Game Over: Hackers targeting online gamers and taking over accounts to access financial information

Online chats act as one gateway for attacks against children 
Game Over: Cybercriminals target online gamers. Reporter Rachel DePompa and Photojournalist Daniel Heffner (InvestigateTV)
Published: Jul. 25, 2022 at 5:21 PM EDT

InvestigateTV –Video games offer users the opportunity to escape from reality and enter a virtual world where nearly anything is possible.

From mobile, to console to desktop, the multi-platform options are plentiful for the more than 215 million Americans playing video games, according to the Entertainment Software Association (ESA), an industry lobbying group.

And it’s not just children picking up controllers. That same ESA report showed that while 71 % of kids under 18 are gamers, nearly two-thirds of all video game players are adults.

The $60 billion gaming industry has increasingly come under attack from hackers. In a 2020 report, cybersecurity company Akamai tracked more than 246 million web attacks against the gaming industry, often through mobile or web-based games. Those numbers indicate an increase of 340% from 2019.

Cybersecurity expert Alex Nette, CEO of Hive Systems, said the direct cost to consumers is often difficult to identify.

“There’s not a lot of information about all of this and more importantly, how much it’s costing consumers at the end of the day,” Nette said.

Losing Control

Chris Stephens began gaming as a child and hasn’t stopped.

“I grew up in the age of where online gaming and computer gaming was just coming about,” Stephens said.

The 36 -year-old Stephens said his first game was “Super Mario Bros.” on the original Nintendo Entertainment System (NES). Stephens’ tastes evolved along with video game technology. Now, the 8-bit world of Mario is gone, and he’s a regular on the streaming gaming platform Twitch.

“It’s definitely gotten a lot more complex,” Stephens said.

Chris Stephens streams himself playing on Twitch. “I brought you your teammate! I brought you your teammate,” he says to another gamer over his headset.(Chris Stephens)

Stephens said he uses video games to connect with gamers across the country, but those same systems opened him up to something he said he never expected to happen while playing games – getting hacked.

In 2017 Stephens said he got an email from video game company Electronic Arts (EA) about a questionable login attempt. However, Stephens said the hackers had apparently changed his language preferences on his account, and the email was sent in Russian.

“I got an email, it was in complete Russian. Luckily Google Translate exists, so I was able to decode what it said,” Stephens said. “Essentially it said that my password had been reset and if I wasn’t the one who initiated it, I should reach out and refresh my password.”

Stephens said he had no idea how the hacker got access to his account. He said he was immediately concerned about what other information the hacker might have stolen.

“Once I got that first email in Russian and I’m looking through it and wondering what exactly happened here, you kind of stop and wonder what else has been compromised,” Stephens said.

The email in Russian shown on the left is what Electronic Arts sent notifying Stephens about some strange activity in his account. The email on the right shows the translation after Stephens ran it through an online translation service.(Daniela Molina, InvestigateTV)

The next attack came three years later. In 2020, Stephens said he was playing Fortnite, a popular online video game by Epic Games, when an intruder hacked his account and changed his username. He said he did some investigating and the IP address pinged someone in India.

Stephens said he was eventually able to recover his account, but he’s not alone when it comes to getting hacked.

Norton LifeLock, a software company that provides tools to prevent hacks, said in a 2021 report that almost half of users experienced some form of a cyberattack on their gaming account or device.

Hackers Attack

Alex Nette said most people fall victim to hackers without knowing until it’s too late. One of the main targets: usernames and passwords.

“Videogames are just like many other online accounts for kids and adults. There are passwords and usernames usually associated with those accounts,” Nette said. “So, for hackers and scammers, they may want access to those accounts, especially if for kids and adults who’ve spent a lot of time invested in those videogames that’s all their achievements in one place.”

Akamai’s “State of the Internet” report highlighted “credential stuffing” as a popular tactic used by hackers. Credential stuffing starts with a hacked account. Once that victim’s username and password is compromised, it’s then potentially sold on the black market. Because players often use recycled or easily guessed usernames and passwords, hackers could then gain access to multiple accounts with those same credentials.

This screenshot from Akamai’s reports shows examples of credential stuffing. Hackers use these postings to get access to people’s username and password to gain access to other devices using the same credentials.(Akamai)

In 2018, the BBC reported that hackers admitted to selling player accounts for as little as £25, which is the equivalent of $30 US. Nette said not only are video game accounts worth a lot of money because of in-game purchases and software, but the accounts are often linked to credit cards.

