Security Experts:

Why Video Game Companies are Lucrative Targets for Hackers

Cyber-attackers have struck again, this time breaking into over 35,000 accounts on servers operated by video game maker Konami, the latest in a string of attacks that have compromised several video game companies.

There were 35,252 “unauthorized logins” between June 13 and July 7, according to a notice on the company's Website. Customer names, mailing addresses, birthdates, genders, phone numbers, and email addresses may have been accessed in the breach, according to the company. Konami warned its users to change their passwords immediately.

“No changes to customers' personal information, or unauthorized usage of paid services, have been detected,” Konami said.

Hackers Attack Video Game Firm Konami said the attackers had made 3,945,927 login attempts during the time period. The company was first alerted to something being wrong when “a large number of access errors were detected” on July 8, the company said.

It appears the passwords and user IDs used in the attacks were leaked from an external services provider, Konami said. Konami has taken steps to ensure that user IDs and passwords used during the login attempts can no longer be used. Affected customers were notified by email, the company said. It has also raised its monitoring level to detect other unauthorized login attempts.

Passwords used for online videogames “are often the same passwords used for things like web-mail and so on, allowing one compromise against a video game server to affect other services,” said Robert Hansen, technical evangelist at WhiteHat Security.

Konami's breach comes just a few days after Nintendo announced that attackers had successfully breached 23,926 Club Nintendo user accounts between June 9 and July 4. There were over 15.46 million login attempts over the same time period, Nintendo said.

While users should immediately change their passwords, especially if they had reused the same one elsewhere, the prospect of phishing attacks may be a bigger concern. User names, email addresses and a password are more than enough to help an attacker break into other online accounts or target a user for spear phishing, said Wade Williamson, a senior security analyst at Palo Alto Networks. Williamson said he hasn't seen such attacks yet, but it is a plausible way for the thieves to derive value from stolen data.

Videogamers are very susceptible to social engineering, said Tommy Chin, a technical support engineer at CORE Security. It’s simple to trick someone to provide personal information when the attacker can pretend to be someone’s gaming buddy who had already spent countless hours together in the virtual world. “These gaming buddies generally never meet in person which makes it so easy,” Chin said.

Game studio Ubisoft disclosed its second breach of 2013 earlier this month. It appears attackers compromised an account belonging to a customer or employee, and then exploited a vulnerability in the Web application to expose usernames, email addresses and encrypted passwords.

Credit card data aren't the only bits of information that can be sold in underground forums as personally identifiable information, home addresses, ages, and interests are just as lucrative, said Kevin O'Brien, enterprise solution architect at Cloudlock. The demographics of the average gamer—middle class males between 18-to-30 years old—is also attractive to criminals, O'Brien said.

Konami, Ubisoft, and Nintendo are not the only gaming companies caught in cyber-cross hairs recently. In 2011 alone, Steam, Sony, Sega, Codemasters, and EA's Bioware were hit by various online attacks. Hacktivist pranksters LulzSec grabbed user data from EA's Battlefield Heroes game as part of its swan song in June 2011.

The notion that gaming companies have no valuable assets is a “fallacy,” said Ken Pickering, director of engineering at CORE Security. Since many of these games have adopted micropayments and downloadable content (DLC), the accounts frequently have lucrative PCI data, Pickering said.

Accounts on popular games, such as World of Warcraft, can be sold for real money on underground forums, Chin noted. Hansen also pointed out that special in-game items can often be sold for real money on secondary markets.

The motivations behind the attacks vary wildly, even within the gaming industry, Williamson said. Sony was originally targeted by Anonymous and other hacktivists to protest Sony's prosecution of George Holtz. The earlier Ubisoft attack leaked a game that had yet to be released to the public.

“These are attacks that reflect the personal interests and opinions of the attackers themselves, and not necessarily a long-term financial pay-off,” Williamson said.

Another thing to think about—the attackers may be mining user data to try to identify individual users for other nefarious purposes. Terrorist organizations and criminals to identify gamers in hopes of finding “gaming avatars that can be used as an intelligence extraction point,” said Sean Bodmer, chief researcher in the counter-exploitation intelligence group at CounterTack. Criminal groups have approached him in MMORPGs in hopes he would hand over US intelligence, Bodmer said.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.