BITS&BYTES-AR&T-Cybersecurity Part 2
CYBERSECURITY AND DATA PROTECTION - April 2024

Online Safety and Cybersecurity Risks in Online Gaming – Part 2

By Lau Kok Keng and Claire Mak (Rajah & Tann Singapore LLP)

I.   Introduction

In the first part of this article, we explored the various online safety risks that e-gamers may encounter, and how existing laws can deal with offences committed against the e-gaming community. In this second part, we will examine the common cybersecurity issues that arise from online gaming, and look at the forms of legal protection available against cybersecurity threats.

II.  Cybersecurity issues in online gaming

Online gaming has captivated millions of players worldwide. However, amidst the immersive experiences and social interactions offered, the realm of online gaming harbours significant cybersecurity risks which are often overlooked by gamers engrossed in their gaming pursuits. Research conducted in 2021 revealed that a fifth of gamers had experienced or knew someone affected by gaming-related scams, but less than a third of them knew how to recognise such scams.[1] The research also revealed that on average, gamers devote about 14 hours per week to gaming.[2] Moreover, gamers now dedicate more time and money to their gaming interests compared to previous years. With an online environment where interactions with strangers are frequent, this presents an opportunity for exploitation by fraudsters and online criminals.

A.    Risk of malware on free-to-download games

There are over 1 billion malware programs in existence, with 560,000 new pieces of malware being detected daily on average.[3] In the case of free-to-download games, infiltration of such malware could occur when games are acquired through pirated channels like torrents or unsafe distribution platforms, while certain games are crafted to function as malware right from their creation.[4] Malware often lurks behind enticing offers. Kaspersky Lab, a cybersecurity company, detected that from 1 July 2022 to 1 July 2023, there were 4,076,530 attempted downloads, targeting 30,684 distinct files masquerading as popular games, mods, cheats and other game-related software, impacting 192,456 individuals worldwide.[5] Notably, 89.70% of these files were unwanted software, which, while not inherently harmful, serve as conduits for downloading other programs, including malware, onto the user's device.[6]

Malware-infected games expose gamers' devices to a range of dangers, including keyloggers, ransomware and remote access trojans. This not only jeopardises the gaming experience, but also compromises gamers’ personal information and privacy. Hence, gamers should exercise caution when seeking cheaper or free alternatives to games, accessing cheat codes or obtaining items from third-party vendors. Conducting thorough research on games and avoiding unauthorised downloads can minimise risks of encountering malware.

B.     Hacking into gaming accounts and e-wallets

A significant 55 percent of frequent gamers experienced instances of account compromise at some point.[7] In this regard, the gaming community is known for its substantial in-game expenditures, with the online microtransaction market expected to reach US$106.02 billion in 2026.[8] As more users link their payment methods to their accounts, gaming platforms become lucrative targets for hackers seeking to abscond with and utilise valuable banking data.[9] In the first seven months of 2022, as many as 34 Russian-speaking gangs distributing information-stealing malware stole no less than 50 million passwords, harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards.[10]

Scammers either exploit the stolen data themselves or market it within the cybercriminal underworld. One report has estimated a $1 billion annual revenue generated from the sale of stolen game accounts.[11] The targeting of the gaming industry persists unabated, with automation playing a pivotal role in the hacking process.[12] Hacking operations have increased in complexity, aided by the availability of specialised software on the dark web. This has streamlined the process, increasing accessibility to emerging hackers.[13]

Gamers should therefore prioritise the security of their accounts by using strong, unique passwords and enabling security features like multi-factor authentication.

C.   Phishing

Research has found that 91% of cyberattacks begin with a phishing email.[14] In the realm of online gaming, there exists a variation of the common phishing scam, a tactic employed to deceive users into revealing their account credentials. Fraudsters typically initiate the scam by sending deceptive emails or links through chats during online gaming sessions, urging gamers to verify their login details, or making fake promises of rewards, promotions, etc. Unsuspecting gamers, upon clicking the links, are then deceived into installing game malware or are redirected to a fake login page. The gamer’s account information is stolen once they enter their username and password, thereby placing their gaming assets and personal data at risk of exploitation.[15]

Gamers should therefore verify the authenticity of any suspicious links and/or messages and refrain from sharing personal information with strangers or within gaming forums.

