the way folks got access to your computer was often through things like fake security scares or fake security software. Now games are such a rich way in. Players have such an incentive to try to maximize their experience with a game. Really, free-to-play is driving it more than anything. When it was a premium game, premium games didn’t have the mechanics that would encourage you to install some external piece of software to maximize your experience. But for free-to-play games, the way they’re built and designed, they lend themselves to manipulation, or at least the desire for players to have some kind of advantage.
That’s relevant to us, what the popularity of games is doing to drive those kinds of threats. We think there is technology that all consumers and all companies should have in place on their computers, to prevent bad software from being installed, and to monitor the way your software is operating and behaving. Data exfiltration, that’s something that is relevant for us. But more than anything, game companies need to look at these trends to see — sure, it wasn’t your game that created this problem, but the popularity of your game is creating this dynamic where players want to go out and gain advantage outside of the game. It’s something everyone has to pay attention to.
GamesBeat: Did Akamai take a look at some data here as well, related to the Fortnite ransomware scams?
Rodriguez: Our security team took a look to see what the nature of this threat is. We recognized it had nothing to do with the game. It looks a lot like typical ransomware. We look at it not from a statistics point of view, but a technology point of view. There is a stat angle, where game companies are the most attacked companies in the world, more attacked than defense contractors or financial services companies. Gaming companies are a really rich attack surface. That we know from a statistics point of view.
From a technology point of view, we recognize that this particular exploit looks a lot like any other data exfiltration exploit. If you can get someone — think of it as a classic phishing scam. If somebody can get you to click on something because you think it’s going to do one thing and it ends up on your machine and does something else, we understand that technology.
It’s preventable, particularly in a proper network environment where the network is monitoring — let me step back a second. A lot of what we think about security is outside in. Building a wall — this gets to the concept of zero trust. The historical model is, you build a wall and you make sure nobody can get inside the wall. The trick to that technique is, as soon as somebody gets inside the wall, they have full access to everything.
One of the steps to having a zero trust approach to security — first of all, don’t assume the wall is going to protect everyone. Get away from this model of a wall. There is no such thing as a wall. Yes, you have access controls, but don’t assume that those controls will be foolproof. The next thing you have to do is evaluate inside out. Not just what’s trying to get in, but what’s trying to get out. That’s where a lot of these kinds of scams get revealed — if you monitor what is asking for access outside your computer that you didn’t drive, that wasn’t driven by the user. Not just what’s trying to get in, but what’s trying to get out.
It’s like those classic horror movies. The killer is inside the house. That’s the thing. It’s not just what’s trying to break in from the outside, but what’s already inside your machine that’s trying to exfiltrate data. From a technical point of view, that’s what’s most interesting about this. Also, it just highlights the fact that having any trust in a login or authentication system is just old-fashioned. Nowadays you have to assume that no machine is safe. You have to be managing security at a machine level with a perspective toward — assume that if someone is logged in, they might already be infected. What are they pulling out? What’s leaving the machine or leaving the network?
GamesBeat: Just on the basics, what did we have happen here? We had Fortnite accounts where players invested a lot of money being held hostage for some specific amount of money? They had to pay or lose the account.
Rodriguez: Yeah, but the way it was happening is folks were trying to gain advantage. They gave over access to their accounts. It was classic ransomware.
GamesBeat: I remember there was one ransomware outbreak when bitcoin was starting to happen. Hospitals were getting attacked because they couldn’t back up their data anywhere else, and bitcoin payments were untraceable, especially in eastern Europe. I guess they’re just building on this style of attack that’s worked elsewhere?
Rodriguez: For sure. There are a couple of ways to think of it. You can think of it as a classic con, a classic scam. First, is there some kind of weakness? Is there something somebody wants that they can’t get legitimately? If so, the scammer has the opportunity to offer that. That’s one facet of it. The next facet, is there an untraceable method or an ambiguity that allows the scammer to gain value without having to reveal who they are? That’s the blockchain component here. Being able to do it because you have an untraceable currency is part of what powers that kind of scam.
GamesBeat: What are you telling people they should do? Just don’t click on it?
Rodriguez: [laughs] One thing is, make sure that you are in a secure network environment. If it’s from work, does your workplace have the right protections in place at the computer level, at the login level, at the network level? That’s one thing to always have in mind. The other is very old-school, but if it seems too good to be true and it’s not being offered by the game publisher, then it’s not something that’s going to work out for you.
I know there are secondary markets for all sorts of goods and services in gaming, but the fact is, if it’s not coming from the publisher, you’re opening yourself up to risk. I remember working at Xbox 13 years ago. We had to tell people, “Don’t share your Xbox Live account with anyone.” You can’t share it with your friends. If somebody sends you a message saying they can help you level up in a game, that never ends well.
That’s the other thing you have to constantly remind people around. There’s no reason to do it, because in fact a lot of games now are designed well enough so that you can get a lot of value out of it within the game itself. There are all sorts of mechanics beyond just paying that allow you to unlock things. There’s no way to get that done illegitimately in a safe way.
GamesBeat: As far as Akamai itself, where are you contributing most here?
Rodriguez: We’re now one of the world’s largest cloud security companies, which is funny if you think about us historically as a CDN. A lot of people think of us as a CDN, and yet we’re one of the largest security providers now. It’s one of our fastest-growing business segments. That means we’ve strongly adopted a zero trust stance, a zero trust philosophy, to our security. We encourage every company to make sure that there are multiple layers of security. You don’t ever make any assumptions that an authenticated or logged-in user is necessarily a safe user who has full access and whose machine or account hasn’t been compromised.
We offer products in that category, but we also take a strong stance that there should be multiple layers of authentication, and even once someone is authenticated, that doesn’t mean they should have free access to every aspect of the network or of a given account. There have to be many layers. That’s our position as a security company that serves a lot of big gaming companies. We see ourselves as a consultant in the space. We have a strong opinion around it. It’s part of what we do with the products that we build.