Patrick Garratt is a 15-year veteran of the gaming industry, having been behind the launches of major news sites such as Eurogamer and VG247.
A published horror fiction writer, he says the spate of attacks against
gaming sites and gamers this year
is inevitable – because in the world of downloads, not discs, even a
veteran like himself can be tempted by a cleverly crafted scam.
I love zombie survival shooter Left 4 Dead 2, but my three kids and
job keep me away from its cutting edge. I’m too busy being a parent to
to read about its latest add-ons or downloadable maps, but, late last
year, I thought I’d Google some for fun. “L4D2 Super Pack maps +
Installer,” I read on a fan forum. I moused over the link to the 8Gb
torrent as I scanned the comments below. It was a Trojan, a bad one.
Obviously. And, despite the fact I’ve worked in the games industry for
some 15 years, I nearly hit it.
After using PC games professionally since 1998, I understand why I’m a
major malware target. I know this, but it doesn’t make me harder to
fool.
It’s no surprise infectors target core PC gamers, those who play
massively multiplayer online games (MMOs) or competitive shooters. This
insatiable group not only consumes video game content as rapaciously as
Oliver Twist devours gruel, but is so passionate about downloading new
bits, add-ons, cheats and so on that it can be easily fooled. People
will risk lifetime bans from their favourite game just to be able to
catch fish 10% faster (true story, World of Warcraft). If I were a
Trojan coder, looking for a gullible set of addicted computer
enthusiasts – PC gamers would be target numero uno, no doubt about it.
PC gaming, in case you’ve never dabbled, isn’t the same as
installing, say, Angry Birds on iPad, and waiting patiently for updates.
You can tweak. You can fiddle. You can rewrite the things, if you
fancy. Home-made ‘mods’ have been part of gaming for decades – spawning
some of its biggest hits, as homebrew titles such as DOTA (a ‘mod’ for
Warcraft 3, made by a fan, not a game studio) which became a global hit,
made by a fan. Shooter Counter-Strike had roughly the same origins.
Worse trouble arose, though, when companies decided to plug into all this free, open-source creativity.
The problem isn’t gamers themselves, or the companies scraping a
living from them – it’s the whole culture around PCs. It’s a mark of PC
gaming manhood to build your rig yourself, fix it yourself, and frankly,
if you don’t own a soldering iron and watchmaker’s tools, you’re no
real gamer. PC gaming is the opposite of the smooth, “no user
serviceable parts inside” experience of, say, a Mac, or an iPad – PC
gamers are the under-the-bonnet-tinkerers of the computing world,
tweaking performance endlessly, monitoring graphs and mutilating
motherboards – not to mention switching off their AV software to squeeze
that last ounce out of the processor (an ESET survey found a third of
gamers do just that, every time).
Installing potentially hooky add-on software is totally normal – in
World of Warcraft, for example, you can be kicked from groups of
‘adventuring friends’ without a word of warning for failing to run
semi-legitimate add-ons such as Recount.
For Blizzard, when it launched World of Warcraft in 2004, the add-on
market was something they actively encouraged, unlike rivals – and
arguably one of the reasons for the game’s meteoric rise is the fact you
can add anything from a ‘spy’ add-on that tells you how tough other
players are to a sat-nav style arrow telling you where to go.. Any idea
Blizzard REALLY likes tended to crop up in the next game update. A win
all round, except, when infection spreads.
Naturally, this week, cybercriminals targeted this very system,
creating an entire fake website for Curse, the main add-on store, which
actually worked, and was artificially boosted up Google searches using
darkside search-engine tricks – but every add-on on offer was poisoned,
with data-stealing malware built to bypass Blizzard’s two-factor
security app. Full marks for effort, at least, on the part of the
criminals – although Blizzard claim the system works “99% of the time”.
Full marks for effort, at least. In other games, black market add-ons
are used routinely. If it gives you an edge, thousands will pile in.
Including people who really should know better. Like me.
Other game companies, though, are guilty of exposing customers to
attack for less salubrious reasons – take Ubisoft’s Uplay, a ‘security’
system which offered little except low-rent bonuses such as PC
Wallpapers, in exchange for ensuring gamers couldn’t copy – or easily
sell – their games. Gamers were ‘forced’ to sign up to use the games –
even on console. The Uplay system requires users to log in with an
email or password, and offers digital extras, but also works as a
Digital Rights Management system (DRM) to prevent copying. When your
data is put at risk just to ensure profits stay high, that can cause
serious nerd rage. Naturally, Ubisoft, like Sony before them, got
hacked. Passwords leaked. Gamers raged.
One gamer on Ubisoft’s official forums said, “For future reference, I
will never buy nor play another Uplay enabled Ubisoft game on Xbox that
requires me to make another account on here. You had one job, keep my
account information safe!”
A recent Grand Theft Auto V scam
highlights just how susceptible PC gamers are to malware if the
criminals dangle the right carrot. Despite the fact Rockstar, the game’s
publisher, has never mentioned the reality of a PC version, thousands
of gamers torrented an 18Gb file claiming to be just that. The zip,
obviously, wasn’t a game – it was Theft, yes, but only from the users
themselves.
Logic doesn’t always apply in the world of PC gaming downloads.
Heavily involved gamers are prepared to take serious risks, not only to
play games that don’t exist, but also to grind a dishonest edge in
competition. Endless cheat hacks exist for titles such as leading MMO
World of Warcraft (WoW) and first-person shooter Counter-Strike, but a
huge number of them carry malware.
Sony’s PlayStation Network, famously, fell victim to legendarily vast
attack in which credit card details, email addresses and more were
accessed. Whereas even only a few years previously this would have had
no affect on personal PC security, online gaming services are now
multi-platform, spanning console, PC and mobile: get hacked on your
PlayStation and you could get hacked everywhere.
PC gamers are some of the most passionate, gullible digital consumers
in the world. I know because I’m one of them. I’ve hacked my WoW UI to
add maps and trackers, and I’ve installed mods to drag the older games I
love up to scratch graphically. I was relatively sure of the unverified
software being safe, but just because a guy on a forum says it’s clean
doesn’t necessarily make it so. The truth is I didn’t really care. I
wanted to do it because I’m a hardcore hobbyist and I love computer
games. As long as people like us exist, there will always be a Trojan
aimed at our hard drives.