D.    Data theft

Online gaming platforms contain vast amounts of user data, making them prime targets for cybercriminals seeking to steal sensitive information. Some recent data breaches include:

  1. In 2019, the Zynga data breach impacted more than 172 million accounts.[16] The stolen data included gamers’ email addresses and phone numbers.[17]
  2. In July 2022, Roblox suffered the theft of 4 GB of gamer data, while the Neopets breach led to 69 million of its member registrations and source codes being listed for sale for 4 BTC.[18]
  3. In January 2023, hackers stole the source code of Riot Games’ game software and its legacy anti-cheat system.[19] In July 2023, hackers alleged the theft of Razer Gold’s data, including its source codes, encryption keys, backend access logins, and databases.[20] Beyond their intrinsic value as intellectual property, source codes can be analysed to identify vulnerabilities and plan further cyberattacks.
  4. In October 2023, Shadow, a game streaming giant, announced a data breach impacting over 500,000 users.[21] The attack originated from an employee inadvertently downloading malware disguised as a game.[22]
  5. In December 2023, stolen information of Insomniac was released, comprising over 1.3 million files, including spoilers from unreleased games, personal information of employees, and reports detailing internal strategies. Such internal details would invariably be of interest to competitors. Leaked documents further confirmed rumours of impending layoffs that had been circulating among employees. In the aftermath, staff found themselves facing the possibility of both identity and job loss.[23]

Data breaches highlight the vulnerability of gaming companies to cyberattacks. Organisations should adopt robust cybersecurity measures, such as safeguarding their software development environments and collecting only required data.

E.     Spyware

Gamers may be targeted by spyware, especially when interacting with unreliable online gaming platforms. Spyware operates covertly, tracking individuals' online activities without their knowledge or consent. Once collected, this data can be exchanged with third parties. One study found that 87% of free games and 65% of paid ones had at least one piece of spyware.[24] However, even in paid games, users are not immune to tracking activities. Ad trackers gather user data for targeted advertising, while analytics spyware shows how the gamer uses the application. Free games typically incorporate both forms of trackers, while paid games mostly integrate analytics spyware for monitoring purposes.[25]

Globally, video game companies are implementing surveillance and control systems. For example, last year, Tencent announced its compliance with China’s mandate to incorporate facial recognition technology into its games.[26] This decision aligned with China’s strict gaming regulations, which seek to limit minors’ gaming time to prevent addiction. Whilst it is crucial to endorse measures aimed at creating a safer gaming environment, it is nonetheless possible that such features are primarily for the corporation’s own commercial gain rather than the gamers' benefit. Games provide vast information on gamers' psychologies and cognitive patterns. By leveraging this data, developers can discern gamers' preferences, tailoring experiences to evoke desired responses. This then becomes a continuous cycle: gaming corporations utilise surveillance to develop enticing content, subsequently marketing this same spyware under the guise of managing the very addiction it instigated.

F.     Ransomware

Ransomware is a form of malicious software utilised by cybercriminals to extort money from their victims. In ransomware attacks, perpetrators infiltrate computer networks and block access to data and devices until victims comply with their payment demands. While these attacks frequently target large businesses (where attackers anticipate substantial financial gains), owners of individual devices can also fall prey to ransomware, with access to their data or devices restricted until the ransom demand is met.

Phishing emails represent a primary method through which computers become infected with ransomware. Additionally, individuals may inadvertently download ransomware through drive-by downloading, where visiting an infected website leads to the automatic download of ransomware. Ransomware can also be inadvertently accessed through social media platforms and web-based messaging applications,[27] posing risks to users who interact with infected content without realising the potential dangers.

III.   Legal Protection against Cybersecurity issues

Various countries have enacted cybersecurity and data protection legislation affecting various industries, including the gaming sector. Examples include the Computer Misuse Act and Data Protection Act in the United Kingdom, the Computer Fraud and Abuse Act and data protection laws in the United States, and the Criminal Code Act in Australia. Organisations and individuals impacted by cybersecurity incidents in online gaming such as data breaches may be able to seek legal recourse through civil lawsuits or criminal prosecution.

This section considers the legal protection available against cybersecurity threats in online gaming in Singapore, and explores the potential adoption of a global approach.

A.     Legislation in Singapore

Singapore manages issues of cybersecurity, data protection and computer misuse largely through the Cybersecurity Act (“CA”), the Personal Data Protection Act (“PDPA”), and the Computer Misuse Act (“CMA”) respectively:

  1. The PDPA, administered by the Personal Data Protection Committee, regulates the collection, use, and disclosure of personal data in Singapore. The gaming industry, like any other sector, must comply with PDPA requirements when handling personal data of users, ensuring that data is collected and managed securely to prevent unauthorised access or breaches.
  2. The CA establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. It empowers the Cyber Security Agency of Singapore (“CSA”) to, amongst others, prevent, detect and respond to cybersecurity threats and regulate owners of critical information infrastructure (“CII”). A CII is a computer or computer system located wholly or partly in Singapore which is necessary for the continuous delivery of an essential service, the loss or compromise of which computer or computer system will have a debilitating effect on the availability of the essential service in Singapore.[28] The CA defines “essential service” to mean any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule.[29] Whilst gaming services are not currently specified, the CSA does not preclude gazetting new essential services in the future.[30]
  3. The CMA criminalises unauthorised access to computer systems and data and activities such as hacking and malware distribution. Gaming companies can leverage this legislation to take legal action against cybercriminals who attempt to breach their systems or compromise user data.

