Over the last few months, there has been a recent wave of attacks on the maker of Call of Duty. It was reported that in early December, game maker Activision was hacked in a smishing attack. The company confirmed the December 2nd hack in February after research group vx-underground broke the news on Twitter.
According to reports, the attackers sent a malicious SMS message to several Activision employees, mimicking a two-factor authentication message. Although not all employees clicked on the link, one privileged user did, giving the threat actors access to internal documents, employee information, and unreleased game content. Insider Gaming reported that the schedule for four seasons of Call of Duty was leaked, as well as other upcoming content.
The malicious actors continued their attack on Activision’s internal Slack, using the employee’s internal account to phish other employees, finally revealing themselves by dropping a vulgar message on Slack.
According to Gizmodo, Activision didn’t disclose the breach to employees, despite employee information being exposed.
Concerns of Malicious Actors “Infesting” Black Ops Game
As news of the Activision hack spreads, the gaming community is also raising serious concerns about the company’s eight-year-old first person shooter in Black Ops III.
Gamers and streamers have reported vulnerabilities in the game that allow threat actors to remotely control other players’ computers, as long as they are in the same online match, reports TechCrunch. Streamers have declared the game to be “taken over” by malicious hackers, who they claim have a tool that reveals players’ IP addresses. Although the company told TechCrunch that they are continuing to support Black Ops III, gamers are starting to build their own patches to fix vulnerabilities in the game.
“The game has become infested with hackers. There are tons of security vulnerabilities which have a severe impact,” Maurice Heumann, the developer who is developing a fix for the game on his own, told TechCrunch. “You can get hacked just by playing the game. Your data can be stolen and so much more.”
Lessons Learned From Activision Attacks
It only takes one employee to click a malicious link: Education about phishing will unfortunately only get you so far when it comes to avoiding an attack. Most of the Activision staffers appeared to have spotted the scam and avoided it. That didn’t matter: the scammer only had to trick one person into clicking, and then they could use that person’s account to phish others.
Gamers’ PII and in-game assets are being stolen: Unpatched games are dangerous for players, who are unknowingly being targeted by the people they are playing against. These vulnerabilities could expose the personal identifiable information (PII) of adults and minors as well as their IP address, revealing a gamer’s location.
Bad actors are relentless when it comes to code compromise: The malicious actors in Black Ops III appear to be stealing source code and modifying it so they can cheat, steal, and, most worryingly, take over the devices of legitimate players.
How Zimperium Can Help
Billions of gamers are drawn to mobile gaming, and they’re responsible for half of all video game spending. In 2022, gamers spent $92.2 billion on mobile games alone. With so much money being spent on gaming, it’s no surprise that criminals are taking aim at companies like Activision.
Code tampering is a big part of this. Hackers steal code to cheat, bypass in-game purchases, and steal from other players. Protecting your code is a critical part of any defense strategy. Zimperium’s Mobile Application Protection Suite (MAPS) enables game developers to obfuscate code obfuscation and keep malicious actors from tampering with their games. By protecting code, you can reserve fair play and protect legitimate users’ private data.
On the other hand, securing mobile endpoints is essential to prevent SMS phishing disguised as two-factor authentication. Zimperium zIPS is an advanced mobile threat defense solution built to protect enterprises and employees by providing persistent, on-device protection for Android, iOS, and ChromeOS devices. Zimperium leverages a combination of machine learning and state-of-the-art technology to detect known and unknown phishing threats, including device, app, and network attacks. By securing an employee’s mobile device, phishing and mobile attacks can prevent access to corporate data before it becomes a bigger threat.
For more information on how to protect your gaming applications and enterprise from attackers, contact us today.