Security: Blocking the path that leads from gaming cheats to malware
It’s an environment where having the slightest edge over an opponent can be the difference between winning and losing, which means cheating is often an unfortunate part of many sports.
And the rise of online gaming means that the underhand behaviour that so often has undermined real-world sporting competitions has been extended into the digital world, too.
There’s now enough demand for cheats that there is a lucrative marketplace dedicated to helping gamers gain an unfair edge.
SEE: 10 tips for new cybersecurity pros (free PDF)
“This is a multi-million dollar industry. Many of these websites sell a subscription model and it ranges from $10 to $100 and some can cost over $500 for an elite cheat,” says Santiago Pontiroli, security researcher at Kaspersky Lab, who started investigating malware-like cheats in video games after getting fed up with hackers in online matches.
The ‘as-a-service’ model for cheats might sound familiar, because it’s a common business model for selling malware on dark web underground forums; subscription services keep the money rolling in for the malware authors, while also providing updates and new services to users.
That isn’t the only similarity between gaming cheats and malware – because at their core, they’re almost the same thing.
The developers of cheats need to be proficient at coding, and being able to protect and pack code, while also being able to design their software in such a way that it isn’t detected as malicious by security defences.
“People create software to be able to install it in the game without being detected, so it’s similar to a virus; you want to attack without being detected, while other things are going on in the background for the user,” says Mayra Rosario, senior threat researcher at Trend Micro.
Some cheat developers even check their products against VirusTotal – a legitimate service used to analyse potentially suspicious files – to see if the code is flagged as malicious. If it is, they’ll go back and edit the code so it can fly under the radar and remain undetected.
“They also check their cheats against VirusTotal because cheats exhibit the same behaviour as malware sometimes; they need to scan memory, they need to modify code, so a lot of anti-virus might flag cheats because of the behaviour because they’re trying to do something they’re not meant to,” Pontiroli adds.
For many, an interest in developing cheats for games comes out of one of two things; either a desire to be top of the scoreboard, or an interest in how the code of the game works behind the scenes. However, those who become especially skilled in this area can be led towards more serious hacking.
It’s also worth remembering that cheats are against the user agreement of many popular games to modify the code of the game in order to gain an advantage and game developers are going to frown upon those to develop cheats. Because of this, developing and distributing cheats can be against the law.
“Offenders begin to participate in gaming cheat websites and ‘modding’ forums and progress to criminal hacking forums without considering consequences,” notes a National Crime Agency report about pathways into cybercrime, which details examples of teenagers who became interested in cheats, then progressed into cybercrime – before getting arrested and charged.
“In many cases, creating gaming cheats is a stepping stone for getting into malware development, since the knowledge and skills required to develop cheats translate easily to the development of malware,” says Albert Zsigovits, threat researcher at Sophos Labs.
In some cases, this also translates into not only selling cheats, but selling stolen account credentials of online gaming accounts, stolen in-game items, as well as access to other services such as VPNs. Of course, an interest in cheats isn’t a gateway into cybercrime for the majority, but for those with the skills, it can be a dangerous next step.
“It’s like a gateway drug; you might start with a cheat, then you learn around underground forums and start learning programming but with a different approach,” says Kaspersky’s Pontiroli.
Cheats can have serious negative consequences for games developers.
“When you’re playing a game, you get rewards. So if you have a cheater playing, that gets you worked up and you end up quitting the game, you’ll cancel your subscription, you’ll stop buying the games, you’ll leave a bad review: this could damage the reputation of the company and it could cost a lot of jobs,” says Pontiroli.
“Either we tackle this problem now or it’s going to reach a point where it’s snowballed and we can’t go back,” he adds.
However, the similarity in the code of gaming cheats and malware means that cybersecurity researchers could play an important role in fighting against the cheat developers – and thus potentially stopping some of those behind these schemes getting confident enough to switch their focus to malware.
Major online games have anti-cheat systems, but it’s perhaps time to augment these with some lessons from the broader security industry. Many organisations run bug bounty schemes, encouraging white-hat hackers to find vulnerabilities in their software in return for a financial reward.
In order to help protect against cheats, the games industry might consider ramping up their bug bounty programmes because if good guys can close off bugs that cheaters are going to look to exploit, it will cause much less damage in the long run; even if it can’t cut out the bad actors completely.
“There’s always going to be people looking to cheat the system because there’s always going to be business for it,” says Rosario.
“Maybe there should be lessons learned over how the security industry has bug bounties and maybe some of these anti-cheat systems should get something similar in place,” she adds.
Ultimately, it could even be advantageous for the cybersecurity industry and the games industry to work together as one to fight the problems, given how interlinked they can potentially be.
“I think both parties can learn from each other by sharing research work and publishing new discoveries. Anti-cheat companies might see more sophisticated cheat programs due to their position in the market, while anti-virus products also cover a lot of known techniques that are exploited for cheating,” says Zsigovits.