Patrick Garratt is a 15-year veteran of the gaming industry, having been behind the launches of major news sites such as Eurogamer and VG247. A published horror fiction writer, he says the spate of attacks against gaming sites and gamers this year (reported by We Live Security here and here) is inevitable – because in the world of downloads, not discs, even a veteran like himself can be tempted by a cleverly crafted scam.
I love zombie survival shooter Left 4 Dead 2, but my three kids and job keep me away from its cutting edge. I’m too busy being a parent to to read about its latest add-ons or downloadable maps, but, late last year, I thought I’d Google some for fun. “L4D2 Super Pack maps + Installer,” I read on a fan forum. I moused over the link to the 8Gb torrent as I scanned the comments below. It was a Trojan, a bad one. Obviously. And, despite the fact I’ve worked in the games industry for some 15 years, I nearly hit it.
After using PC games professionally since 1998, I understand why I’m a major malware target. I know this, but it doesn’t make me harder to fool.
It’s no surprise infectors target core PC gamers, those who play massively multiplayer online games (MMOs) or competitive shooters. This insatiable group not only consumes video game content as rapaciously as Oliver Twist devours gruel, but is so passionate about downloading new bits, add-ons, cheats and so on that it can be easily fooled. People will risk lifetime bans from their favourite game just to be able to catch fish 10% faster (true story, World of Warcraft). If I were a Trojan coder, looking for a gullible set of addicted computer enthusiasts – PC gamers would be target numero uno, no doubt about it.
PC gaming, in case you’ve never dabbled, isn’t the same as installing, say, Angry Birds on iPad, and waiting patiently for updates. You can tweak. You can fiddle. You can rewrite the things, if you fancy. Home-made ‘mods’ have been part of gaming for decades – spawning some of its biggest hits, as homebrew titles such as DOTA (a ‘mod’ for Warcraft 3, made by a fan, not a game studio) which became a global hit, made by a fan. Shooter Counter-Strike had roughly the same origins.
Worse trouble arose, though, when companies decided to plug into all this free, open-source creativity.
The problem isn’t gamers themselves, or the companies scraping a living from them – it’s the whole culture around PCs. It’s a mark of PC gaming manhood to build your rig yourself, fix it yourself, and frankly, if you don’t own a soldering iron and watchmaker’s tools, you’re no real gamer. PC gaming is the opposite of the smooth, “no user serviceable parts inside” experience of, say, a Mac, or an iPad – PC gamers are the under-the-bonnet-tinkerers of the computing world, tweaking performance endlessly, monitoring graphs and mutilating motherboards – not to mention switching off their AV software to squeeze that last ounce out of the processor (an ESET survey found a third of gamers do just that, every time).
Installing potentially hooky add-on software is totally normal – in World of Warcraft, for example, you can be kicked from groups of ‘adventuring friends’ without a word of warning for failing to run semi-legitimate add-ons such as Recount.
For Blizzard, when it launched World of Warcraft in 2004, the add-on market was something they actively encouraged, unlike rivals – and arguably one of the reasons for the game’s meteoric rise is the fact you can add anything from a ‘spy’ add-on that tells you how tough other players are to a sat-nav style arrow telling you where to go.. Any idea Blizzard REALLY likes tended to crop up in the next game update. A win all round, except, when infection spreads.
Naturally, this week, cybercriminals targeted this very system, creating an entire fake website for Curse, the main add-on store, which actually worked, and was artificially boosted up Google searches using darkside search-engine tricks – but every add-on on offer was poisoned, with data-stealing malware built to bypass Blizzard’s two-factor security app. Full marks for effort, at least, on the part of the criminals – although Blizzard claim the system works “99% of the time”. Full marks for effort, at least. In other games, black market add-ons are used routinely. If it gives you an edge, thousands will pile in. Including people who really should know better. Like me.
Other game companies, though, are guilty of exposing customers to attack for less salubrious reasons – take Ubisoft’s Uplay, a ‘security’ system which offered little except low-rent bonuses such as PC Wallpapers, in exchange for ensuring gamers couldn’t copy – or easily sell – their games. Gamers were ‘forced’ to sign up to use the games – even on console. The Uplay system requires users to log in with an email or password, and offers digital extras, but also works as a Digital Rights Management system (DRM) to prevent copying. When your data is put at risk just to ensure profits stay high, that can cause serious nerd rage. Naturally, Ubisoft, like Sony before them, got hacked. Passwords leaked. Gamers raged.
One gamer on Ubisoft’s official forums said, “For future reference, I will never buy nor play another Uplay enabled Ubisoft game on Xbox that requires me to make another account on here. You had one job, keep my account information safe!”
A recent Grand Theft Auto V scam highlights just how susceptible PC gamers are to malware if the criminals dangle the right carrot. Despite the fact Rockstar, the game’s publisher, has never mentioned the reality of a PC version, thousands of gamers torrented an 18Gb file claiming to be just that. The zip, obviously, wasn’t a game – it was Theft, yes, but only from the users themselves.
Logic doesn’t always apply in the world of PC gaming downloads. Heavily involved gamers are prepared to take serious risks, not only to play games that don’t exist, but also to grind a dishonest edge in competition. Endless cheat hacks exist for titles such as leading MMO World of Warcraft (WoW) and first-person shooter Counter-Strike, but a huge number of them carry malware – according to We Live Security’s guide here, the figure can be as high as nine out of ten downloads. Transparent walls makes hostage situations easier to resolve, but really?
Sony’s PlayStation Network, famously, fell victim to legendarily vast attack in which credit card details, email addresses and more were accessed. Whereas even only a few years previously this would have had no affect on personal PC security, online gaming services are now multi-platform, spanning console, PC and mobile: get hacked on your PlayStation and you could get hacked everywhere.
PC gamers are some of the most passionate, gullible digital consumers in the world. I know because I’m one of them. I’ve hacked my WoW UI to add maps and trackers, and I’ve installed mods to drag the older games I love up to scratch graphically. I was relatively sure of the unverified software being safe, but just because a guy on a forum says it’s clean doesn’t necessarily make it so. The truth is I didn’t really care. I wanted to do it because I’m a hardcore hobbyist and I love computer games. As long as people like us exist, there will always be a Trojan aimed at our hard drives.
Author Guest Writer, ESET