B.     Additional cybersecurity bodies and resources in Singapore

The Singapore Cyber Emergency Response Team (“SingCERT”) facilitates the detection, resolution and prevention of cybersecurity related incidents on the Internet.[31] SingCERT encourages the reporting of cybersecurity incidents to allow it to issue alerts or advisories on relevant threats and to assist a broader range of individuals and organisations.

Moreover, the Singapore Police Force has collaborated with the CSA to develop a ransomware portal. Soft launched on 6 September 2023, the portal allows victims to easily report ransomware incidents, offers recovery support, and includes ransomware advisories, trends and prevention measures that can be adopted to avoid falling victim to ransomware attacks.[32]

C.     Adopting a global approach

Due to the global nature of online gaming and cyber threats, it is imperative to foster international cooperation and collaboration among governments, law enforcement agencies, and industry stakeholders. Initiatives such as sharing information, conducting joint investigations, and coordinating responses play a pivotal role in effectively combating cybercrimes in online gaming on a global level. Some international initiatives include the following:

  1. The Budapest Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks. Its objective is to pursue a common criminal policy aimed at protecting society against cybercrime, including by adopting appropriate legislation and fostering international co-operation.[33] The Convention is open for accession by any state prepared to implement it and engage in cooperation.[34]
  2. The International Telecommunication Union (“ITU”), a specialised agency of the United Nations, has been involved in initiatives such as developing guidelines and best practices relating to information and communication technologies. For example, ITU developed its first set of Child Online Protection Guidelines in 2009.[35] These guidelines have since been updated periodically, with the 2020 guidelines recognising that “keeping young users safe online has emerged as an increasingly urgent issue for every country”.[36]
  3. The International Organisation for Standardisation (“ISO”) develops and publishes international standards, including for the gaming industry. With ever-present cyber threats, the ISO has developed the ISO/IEC 27001 standard, enabling organisations to establish an information security management system and to apply appropriate risk management processes adapted to their size and needs.[37] Compliance with this standard therefore enables gaming companies to fortify their defences against cyber-attacks.
  4. The Internet Governance Forum is a global multistakeholder platform that facilitates the discussion of public policy issues pertaining to the Internet.[38] Issues relating to online gaming have been discussed in various years, for example in 2019[39] and 2020.[40]

With such international initiatives, stakeholders can better identify and address cybersecurity risks, ultimately enhancing the safety and security of online gaming environments worldwide. In Singapore, the CSA actively pursues bilateral partnerships, engages in multinational discussions to shape the norms of responsible state conduct in cyberspace, and drives regional cybersecurity capacity building initiatives.[41]

IV.   Conclusion

While legislation seeks to protect the online safety of organisations and individuals, a safer cyberspace can only be achieved when everyone plays their part. Indeed, in many countries, there are various resources to help organisations and gamers elevate their cybersecurity knowledge. For example, guidance relating to online gaming may be found on the websites of the National Cyber Security Centre[42] and the Australian Signals Directorate[43] for the UK and Australia respectively. In Japan, the National Center of Incident Readiness and Strategy for Cybersecurity promotes and coordinates cybersecurity policies between the public and private sectors to create a “free, fair and secure cyberspace”.[44]

Ultimately, prevention is key to avoiding falling victim to cyber incidents. Organisations should adopt good cybersecurity practices, including tight access control and data protection mechanisms. Individually, gamers should not only protect themselves but also seek to educate and influence their peers, who are often young. By actively engaging in forums, social media groups, and gaming communities, well-informed gamers can share their knowledge and resources, and encourage others to adopt safe practices. Utilising these platforms for cybersecurity awareness can create a ripple effect that can help safeguard entire gaming communities against potential cyber threats.

AUTHOR INFORMATION:

Lau Kok Keng is a Partner and Head of the Intellectual Property, Sports and Gaming Practice at Rajah & Tann Singapore LLP.
Email: kok.keng.lau@rajahtann.com

Claire Mak is a Senior Legal Executive and soon to be Associate in the Intellectual Property, Sports and Gaming Practice at Rajah & Tann Singapore LLP.
Email: claire.mak@rajahtann.com

REFERENCES

[1] https://www.theguardian.com/money/2021/oct/17/from-fortnite-to-fifa-online-video-game-players-warned-of-rise-in

[2] https://www.theguardian.com/money/2021/oct/17/from-fortnite-to-fifa-online-video-game-players-warned-of-rise-in

[3] https://www.getastra.com/blog/security-audit/malware-statistics/#:~:text=560%2C000%20new%20pieces%20of%20malware,of%20%244.54%20million%20per%20incident

