Tuesday 28 June 2016

How Cyber-Criminals are Following the Money to Video Games

The global video game market just topped $100bn in value, and cyber-criminals want a piece of it. Danny Bradbury finds out how they operate.
The video game has come a long way since the home hobbyist days of the BBC Micro and the ZX Spectrum. Eight-bit follies developed in the bedroom have given way to 32-bit masterpieces – and the games themselves aren’t the only thing to have evolved. Criminal activity in the video game market has grown, and changed.
What was a cottage industry is now a global one. Gartner puts the size of the global video game market at $101.6bn in 2014, up from $79bn in 2012. By 2015, it will top $111bn, the analyst firm says. But where revenues are high, cybercrime will surely follow.

Pirates Drop Anchor

Piracy is often mentioned by those exploring cybercrime in the games industry, because it has been a traditional problem. In the early days of computing, video games were almost entirely distributed on magnetic or optical media that was then cracked by pirate groups.
These cracker teams evolved from pre-internet BBS hobby groups, who would disassemble game code to remove software copy protection, before uploading it to ‘elite’ back-room sections of piracy BBSs and web chat rooms, or distributing it physically.
One of the earliest cracker groups was Razor 1911, which is still cracking games today. These days, cracked games are distributed mostly via peer-to-peer networks.
Game piracy is still a healthy criminal industry online, although less so than some industry groups would have us believe, according to researchers at MIT. They surveyed networks using the BitTorrent protocol, and found that 12.6 million unique networked peers from 250 geographical areas were sharing games.
There is a heavy concentration of titles and geography. Just over 40% of piracy focused on ten titles, and three quarters of piracy came from just 20 countries.
This game code often gets stolen from the source, rather than cracked after release. In July 2014, Dell SecureWorks identified TG–3279, a Chinese group that it said has been infiltrating videogame development companies since 2009.
TG–3279 used traditionally well-understood penetration techniques, including the use of network scanning to profile its targets, and the installation of remote access tools (RATs) to gain access to specific machines. SecureWorks said that the group could be stealing the source code for several reasons, including piracy, or in order to use the source code in competing products.

DDoS Attack Powered by 25,000 CCTV Cameras

Security researchers have revealed a unique new DDoS attack launched against a small business, which was powered entirely by thousands of compromised CCTV units.
Sucuri founder Daniel Cid explained in a blog post that 25,513 IP addresses were spotted, with a plurality in Taiwan (24%), the US (12%) and Indonesia (9%) – although they spread out over 105 countries in total.
By far the largest number of devices themselves (46%) were H.264 DVR units, with Cid suspecting they may have been compromised via a recently disclosed RCE bug in CCTV-DVR.
“It was a layer 7 attack (HTTP Flood) generating close to 35,000 HTTP requests per second (RPS) which was more than their web servers could handle,” Cid explained of the attack.
“After the site came back up, the attacks increased their intensity, peaking to almost 50,000 HTTP requests per second. It continued for hours, which turned into days.”
The victim was a small high street jewelry shop, and although Cid claimed he couldn’t reveal the reason for the attack, he explained that most such incidents come down to a competitor or a disgruntled customer or employee.
“Unfortunately, as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods,” he concluded.
“However, you can do your part. If you are an online camera user or vendor, please make sure it is fully patched and isolated from the internet. Actually, not just your online camera, but any device that has internet access (from DNS resolvers, to NTP servers, and so on).”
Cid claimed Sucuri is in the process of contacting the networks running these compromised CCTV cameras, but admitted that even if these are patched, the black hats won’t have to go far to find some more vulnerable devices to add to their botnets.
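
A defender's view of the numbers Cid quotes, as an added example that is not part of the original article: 35,000 requests per second spread over 25,513 addresses averages about 1.4 requests per second per device, so a per-source rate limit sees nothing unusual while the site-wide rate does. The even spread across devices, the log format, the thresholds and the 2,000-source sample (private 10.0.0.0/16 addresses) are constructed assumptions.

```python
from collections import Counter, defaultdict


def parse(line):
    """Return (epoch_second, source_ip) from 'EPOCH IP METHOD PATH' (constructed format)."""
    ts, ip, *_ = line.split()
    return int(ts), ip


def analyse(lines, per_ip_limit=10, site_limit=1000, window=10):
    """Compare a per-source rate limit with a site-wide check over fixed windows.

    Both limits are in requests per second and are illustrative assumptions.
    """
    buckets = defaultdict(Counter)  # window start -> requests per source IP
    for line in lines:
        ts, ip = parse(line)
        buckets[ts - ts % window][ip] += 1
    report = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total_rps = sum(per_ip.values()) / window
        report.append({
            "window": start,
            "rps": total_rps,
            "sources": len(per_ip),
            "max_source_rps": max(per_ip.values()) / window,
            # Sources a per-IP limiter would have throttled in this window.
            "per_ip_blocked": sum(1 for n in per_ip.values() if n / window > per_ip_limit),
            # Aggregate signal: the whole site is over its expected ceiling.
            "flood": total_rps > site_limit,
        })
    return report


def constructed_flood(sources=2000, per_source=14, window=10, start=1467072000):
    """Constructed sample: every source sends 1.4 req/s for one window."""
    lines = []
    for i in range(sources):
        ip = f"10.0.{i // 256}.{i % 256}"
        for k in range(per_source):
            lines.append(f"{start + (k * window) // per_source} {ip} GET /")
    return lines


if __name__ == "__main__":
    for row in analyse(constructed_flood()):
        print(row)
```

In the constructed window no single source exceeds the per-IP limit, yet the aggregate rate is well over the site ceiling, which is why mitigation for this kind of flood has to key on site-wide rate and source count rather than on any one address.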