“For those hackers and scammers, that makes kids and adults alike a really great target for them,” he said. “Whether you’re on a PC, or a console like a PlayStation or an Xbox, you’re at the same amount of risk.”

Nette said another popular method of access for hackers is in-game chat features, especially when it comes to targeting children.

Games will offer methods to communicate via text chat or mics while playing online. He said anyone could be on the other end of that conversation.

“For kids and adults alike, be aware of who you’re talking to,” Nette said. “Understand and expect what they might be chatting about and keep an eye out for those links that might look malicious or dangerous.”

The Entertainment Software Association (ESA) lobbies on behalf of some of the largest gaming companies, provides guidance to manufacturers and encourages regulation to protect gamers across the country.

In 1994, the ESA created a self-regulatory body, the Entertainment Software Rating Board (ESRB). The group provides guidance to consumers – especially parents – on safety concerns. The ESRB also developed a rating system to identify a game’s age appropriateness.

The Entertainment Software Rating Board has 7 ratings to categorize the level of concern and interest parents might have on a game. This ranges from sexually-explicit content, language, and violence. https://www.esrb.org/ratings-guide/(ESRB)

The ESA and other agencies like the Federal Trade Commission (FTC) have pushed to create codes that protect children’s privacy and information.

The FTC stated on its site, “The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. The COPPA Rule puts additional protections in place and streamlines other procedures that companies covered by the rule need to follow.”

In the ESA’s trust and safety policy, the agency said that “the video game industry has a strong commitment to online safety, especially when it comes to children.” The ESA also has a walkthrough on how to navigate the settings and restrict communications in its Parental Controls section.

Getting Involved

Marcy Thornhill is a mom and a youth advocate for Kollege and Kareer for Youth, a nonprofit based in Richmond, VA designed to help young people prepare for college and choose a career.

Thornhill raised two daughters who, while not avid gamers, grew up playing video games. Her kids never got into online gaming, but in her current role Thornhill teaches safe gaming practices to parents and kids. “I hear a lot of concern from parents about gaming and just the need for young people to feel plugged in,” Thornhill said.

During her work at the nonprofit, she said she noticed kids playing video games more often, especially during the summer months.

“For so many, youth gaming is a huge part of their lives and just their desire and drive every day,” Thornhill said. “The game is the motivation for so many youths in our communities.”

Like Nette, she cautioned against who could be on the other side of online communications.

“As we continue in this new age of Zoom and videogames and apps, we have to continue as parents, as educators, as community leaders to be diligent in ensuring the safety of our children and our family,” Thornhill said.

She said she recognizes videogames are part of the bond between children in the classroom, in their personal life and at home, but she said parents need to take an active role.

Thornhill suggested a few things parents can do:

  • Watch the games that kids are playing – check their ratings to see if they are in the proper age group to play it
  • Walk through the process and security controls with them, and talk to them about why it’s important.
  • Turn on all security protocols on their devices

“It is our responsibility to ensure [children] are well informed and not make assumptions because they know how to turn it on and operate it,” Thornhill said.

Chris Stephens, the gamer, also encouraged parents to talk with their kids about protocols and safety measures while playing online games, especially if money is involved.

Stephens said his own nephew plays online games and uses his Christmas gifts of virtual currency to buy skins (add-ons of attire for characters) for his online games.

“Without having those conversations, those accounts can be lost and potentially lost completely,” Stephens said.

As for his own accounts, Stephens said he’s learned from his experiences.

“I knew that there was a security risk there, but I really didn’t think that anybody would do anything,” Stephens said. “And lo and behold, both of my accounts got broken into. I’ve gotten better about it over time. But it’s one of those things where you don’t think it will happen to you until it does.”

Stephens said he now turns on two-factor authentication on his gaming devices to avoid getting hacked.

Experts and victims tell InvestigateTV there are other ways to protect yourself before it’s “Game Over”:

  • If you’ve attached a credit card to you or your child’s account, regularly monitor purchases made from that account.
  • Check to see if the gaming companies offer “scrubbing” for the chat function. It allows companies to censor certain language and prevents links from being posted.
  • Report any strange activity to the company, especially if you know something seems like a scam.

To get more access to ways parents can protect their children on specific devices, ESRB has provided additional tips in its blog post.