[4] https://heimdalsecurity.com/blog/cybersecurity-for-gamers-101-malware-risks/

[5] https://securelist.com/game-related-threat-report-2023/110960/#:~:text=The%20most%20common%20threat%20was,and%20PlayerUnknown's%20Battlegrounds%20(2.85%25); https://securityintelligence.com/news/cyberattacks-against-gamers-increase-167-percent/

[6] https://securelist.com/game-related-threat-report-2023/110960/#:~:text=The%20most%20common%20threat%20was,and%20PlayerUnknown's%20Battlegrounds%20(2.85%25); https://securityintelligence.com/news/cyberattacks-against-gamers-increase-167-percent/

[7] https://www.computerweekly.com/news/252489465/Video-gamers-barraged-with-cyber-attacks

[8] https://www.thebusinessresearchcompany.com/press-release/online-microtransaction-market-2022

[9] https://securityintelligence.com/news/cyberattacks-against-gamers-increase-167-percent/

[10] https://thehackernews.com/2022/11/34-russian-hacker-groups-stole-over-50.html

[11] https://www.straitstimes.com/tech/hackers-may-be-after-your-highly-ranked-video-game-account

[12] https://www.pcmag.com/how-to/how-to-protect-your-online-gaming-accounts

[13] https://www.pcmag.com/how-to/how-to-protect-your-online-gaming-accounts

[14] https://www.yeoandyeo.com/resource/91-of-cyberattacks-begin-with-a-phishing-email#:~:text=Research%20by%20Deloitte%20found%20that,billion%20user%20accounts%20to%20criminals

[15] https://www.kaspersky.com/resource-center/threats/coronavirus-gaming-scams

[16] https://us.norton.com/blog/emerging-threats/new-report-says-zynga-breach-in-september-affected-172-million-a#:~:text=Zynga%20contacted%20affected%20users%20at,information%20on%20172%2C869%2C660%20unique%20accounts

[17] https://www.spywarepoint.com/spyware-in-online-gaming/

[18] https://socradar.io/increasing-cyberattacks-targeting-the-gaming-industry-in-2022/

[19] https://techcrunch.com/2023/02/21/hackers-allegedly-steal-activision-games-and-employee-data/

[20] https://www.zdnet.com/article/razer-investigating-potential-breach-involving-its-digital-wallet/

[21] https://www.malwarebytes.com/blog/news/2023/10/customer-data-stolen-from-gaming-cloud-host-shadow

[22] https://www.malwarebytes.com/blog/news/2023/10/customer-data-stolen-from-gaming-cloud-host-shadow

[23] https://www.pcmag.com/news/ouch-hackers-leak-16tb-of-data-stolen-from-sonys-insomniac-games

[24] https://news.cnrs.fr/articles/spyware-in-mobile-games

[25] https://news.cnrs.fr/articles/spyware-in-mobile-games

[26] https://www.sixthtone.com/news/1007915

[27] https://www.kaspersky.com/resource-center/threats/gaming-ransomware

[28] Section 7 CA

[29] Section 2 CA

[30] https://www.csa.gov.sg/faq/cybersecurity-act

[31] https://www.csa.gov.sg/Explore/who-we-are/our-identity/about-singcert

[32] https://www.csa.gov.sg/News-Events/Press-Releases/2023/launch-of-the-ransomware-portal-a-one-stop-access-to-ransomware-related-resources

[33] https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=185

[34] https://www.ictlc.com/a-new-look-at-the-budapest-convention-on-cybercrime/?lang=en

[35] https://www.itu.int/en/cop/Documents/gl-child-2009-e.pdf

[36] https://cdn.icmec.org/wp-content/uploads/2020/07/ITU-COP-Guidelines-for-Policymaker-2020.pdf

[37] https://www.iso.org/standard/27001#:~:text=The%20ISO%2FIEC%2027001%20standard%20enables%20organizations%20to%20establish%20an,necessary%20as%20these%20factors%20evolve

[38] https://www.intgovforum.org/en/tags/about#:~:text=The%20Internet%20Governance%20Forum%20(%20IGF,the%20public%20and%20private%20sectors

[39] https://dig.watch/wp-content/uploads/2022/01/IGF2019Report.pdf

[40] https://www.intgovforum.org/en/content/igf-2020-day-6-ws-53-right-to-play-online-gaming-and-child-rights

[41] https://www.csa.gov.sg/Explore/what-we-do

[42] https://www.ncsc.gov.uk/guidance/online-gaming-for-families-and-individuals

[43] https://www.cyber.gov.au/protect-yourself/staying-secure-online/connecting-others-online/security-tips-online-gaming

[44] https://www.nisc.go.jp/eng/index.html#sec1