Gamers beware: hackers offering free virtual trinkets don’t care about your passwords or personal data, but your employer’s most closely guarded secrets.
An employee at a Japanese high-tech company learned this the hard way, duped by a fake giveaway for 300 magic stones for the smartphone game Puzzle & Dragons. “Congratulations,” began the email promoting free in-game currency for the first 100 lucky takers: “Click here!” That initiated a drive-by download that surreptitiously installed remote access software.
Cyber criminals are stepping up these kind of schemes to break into corporate networks in Japan, according to FireEye Inc., a security software provider. While exact figures aren’t available, hundreds of businesses are compromised each month and the numbers are rising, the Milpitas, California-based company said. Although such spear phishing attacks aren’t new, hackers are discovering that mimicking game-industry promotions can be very effective. Case in point: Puzzle & Dragons has been downloaded more than 45 million times.
“What makes Japan unique is that the gaming community spans demographics and age groups,” said Wias Issa, senior director at FireEye, who was in charge of operations in the country until April. “You’re not going to get the same ‘kill rate’ in other countries.”
To understand why targeting gamers is such a enticing vector of attack, look no further than the closing ceremony of the Rio de Janeiro Olympic Games, when Prime Minister Shinzo Abe donned a Super Mario outfit to promote Japan’s hosting of the 2020 games. The national agency in charge of cyber security chose as its mascot a character from Sword Art Online, a popular anime set in a virtual-reality game.
GungHo Online Entertainment Inc., the maker of Puzzle & Dragons, Colopl Inc. and other Japanese game makers have also become very good at making money from free-to-play smartphone titles. Japanese spend on average $30 a month on smartphone games, more than double their counterparts in the U.S. and triple the U.K., according to market researcher App Annie. The most profitable title of 2016 worldwide wasn’t Pokemon Go or Clash of Clans, but Monster Strike, a popular Japanese game.
“These attackers will follow an economic trail, because they know the gaming companies have identified specific patterns of user behavior,” Issa said. “They’ll take their time doing homework about what games are popular and what types of promotions are going on right now.”
Japanese publishers combine psychology, art and big data to get players to return as often as possible and eventually pay for digital extras like weapons or skills. GungHo constantly plies its users with promotions, offering new levels and playable monster characters. It also conditions players to respond to time pressure, with some events lasting just a few hours.
“The game’s large user base may be the reason why it attracts scams” and GungHo has an internal team to deal with particularly egregious cases, said Haruka Sudo, a spokeswoman
for the Tokyo-based company. GungHo never gives away its virtual trinkets for free, she said.
While the magic-stone breach came from an unclassified threat group, many can be traced to state-based actors in China and North Korea, according to FireEye. They target specific enterprises in energy, chemical engineering and construction, the security firm said.
Japan enacted the Basic Act on Cybersecurity in November 2014 and established the National Center for Incident Readiness and Strategy for Cybersecurity the following year, but still doesn’t have laws requiring companies to disclose breaches unless they involve loss of personal data.
“Japan is just beginning to put this important infrastructure in place, so it’s not yet ready for cyber attacks,” said Daisuke Tatsuno, a partner covering intellectual property and information technology matters at Baker & McKenzie’s Tokyo office. “Private companies have a general awareness that such attacks are possible, but few are taking concrete steps to prepare.”