TORONTO — As next-generation gaming consoles go online, some of the same problems that have faced consumer and enterprise IT networks are surfacing.
At a session during the SecTor security conference, Chris Boyd, director of research at Facetime security labs, detailed the myriad methods by which gamers — and in particular, Microsoft (NASDAQ: MSFT) Xbox 360 users — are under attack by cyber criminals.
“Though the Xbox doesn’t have the number one market share, it is the top target for hackers,” Boyd said. “Xbox Live has 17 million plus subscribers and that service requires payment.”
Xbox Live provides a number of online products and services to gamers. According to Boyd, Xbox Live gamer accounts are now an established commodity on the black market.
One way that attackers enumerate their targets is by way of information that is easily publicly accessible. Xbox users gain points during gameplay, which leads to a gamerscore metric. The higher the gamerscore, the more valuable the gamer account. Boyd noted there is no easy way to keep a gamerscore private.
“If you go into the Xbox privacy settings, you can’t block the gamerscore,” Boyd said. “All you can do is hide your list of most recently played games.”
Boyd added that sites like Mygamercard.net promote users’ gamerscores, in effect painting a big target for attackers.
Once the attackers have identified their target, there are multiple methods they use to try to gain control of a user’s account. One method that Boyd described is social engineering, a tactic that has plagued regular consumer and enterprise users for years.
In one scenario, Boyd noted that the attackers actually call Microsoft support claiming to be the Xbox Live account holder and then use the publicly available information to support the claim.
Another attack scenario comes by way of phishing messages sent through the Xbox messaging service itself. The messages claim to be from Microsoft and offer users a reward of some kind if they enter their username and password.
Phishing messages to users’ Windows Live or e-mail accounts are also a common tactic that plenty of users fall for, according to Boyd. In some cases, those messages lead to phishing Web pages with submission forms that include a username and password. The Web pages also tend to offer some kind of point reward or bonus to users who submit the form.
There are also numerous attacks that amount to a Denial of Service (DoS) against Xbox users. One such attack is a flood of repeated friend requests over Xbox Live. Boyd noted that users can set their status to ‘away’ in order to block the requests, but it doesn’t always work.
According to Boyd, the friend request DoS has been minimized in recent months as a result of Microsoft actions. Microsoft has now limited the number of friend requests a user can send, so there is now a time delay that mitigates the DoS risk.
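The mitigation described above, a cap on how many friend requests one account can send, is essentially a per-sender rate limiter. The following is an added illustration written for this article; it is not Microsoft's code and was not shown in the talk. The limit (five requests per 60-second window), the gamertags and the sample traffic are assumptions constructed for the demonstration.

```python
"""Added example: a per-sender sliding-window rate limiter for friend requests.

Illustrative code written for this article, not Microsoft's Xbox Live
implementation. The limit, window length and gamertags are assumed.
"""
from collections import defaultdict, deque

MAX_REQUESTS = 5       # assumed limit per sender per window
WINDOW_SECONDS = 60.0  # assumed window length


class FriendRequestLimiter:
    """Sliding-window limiter keyed on the sending gamertag."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        # sender -> timestamps of requests that were accepted
        self._sent = defaultdict(deque)

    def allow(self, sender, now):
        """Return True if the request is accepted, False if rate limited."""
        q = self._sent[sender]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def retry_after(self, sender, now):
        """Seconds until this sender may send again (0.0 if allowed now)."""
        q = self._sent[sender]
        if len(q) < self.max_requests:
            return 0.0
        return max(0.0, self.window - (now - q[0]))


def simulate(requests, limiter=None):
    """Feed (timestamp, sender, target) tuples through the limiter.

    Returns the requests that reached the target and a count of how many
    were throttled before delivery.
    """
    limiter = limiter or FriendRequestLimiter()
    delivered, throttled = [], 0
    for ts, sender, target in requests:
        if limiter.allow(sender, ts):
            delivered.append((ts, sender, target))
        else:
            throttled += 1
    return {"delivered": delivered, "throttled": throttled}


# Constructed sample traffic (not real data): one sender flooding a target
# with 20 friend requests within ten seconds, plus one normal sender.
FLOOD = [(i * 0.5, "Spammer123", "Victim456") for i in range(20)]
NORMAL = [(3.0, "FriendlyGamer", "Victim456")]
SAMPLE = sorted(FLOOD + NORMAL)

if __name__ == "__main__":
    result = simulate(SAMPLE)
    print(f"delivered={len(result['delivered'])} throttled={result['throttled']}")
    lim = FriendRequestLimiter()
    for ts, sender, target in FLOOD[:6]:
        lim.allow(sender, ts)
    print("spammer must wait", lim.retry_after("Spammer123", 2.5), "seconds")
```

The limiter is keyed on the sender, so the flooding account is throttled after its fifth request while the legitimate sender's single request is delivered unaffected; once the oldest accepted request ages out of the window, the sender can send again, which is the "time delay" the article refers to.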
Other traditional network-based attacks are also finding a home on the Xbox. Using a botnet, attackers direct traffic at particular gamers in order to induce network lag, which degrades gameplay.
“It’s not malicious, but it is annoying,” Boyd said.
Boyd said that for many of the network-based attacks, there is little that Microsoft can do, as much of the traffic is peer-to-peer (p2p) between users.
There are, however, a few things Boyd said users can do to protect themselves.
One solution to help mitigate risk is to remove credit card information from the Xbox Live profile information. Boyd said that without that information, the account is not as valuable to attackers.
“It used to take time to try and get a credit card off a profile, but now Microsoft has an option,” Boyd said. “That is so long as you don’t have an automatic Xbox Live subscription renewal.”
Boyd also suggested that Xbox Live users put fake information into their profiles to further reduce risk.
“You don’t need to put in real information,” Boyd said. “Your account will work, you can buy things with the pre-paid card and you don’t need to expose yourself.”