TT RND

Hacktivism is evolving – and that could be bad news for organizations everywhere

Source: ESET WeLiveSecurity

Written by: Phil Muncaster

Hacktivism is nothing new, but the increasingly fuzzy lines between traditional hacktivism and state-backed operations make it a more potent threat.

Hacktivism surged back into mainstream consciousness with Russia’s invasion of Ukraine in February 2022. Less than two years later, politically-motivated groups and individuals were out in force again, this time ostensibly to make their point amid the Israel-Hamas conflict. Worryingly, hacktivists have been spotted using increasingly sophisticated and aggressive tactics to bring their agendas to public attention.

Perhaps even more disconcerting is the likelihood that many groups are, in fact, either backed by, or even consist of, nation-state actors. Indeed, the lines between state-sponsored cyber operations and traditional hacktivism have become fuzzy. In a world increasingly characterized by geopolitical instability and an erosion of the old rules-based order, organizations, especially those operating in critical infrastructure, should consider building the hacktivist threat into their risk modelling.

 

What’s new in hacktivism?

At its most basic, hacktivism is the act of launching cyberattacks for political or social reasons. As an indication of the seriousness with which it is now viewed, the Red Cross last year issued eight rules for “civilian hackers” operating during wartime, all while noting that hacktivists are increasingly causing disruption to non-military targets such as hospitals, pharmacies and banks.

Predictably, there’s been little sign of hacktivists adhering to the guidelines issued by the Red Cross. Indeed, with attribution still difficult online, the pros of engaging in hacktivist activity still largely outweigh the cons – especially if attacks are secretly backed by nation states.

 

The old and the new

The current Israel-Hamas conflict has drawn unprecedented numbers of activists onto streets around the world. And, in lockstep, it has led to a surge in online activity. Much of this is similar to the tactics we’ve seen in previous hacktivist campaigns, including:

  • DDoS attacks: According to some sources, hacktivist-driven DDoS activity last year peaked in October at “record levels, following the conflict between Israel and Hamas.” This made Israel the country most targeted by hacktivists, with 1,480 DDoS attacks recorded in 2023, including against some big-name organizations.
  • Web defacement: Over 100 hacktivists launched over 500 web defacement attacks on Israeli websites in the week following the October 7 raids, according to Cambridge University researchers. Similar low-level web defacements continue to this day.
  • Stolen data: Some groups claimed to have stolen and published data from Israel and allied organizations. In other words, hacktivists can infiltrate corporate systems to pilfer sensitive information before releasing it publicly to embarrass or harm the target.

However, there are also signs that hacktivism is becoming more targeted and sophisticated:

  • One report suggested hacktivist group AnonGhost exploited an API vulnerability in the “Red Alert” app, which provides real-time missile alerts for Israeli citizens. The group “successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python scripts to send spam messages to some users of the app,” it noted. The group even managed to send fake messages to civilians about a nuclear bomb.
  • Other reports noted that hacktivists had posted screenshots indicating they had access to Israeli water systems’ SCADA devices. The researchers were unable to verify these claims, but suggested that hacktivists may have been conducting reconnaissance operations targeting the sector.

 

When nation states get involved

Hacktivists with more advanced technical know-how and/or access to tools and knowledge on the cybercrime underground may have been behind the latter attacks. However, nation state backing can’t be ruled out. Many countries have geopolitical and ideological reasons to attack other countries and their allies under the camouflage of hacktivism.

In fact, suspected Russia-affiliated groups seem to have a long history of doing so, including under the Anonymous Sudan moniker, which has taken down many targets in the West. The group claimed the attack on The Jerusalem Post and several others targeting industrial control systems (ICS), including the Israeli Global Navigational Satellite Systems, Building Automation and Control Networks and Modbus ICS. Another pro-Russian group, Killnet, claimed to have taken down an Israeli government website and the website of security agency Shin Bet.

While these attacks are notably high profile, there are hints of more insidious state-backed efforts masquerading as hacktivism. Disinformation efforts include the use of AI-generated images purporting to show missile strikes, tanks rolling through ruined neighborhoods, or families combing through rubble for survivors.

The focus here is to generate images that create a strong emotional reaction – such as one of a baby crying amidst bomb wreckage, which went viral late last year. Fake social media and Telegram accounts amplify the disinformation. In one case, X owner Elon Musk apparently promoted a post from a faked account that was viewed 11 million times before deleting it.

Security researchers have observed suspiciously coordinated activity following the Hamas attack – possibly suggesting state involvement. One study claimed at least 30 hacktivist groups immediately pivoted activity to the conflict within 48 hours.

 

How organizations can manage hacktivist risks

In many ways, whether the hacktivist threat comes from genuine groups, those aligned with state interests or covert nation state operatives themselves, the threat remains the same. Such groups are increasingly targeting private sector organizations with the audacity to speak out on politically sensitive issues. In some cases, they may do so simply if there is a perception that the organization is aligned to one side or another, or as a smokescreen for more shadowy nation state goals.

Whatever the rationale, organizations can follow these basic high-level steps to mitigate the hacktivist risk:

  • Ask the right questions: Are we a target? What assets are at risk? What is the extent of our attack surface? Are existing measures enough to mitigate hacktivist risk? This is where a thorough cyber-risk assessment of externally facing infrastructure can help.
  • Plug any gaps revealed by such an assessment, including vulnerabilities or misconfigurations – ideally this should be done in a continuous and automated manner.
  • Ensure assets are protected from threats at an email, endpoint, network and hybrid cloud layer and continuously monitor for threats with XDR/MDR tools.
  • Use threat intelligence to gather, analyze, and act on information about current and emerging threats.
  • Apply robust encryption, both at rest and in transit, to protect sensitive data from being read or modified by unauthorized parties.
  • Enhance identity and access management with zero trust architecture and multi-factor authentication (MFA), and keep an eye out for suspicious data access patterns.
  • Run continuous employee education and awareness training programs.
  • Partner with a trusted third-party for DDoS mitigation.
  • Build and test a comprehensive incident response plan.

Hacktivism is nothing new. But the increasingly blurred lines between ideologically/politically motivated groups and government interests make it a more potent threat. It may be time to rethink your risk management planning.

 

No room for error: Don’t get stung by these common Booking.com scams

Source: ESET WeLiveSecurity

Written by: Christian Ali Bravo

From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation

Booking.com has become one of the main go-to platforms for travelers looking for holiday accommodation deals, but also for services like car rentals and airline tickets. In fact, it is the most visited travel and tourism website worldwide, having processed more than a billion bookings in 2023, double the number recorded in 2016.

Obviously the site’s popularity hasn’t escaped the attention of cybercriminals, who invariably flock to online services with high traffic and exploit them as a lucrative hunting ground for victims.

Booking.com itself has acknowledged the magnitude of the problem and said that it has seen a staggering “500 to 900% increase” in travel scams in the past 18 months – and that this increase is largely driven by cybercriminals’ misuse of tools such as ChatGPT since November 2022.

With vacation season in full swing, let’s review some of the most common scams exploiting Booking.com and what to look out for when using this platform.

 

Phishing

Phishing emails, texts and social media messages are a staple in fraudsters’ arsenals. In these scams, they impersonate a reputable platform or organization to trick the victim into believing they are in contact with the site’s official representative.

Obviously Booking.com isn’t immune to these scams, and fraudsters continue to churn out campaigns where they pose as the platform or representatives of the hotel or another service that the targets have booked via the site.

They often come up with a plausible story where they drum up a sense of urgency and seek to dupe the victim into clicking on a malicious link, under the guise of a new payment that should fix a purported error – or else face the prospect of losing their reservation.

Figure 1. Scam attempt (Source: Reddit)

The easy availability of generative AI tools has opened the floodgates to waves of more convincing and effective scams. By generating phishing emails that are grammatically correct, contextually appropriate, and free of typical red flags that might alert the recipient, they can easily trick people and businesses into downloading info-stealing malware on their devices or into divulging sensitive information or transferring money.

 

Hijacked chats

Some scammers may go a little further than sending out random phishing messages. There have been a number of reports of attackers finding a way to dupe their victims via the platform’s messaging system.

After finding their way into the accounts of the hotels where holiday-makers made their reservations, they have contacted large numbers of people directly via the in-app chat and urged them to make a payment to confirm the booking.

The ruse involved an alleged error with the previous payment, requiring them to pay again and avoid missing out on their holiday. In other variations of this ploy, the fraudsters requested credit card or passenger data to verify or confirm the booking.

While this didn’t occur as a result of a breach of the platform’s backend systems or infrastructure, you’re well advised to look out for any communications that request your personal or payment data.

 

Non-existent accommodation

Many holiday properties appear to be straight out of a fairy tale. Indeed, some of them are, quite literally, unreal. Over the years, many holiday-makers have fallen victim to fake listing scams where cybercriminals advertise a luxury holiday home that can be rented at an irresistible price and instruct people to pay, even via Booking.com. Upon arriving, you’ll find that the accommodation doesn’t exist or the property is not for rent.

In fact, soon enough, the platform’s own systems kick in – the fake listings are discovered and removed. However, your vacation may be ruined by then, so you’re better off doing your diligence before booking.

Look for reviews and ratings for the place, check if the price is roughly similar to those for “competing” houses or apartments, and reverse-search the image to see what comes up – it is likely a free stock image or it was stolen from other websites. The bottom line is, if something looks too good to be true, it usually is.

 

Fake job offers

The text or social media message is straightforward enough: “We need someone to evaluate hotel bookings. We pay between $200 and $1,000. All you need to do is rate or like the hotel on (a fake Booking.com link).” This is how the message offering an irresistible side hustle, supposedly from Booking.com, begins. It’s also a variation on popular work-from-home scams.

Figure 2: Bogus job offer (Source: Reddit)

You’re then asked to pay an advance fee to secure the job and/or to send your personal information like Social Security numbers or other details, which can be used to commit identity theft. In some cases, the scammers may be after your bitcoin or other crypto.

How to stay safe? Booking.com doesn’t hire people to review hotels, and they don’t hire people via unsolicited text messages. Hiring as such takes place through Booking Careers, and there is no job vacancy on the platform requiring people to review hotels.

 

12 tips for avoiding Booking.com and other travel scams

These tips will go a long way towards helping you stay safe while using Booking.com:

  1. Whenever you’re contacted by someone who represents Booking.com or a hotel where you’ve booked your stay, watch out for the typical signs of a phishing email, such as requests for urgent action.
  2. Always verify that emails came from their official domain and be wary of slight misspellings or variations. A number of trusted email addresses are also listed on the site itself.
  3. If you receive any suspicious communication, go directly to the website and log into your account to verify any claims.
  4. Booking.com never asks for information like your full credit card details, social security number, or passwords via email or chat.
  5. Avoid clicking on links in unsolicited emails or messages.
  6. Make payments through the official Booking.com platform. Avoid transferring money directly to the accommodation provider.
  7. Check reviews and ratings of the accommodation on Booking.com and look for reviews that are authentic and detailed. Inspect and cross-check the accommodation details and images on other travel websites or review platforms.
  8. Ensure your devices have up-to-date security software to protect against malware and phishing attempts.
  9. Keep your operating system and other software updated to protect against security vulnerabilities.
  10. Protect your online accounts with strong and unique passwords or passphrases and two-factor authentication.
  11. If you encounter any suspicious activity, report the issue to the platform’s customer service.
  12. If you suspect that your payment information has been compromised, inform your bank or credit card provider immediately.
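
Tip 2 can be applied mechanically to a message's From header. The following Python check is an added example, not code from the original article or from Booking.com. It assumes `booking.com` is the only trusted sender domain and uses an edit-distance threshold chosen for illustration; the sample headers in the test data are constructed.

```python
from email.utils import parseaddr

OFFICIAL = "booking.com"   # assumption: the only trusted sender domain
MAX_TYPO_DISTANCE = 2      # assumption: how close a name must be to count as a near miss


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, official=OFFICIAL):
    """Return (verdict, reason); verdict is official, suspicious, unrelated or invalid."""
    # The display name is chosen freely by the sender, so only the address counts.
    _display, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or "." not in domain:
        return ("invalid", "no usable sender address")
    if domain == official or domain.endswith("." + official):
        return ("official", "exact domain or one of its subdomains")

    labels = domain.split(".")
    # Internationalized names can hide look-alike characters; flag them for review.
    if not domain.isascii() or any(label.startswith("xn--") for label in labels):
        return ("suspicious", "internationalized domain, homoglyphs cannot be ruled out")

    brand = official.split(".")[0]
    if any(brand in label for label in labels):
        return ("suspicious", "brand name used inside a different domain")

    # Compare single labels with the brand and adjacent label pairs with the full domain.
    pairs = [".".join(labels[i:i + 2]) for i in range(len(labels) - 1)]
    candidates = [(label, brand) for label in labels] + [(pair, official) for pair in pairs]
    for candidate, target in candidates:
        if edit_distance(candidate, target) <= MAX_TYPO_DISTANCE:
            return ("suspicious", f"'{candidate}' is a near miss of '{target}'")
    return ("unrelated", "no resemblance to the official domain")


# Constructed sample headers, not taken from real messages.
SAMPLE_HEADERS = [
    '"Booking.com" <noreply@booking.com>',
    "customer.service@mail.booking.com",
    '"Booking.com" <noreply@bookinq.com>',
    "support@booking.com.payment-check.example",
    "info@xn--bookng-xva.com",
    "reservations@seaside-hotel.example",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", classify_sender(header))
```

A `suspicious` verdict is a prompt to follow tip 3 and check the claim from inside your account; an `unrelated` verdict says nothing about whether the sender is honest.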

Bon voyage!

Virtual kidnapping: How to see through this terrifying scam

Source: ESET WeLiveSecurity

Written by: Phil Muncaster

Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims

It’s every parent’s worst nightmare. You get a call from an unknown number and on the other end of the line hear your child crying out for help. Then their ‘kidnapper’ comes on the line demanding a ransom or you will never see your son or daughter again. Unfortunately, this is not an imagined scenario from a Hollywood film.

Instead, it’s a terrifying example of the lengths that scammers can now go to in order to extort money from their victims, co-opting new technology for nefarious purposes. It also shows the quality of AI voice cloning technology that is now convincing enough to trick even close family members. Fortunately, the more people know about these schemes and what to look out for, the less likely phone-based fraudsters are to make any money.

How virtual kidnapping works

There are several key stages to a typical virtual kidnapping scam. Broadly speaking they are as follows:

  1. The scammers research potential victims they can call up and try to extort money from. This stage could also be optimized with the use of AI tools (more of this later).
  2. The scammers identify a ‘kidnapping’ victim – most likely the child of the person they identified in stage 1. They could do this by trawling through their social media or other publicly facing information.
  3. The group then creates an imagined scenario, being sure to make it as harrowing as possible for the person they’re about to call. The more scared you are, the less likely you’ll be to make rational decisions. Like any good social engineering attempt, the scammers want to rush the victim’s decision making for this reason.
  4. The fraudsters might then perform some more open source research to calculate when the best time to call would be. They may scour social media or other sources to work this out. The idea is to contact you at a time when your loved one is elsewhere, ideally on holiday, like the daughter of Jennifer DeStefano.
  5. Now it’s time to create the audio deepfakes and put in the call. Using readily available software, the scammers will create audio with the victim’s ‘voice’ and use it to try and convince you that they have kidnapped a relative. They may use other information gleaned from social media to make the scam sound more convincing, for example by mentioning details about the ‘kidnappee’ that a stranger might not know.
  6. If you fall for the scam, you will most likely be asked to pay in a non-traceable way, like cryptocurrency.

Supercharging virtual kidnapping

There are variations on this theme. Most concerning is the potential for ChatGPT and other AI tools to supercharge virtual kidnapping by making it easier for fraudsters to find the ideal victims. Advertisers and marketers have for years been using “propensity modelling” techniques to get the right messages to the right people at the right time.

Generative AI (GenAI) could help scammers to do the same, by searching for those individuals most likely to pay up if exposed to a virtual kidnapping scam. They could also search for people within a specific geographical area, with public social media profiles and of a specific socio-economic background.

A second option would be to use a SIM swapping attack on the ‘kidnappee’ to hijack their phone number ahead of the scam. This would add an unnerving legitimacy to the kidnapping phone call. Whereas DeStefano was eventually able to ascertain that her daughter was safe and well, and therefore hang up on her extortionists, this would be much harder to do if the victim’s relative is uncontactable.

What the future holds for voice cloning

Unfortunately, voice cloning technology is already worryingly convincing, as our recent experiment also proves. And it is increasingly accessible to scammers. An intelligence report from May warned of legitimate text-to-speech tools which could be abused, and a growing interest on the cybercrime underground in voice cloning-as-a-service (VCaaS). If the latter takes off it could democratize the ability to launch such attacks across the cybercrime economy, especially if used in combination with GenAI tools.

In fact, beside disinformation, deepfake technology is also being used for business email compromise (as tested by our own Jake Moore) and sextortion. We are only at the start of a long journey.

How to stay safe

The good news is that a little knowledge can go a long way to defusing the threat of deepfakes in general and virtual kidnapping in particular. There are things you can do today to minimize the chances of being selected as a victim and of falling for a scam call if one does occur.

Consider these high-level tips:

  • Don’t overshare personal information on social media. This is absolutely critical. Avoid posting details such as addresses and phone numbers. If possible, don’t even share photos or video/audio recordings of your family, and certainly not details of loved ones’ holiday plans.
  • Keep your social media profiles private in order to minimize the chances of threat actors finding you online.
  • Be on the lookout for phishing messages that could be designed to trick you into handing over sensitive personal information, or logins to social media accounts.
  • Get children and close family to download geolocation trackers such as Find My iPhone.
  • If you receive a call, keep the ‘kidnappers’ talking. At the same time try to call the alleged kidnappee from another line, or get someone close by to.
  • Stay calm, don’t share any personal info, and if possible get them to answer a question only the kidnappee would know and request to speak to them.
  • Notify the local police as soon as possible.

Virtual kidnapping is just the start. But stay up to date with the latest scams and you stand a good chance of nipping attacks in the bud before they cause serious emotional distress.

Better safe than sorry: 10 tips to build an effective business backup strategy

Source: welivesecurity by ESET

Author: Phil Muncaster

How backup best practices can help drive resilience and improve cyber-hygiene in your company

Could your company survive if its most critical data stores were suddenly encrypted or wiped out by cybercriminals? This is the worst-case scenario many organizations have been plunged into as a result of ransomware. But there are also many other scenarios that could create serious business risk for companies.

To mark Cybersecurity Awareness Month (CSAM), we looked at how both individuals and companies that fail to prepare are preparing to fail. Today, we’ll dive a little deeper into one particular aspect of how companies can help drive resilience and improve cyber-hygiene.

Having a backed-up copy of that data ready to restore is a safety net that many fail to consider until it’s too late. And even those with backups may manage them in a way that continues to expose the organization to risk. Indeed, backups can be a target too.

Why do you need backups?

Ransomware has perhaps done more for awareness about data backups than any other cyberthreat. The prospect of malware designed to encrypt all corporate data – including connected backups – has driven companies to invest in mitigations en masse. And it appears to be working. According to one estimate, the share of victims who pay their extorters dropped from 85% in Q1 2019 to just 35% in Q4 2022. Given that ransomware remains disproportionally a problem for SMBs, the threat from external hackers remains a major driver for backups.

However, it’s not the only one. Consider the following risks, which backups can help to mitigate:

  • Destructive data extortion attacks, partly driven by the cybercrime-as-a-service ecosystem, in which data is exfiltrated and drives are encrypted before a ransom is demanded. ESET’s Threat Report for September to December 2022 found the use of increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victim’s data with no intention of providing the decryption key.
  • Accidental data deletion by employees is still a challenge, especially when sensitive data is saved to personal devices which don’t back it up. These devices could also be lost or stolen.
  • Physical threats: floods, fires and other natural disasters can knock out offices and data centers, making it doubly important to store a separate copy of sensitive data in another geographical location.
  • Compliance and auditing requirements are becoming ever more onerous. Failure to produce the information required of your business could lead to fines and other punitive action.

It’s difficult to put a price on it, but failing to back up in line with best practices could be a costly mistake. The average ransomware payment in Q4 2022 was over $400,000. But there are many other direct and indirect costs to consider, both financial and reputational.

How do I get there?

Best-practice backup strategy doesn’t need to be a black box. Consider the following 10 ways to achieve success:

  1. Develop a strategy
    It sounds obvious, but it pays to plan carefully to ensure any backup strategy meets the requirements of the organization. Consider this as part of your disaster recovery/business continuity planning. You’ll need to consider things like the risk and impact of data loss events, and objectives for data restoration.
  2. Identify the data you need to back up
    Data discovery and classification are a vital first step in the process. You can’t back up what you can’t see. Not all data may be deemed business critical enough to warrant backing up. It should be classified according to the potential impact on the business if made unavailable, which in turn will be informed by your corporate risk appetite.
  3. Follow the 3-2-1 rule
    This posits that you make three copies of the data, on two different media, with one copy stored offsite and offline. The last bit is particularly important, as ransomware often hunts out backed-up data and encrypts that too, if it is on the same network.
  4. Encrypt and protect your backups
    Given that threat actors also seek out backed-up copies of data for extortion, it pays to keep them encrypted, so they can’t monetize the data stored within. This will add an extra layer of defence beyond the 3-2-1 mechanism (at least 3 copies, 2 different storage types, 1 copy offsite) if you use it.
  5. Don’t forget cloud (SaaS) data
    A great deal of corporate data now resides in software-as-a-service (SaaS) applications. That can provide a false sense of security that it is safe and sound. In reality, it pays to add an extra layer of protection by backing this up too.
  6. Test your backups regularly
    It’s pointless having a backed-up copy of your company data if it won’t restore properly when called upon. This is why you should test them regularly to ensure the data is being backed up correctly and can be retrieved as intended.
  7. Run backups at regular intervals
    Equally, a backup is of limited use if it restores to a point in time too long ago. Exactly how regularly you should run backups will depend on the type of business you have. A busy online store will require almost continuous backing up, but a small legal practice can get away with something less frequent. Either way, consistency is key.
  8. Choose your technology partner carefully
    No two businesses are the same. But there are certain features which are useful to look out for. Compatibility with existing systems, ease of use, flexible scheduling and predictable costs all rank highly. Depending on the size and growth trajectory of your business, scalability may also be important.
  9. Don’t forget the endpoint
    Backing up network drives and cloud stores is one thing. But don’t forget the wealth of data that may reside on user devices like laptops and smartphones. All should be included in a corporate backup policy/strategy.
  10. Look beyond backups
    Don’t forget, backups are only one piece of the puzzle. You should be complementing them with security tools at the endpoint, network and server/cloud layer, extended detection and response tooling, and more. Also follow other cyber-hygiene best practices like continuous patching, password management and incident response.
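
Steps 3, 4, 6 and 7 above can be checked automatically against an inventory of where each copy of the data lives. The following Python audit is an added example, not from the original article or from any ESET tool. The inventory fields, the 24-hour backup interval and the 90-day restore-test interval are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Copy:
    """One copy of the data set (hypothetical inventory record)."""
    name: str
    media: str                      # e.g. "disk", "tape", "cloud-object"
    offsite: bool                   # stored at another geographical location
    offline: bool                   # assumption: not reachable from the production network
    is_backup: bool = True          # False for the live production copy
    encrypted: bool = False
    last_backup: Optional[datetime] = None
    last_restore_test: Optional[datetime] = None


def audit(copies, now, max_age=timedelta(hours=24), max_test_age=timedelta(days=90)):
    """Return a list of (code, detail) findings; an empty list means all checks pass."""
    findings = []
    # Step 3: three copies, two media, one backup copy offsite and offline.
    if len(copies) < 3:
        findings.append(("COPIES", f"{len(copies)} copies found, 3 required"))
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(("MEDIA", f"only {sorted(media)} in use, 2 media types required"))
    if not any(c.is_backup and c.offsite and c.offline for c in copies):
        findings.append(("OFFSITE_OFFLINE", "no backup copy is both offsite and offline"))
    for c in copies:
        if not c.is_backup:
            continue
        # Step 4: backups are encrypted.
        if not c.encrypted:
            findings.append(("UNENCRYPTED", c.name))
        # Step 7: backups run at the agreed interval.
        if c.last_backup is None or now - c.last_backup > max_age:
            findings.append(("STALE", c.name))
        # Step 6: a restore has been tested recently.
        if c.last_restore_test is None or now - c.last_restore_test > max_test_age:
            findings.append(("UNTESTED", c.name))
    return findings


# Constructed sample data.
NOW = datetime(2024, 6, 1, 12, 0)
PRIMARY = Copy("file-server", "disk", offsite=False, offline=False, is_backup=False)
NAS = Copy("nas-nightly", "disk", offsite=False, offline=False, encrypted=True,
           last_backup=NOW - timedelta(hours=8),
           last_restore_test=NOW - timedelta(days=20))
CLOUD = Copy("cloud-weekly", "cloud-object", offsite=True, offline=False, encrypted=False,
             last_backup=NOW - timedelta(days=9), last_restore_test=None)
TAPE = Copy("tape-vault", "tape", offsite=True, offline=True, encrypted=True,
            last_backup=NOW - timedelta(hours=20),
            last_restore_test=NOW - timedelta(days=30))

SAMPLE_INVENTORY = [PRIMARY, NAS, CLOUD]   # offsite copy is online, unencrypted, stale, untested
FIXED_INVENTORY = [PRIMARY, NAS, TAPE]     # satisfies every check

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_INVENTORY, NOW):
        print(code, detail)
```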

Data is your most important asset. Don’t wait until it’s too late to formulate a corporate backup strategy.

 

Time is Money, and Online Game Scammers have lots of it

Source: ESET WeLiveSecurity

Written by: Márk Szabó

*Gamers and cybersecurity professionals have something in common – the ever-terrible presence of hacking, scams, and data theft – but how and why would anyone want to target gamers?*

One of the more worrying trends of the past few years within the gaming sphere has been the introduction of microtransactions, which ask you to provide your money in case you want to fast-track an in-game event or buy better equipment, or additional skins for your character, for example. Nowadays, this can ring true both for multiplayer and single-player games; hence there are many more opportunities for malicious actors to take advantage of you.

The ubiquity of scams within online gaming enables a degree of interaction between players through in-game chat or voice services. Most often, these places represent the first contact points between scammers and their victims, which can impact not only adults but also kids due to the nature of these games.

 

Fishing for money

Cybercriminals exploit online games as a means of earning income, either by stealing and selling user data or by tricking them into giving up their bank account information. With that, ransomware, viruses, and trojans are also used to target players and try to siphon money from them.

The most significant opportunity in this regard is virtual currencies, skins, weapons, and similar, as many game developers sell these for various amounts of money, with some skins costing hundreds of dollars or more due to their rarity.

A scammer can easily create an account for an online game and then use stolen credit card details to purchase said things, and once the account is fully stocked, it can be sold off for tidy sums. Some accounts can sell for thousands, exchanging virtual objects for real-world currency.

 

Sanctuary under attack

Of course, online games do employ various levels of protection to secure the users’ accounts; however, account hijacks still happen, as the data within these accounts can have tremendous value, either because of the player’s accumulated in-game wealth or the various licenses they might own on online game stores, as well as their personally identifiable information, like phone numbers, address, emails, and financial information.

All it takes is one weak password, and your account might fall out of your hands entirely, especially when people tend to still use the same weak passwords as always, instead of opting for stronger ones or, even better, using a secure password manager.

An added problem also is that many game services lack additional authentication methods, or the provider could suffer a data breach exposing passwords. In a way, it is like the various wars between the Horde and the Alliance in Warcraft; one gains, the other loses, but the end results could also become permanent.

 

Friendly fraud

One of the perhaps lesser-known scams within the online world is Friendly Fraud. Despite that, it is monumental, as just in the United States, eCommerce merchants report as much as $11.8 billion in losses. This has become an increasing issue due to microtransactions. How it happens is that a child could overcharge their parents’ credit cards by making in-app purchases to get some special skin/in-game currency, for example. A parent might not know about this and dispute the charges on their bank account with their bank or the game company.

While maybe unintended, these disputes can still overwhelm the bank and gaming company or make the parents look like scammers. Why? Well, intentional Friendly Fraud also exists, in which case gamers, or people pretending to be gamers, purchase a game/currency and then dispute the charges on their credit card bill to receive a refund. It’s like buying a shirt, wearing it for a day or two, and then returning it to the store to get your money back.

 

Summoner’s fault (mostly)

Apart from the previously mentioned tricks, malicious actors also like to extract credentials through fake promotional material, like free exclusive items and game-time promotions on social media, leading you to a fake login website to extract your personal information and maybe even provide you with malware for free! How exciting, right?

Even in-game trade can be dangerous, as the transactions can happen outside the game’s limits through PayPal, for example, after which the fraudster disputes the payments, leaving you without the desired item and a monetary loss. Notice how many of these scams rely on user error, which is just the reality, as human error is still the leading cybersecurity issue.

 

What can a gamer do to protect themselves?

Thankfully, there are certain security tips a gamer can utilize to protect their precious accounts and game-time from malicious actors. Here are a few:

  • Use a strong password – This advice sadly needs to be repeated. Try to stay away from simple word + number combinations and mix it up with special characters, capital letters, or try passphrases, which are a more complex and yet more memorable alternative.
  • Use multi-factor authentication – An additional authentication method, best done by using a one-time code generating app like Microsoft Authenticator or Authy, is a must when properly securing any account.
  • Try to purchase game content in-house – Try to make your purchases inside the game’s own store, or through an official reseller, not providing your financial details to scammers.
  • Don’t fall for giveaways – Some games can have free giveaways of in-game content, but there can be cases when those asking for your account details are fraudulent – always verify whether the giveaway is done by an officially approved source.
  • Never provide account info to others – This advice is often repeated in World of Warcraft especially – a game admin or developer would never ask for your credit card number or bank details, especially not inside an online game.

And in case your account got hacked for one reason or another, on Steam, for example, there are ways you can deal with it to reach a successful recovery. This does not mean that gamers should not stay vigilant, as the lucrative world of gaming will always be under the threat of shady moneymakers and hackers. Stay safe and watch out for any dangers lurking in the shadows.