Massively multiplayer online (MMO) games are being used to target children for malware distribution. The gaming industry is ill-prepared to stop the problem.
The most recent example is the popular MMO, Roblox. The game focuses on children under 12 and has been the target of multiple breaches over the past few years. The most recent was revealed in May. Private information of a third of the users was exfiltrated and offered for sale on the dark web and social media like Instagram. Some hackers are using the weakness to create pornography models and insert them into accounts of children.
Roblox officially downplays the weaknesses but offers little substantive explanation on how they are trying to prevent the hacks.
Young boy victimized
Cyber Protection Magazine learned of the reach of the security holes when a parent contacted us about how one of the porn models, known by the term “condo game”, was inserted into their nine-year-old child’s account. Roblox took quick action to ameliorate the problem by permanently deactivating the child’s account. A Roblox spokesperson provided multiple points about how aggressively the company shuts down this type of malware. However, we were able to access the condo game on another account a month after the deactivation.
In Roblox’s defence, stopping this kind of hacking, which is not illegal in the US, has been a near impossibility for the MMO gaming industry. Detailed instructions on how to do it are abundant on social media, YouTube in particular, and are updated regularly as the gaming companies put up after-the-fact defences. Code insertion tools, which Roblox says violate its terms of use, are also widely available; many are freely provided by hostile nation-states like North Korea. These tools are designed to mask malicious code and lurk within devices until they find security holes in corporate and government services.
Gaming industry vulnerable
Roblox security is not an isolated problem. Security weaknesses in MMO game platforms offer cybercriminals a way to backdoor work-from-home (WFH) and corporate servers unless users maintain vigilance. This month, reports said Chinese-government-sponsored hacking groups have infiltrated the Ragnarok MMO distributed by the South Korean gaming company Gravity.
But this is nothing new. Cisco Talos researchers said multiple campaigns use “several small tools looking like game patches, tweaks or modding tools” backdoored with obfuscated malware.
“These types of attacks are a return to form for classic virus campaigns — video game players are no strangers to trying to avoid malicious downloads while trying to change the game they’re playing,” the researchers said.
The threat actors use a complex VisualBasic-based decryptor and shellcode to hinder analysis and detection and hide the final payload deployed in their attacks.
“With the work from home trend not likely to end any time soon, there’s a highly increased use of private PC equipment to connect into company networks — this is a serious threat to enterprise networks,” the report concluded.
Tools exist, but use is spotty
Tools exist that mitigate the danger posed by hackers lurking in gaming platforms. However, in researching this article, we found that few of the tool providers are working with gaming companies.
“It is the absolute responsibility of the gaming company to make sure that their system and their users are protected,” said Raj Dodhiawala, CEO of Remediant, a company whose tools can mitigate the type of lateral attack posed by a game platform incursion.
A Roblox spokesperson explained all the steps they take to avoid these problems. They said they “review every single image, audio file, and video before it is published, with a combination of human moderation and state-of-the-art automated machine learning technology.”
Deflection
Roblox blamed a hacking tool, Synapse X, for account hacks. “Using third-party services to circumvent specific systems is against our Terms of Service. Roblox maintains many systems to keep our users safe and secure. We prohibit attempts to bypass these systems or otherwise violate our platform requirements.”
And yet, the nine-year-old boy still lost his account from the hack and the mod is still available. Synapse X is still available with training on YouTube.
Ultimately, the spokesperson put the onus on the user for maintaining security.
“As with any site, it is very important for users to keep their passwords and cookies private. We recommend users leverage the tools and information we provide to protect their accounts from malicious actors, including multifactor authentication (MFA).”
Weakest link
In truth, the child’s account in the above example was not protected by MFA. The username and password were also leaked onto the dark web. But Dodhiawala disagreed with Roblox.
“A weak password can get compromised. Somebody can use it to get into a Roblox account. And we all know that multi-factor authentication (MFA) is unreliable,” he explained. “So it is up to developers, designers, the owners of these games to protect users and systems from attacks.”
Moreover, while research companies say the use of MFA is increasing, it is still only at 79 per cent of users. And according to Microsoft, only 22 per cent of consumer-facing businesses offer MFA protection.
It’s not getting better
Recent European Union regulations stop Google and Apple from controlling access to games, essentially breaking up their duopoly. That gatekeeper activity, obviously monopolistic, also served to limit the access of hackers to products offered on their game services. Without that protection, malware in online games is going to increase, possibly by orders of magnitude.
What you can do
Since it falls on users, here are some recommendations for keeping your child and workplace safe:
- Use MFA whenever possible
- Use a password manager and don’t reuse passwords
- Don’t play games on devices you might take to work
- If at all possible, have a separate desktop computer air-gapped from your home network to prevent lateral incursions
- Teach your children to embrace zero trust. Don’t talk with strangers or download anything from them
- Look for news of breaches in gaming platforms regularly.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist, he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.