Since February, a number of ne’er-do-well Apex Legends and Counter-Strike: Global Offensive players hoping to download cheats have in fact been infecting their computers with credential-stealing malware, security firm Sophos discovered.
First-person shooter fans hoping to get an edge over their opponents had their personal and financial information siphoned off and sold for months, according to a Sophos report published last week. The malware, named Baldr by its creator, efficiently extracted sensitive data from infected users: credit card information; login credentials for shopping services like Amazon and Paypal; credentials for Battle.net, Steam and Epic Game; or identity information. Its job, Sophos says, was “scrape and steal any credentials, cookies, or cached data of resellable value in a matter of seconds.” Baldr was buried inside of a bunch of cheats with names like “CSGO Aimbot+Wallhack” and “Apex Legends New Cheat 0.2.1,” the security firm researcher said.
Once they had acquired the data, Baldr operators could sell it on darkweb marketplaces. “What caught our eye was Baldr’s ability to quickly steal identities and seamlessly exfiltrate victims’ credentials. Baldr was incredibly effective at bursting in, grabbing everything and rushing out again,” said Sophos threat researcher Albert Zsigovits over e-mail.
Zsigovits says he’s been tracking 500 to 600 instances of the malware internationally, with the majority of cases located in Indonesia, Brazil, Russia and the United States. Advertisements for the malware-infected cheating software appeared primarily on YouTube in video descriptions advertising the cheats. Its proponents also advertised it in Twitch chats and on Discord servers.
The malware’s popularity peaked around May. But although it’s not getting sold as much on dark web forums, Zsigovits said, it “continues to wreak havoc. The cybercriminals who bought Baldr before it disappeared can still use the malware, and they are.”
Thompson ran the Twitter account “DerpTrolling”, and his case actually revolved around Daybreak Games, formerly Sony Online Entertainment, who he must pay the $95,000 to after it was determined that’s how much revenue the company lost between December 2013 and January 2014 during his attacks.
He got off relatively lightly; the maximum sentence he could have faced is a $250,000 fine and ten years in prison.
Game development hobbyist and self-described Xbox fan Voxel9 recently shared a YouTube video in which he boots up the XQEMU Xbox emulator on a Switch and manages to load and play some games, including the first Halo.
The video begins with the code for the emulator being compiled, followed by the intro animation for Microsoft’s 2001 debut console and a quick tour of the home menu. From there he locates Halo: Combat Evolved on the harddrive, creates a new save file, and starts up the game, getting through the beginning cinematic and briefly walking around the Pillar of Autumn spaceship. The emulation is far from smooth and the frame rate is low, but it doesn’t crash.
Voxel9 also shows off 2002’s JSRF: Jet Set Radio Future running on the Switch this way. It was a console exclusive and has never been ported. Even the Xbox One backwards compatibility program doesn’t include it. While the image looks crisps, it runs so slowly Voxel9 has the video play at four times speed to simulate what the frame rate should actually look like.
We didn’t get to test things for ourselves but the video shows the emulator running. Starting with it being compiled in the Linux command prompt up to showing the Xbox one dashboard and individual games. It also runs about as rough as you would expect the notoriously finicky Xbox emulation software to run on lower-end device like the Switch. We reached out to Voxel9 for more information but have not heard back yet.
In the description of the video, Voxel9 writes that the emulator was running on Linux, which he installed on his hacked Switch, rather than the device’s proprietary Horizon operating system to improve performance. You also don’t see his hands in the video because he’s operating the Switch using a PS4 controller rather than the Joy-Con since the emulator in its current form can’t detect them.
“So you’re playing Xbox games with a PlayStation controller on a portable Nintendo console?” wrote one person on Reddit. “What the actual fuck is this world?”
Ever since a hardware-based exploit discovered last year blew the Switch homebrew scene wide open, hackers have been working on getting all different types of programs up and running on the Nintendo device. Last October, the developers behind the front-end dashboard for various emulators, RetroArch, announced it was finally working on hacked Switches, bringing with it support for NES, SNES, Sega Genesis, and other retro gaming emulators.
Emulation for many more modern consoles is still a work in progress, especially on a less powerful device like the Switch. RetroArch is still working on support for N64 emulators for the Switch, for example. Meanwhile Xbox emulators are far from optimized, even when running on standard PCs, due in part to the complexity of how the original hardware was designed and laid out. It’s impressive to see Xbox games running on the Switch at all.
For months, an unspecified number of users trying to register an account with Epic Games have found that their e-mail addresses were somehow already linked to accounts. Today, Epic Games told Kotaku that the culprit is an ongoing cyber attack and that the company is working to delete those accounts, though they would not say how many people were affected.
“I recently went to create an Epic Games account,” a tipster named Ed wrote in an e-mail last week. “And I found that I already had an account. I never made an account.” Ed went on to detail how an account using his e-mail address was registered in Thailand. It was the same e-mail he had used on his Xbox account. After going online, Ed noticed that dozens of other users had complained of this on the Epic Games forums and on Reddit. It had happened to one of his friends, too. In a screenshot Ed shared, his friend’s username appeared as tNpPldH7g—total nonsense.
Epic Games notes in an “account linking” FAQ that an e-mail address can only be associated with one Epic account. On the Epic Games forum, one concerned parent wrote last June that their son wanted to link his PlayStation Network account to his Epic Games account so he can play Fortnite on his PS4, however, when they tried, they received the error message “Failed to link account. Already associated with a different account.” Commenters with the same problem went on to note that that they had difficulty receiving a straight answer from Epic about what was going on.
Over e-mail today, Epic Games explained. “We recently discovered an ongoing attack which is creating Epic accounts using known email addresses via a botnet spanning over 500,000 machines,” a spokesperson said. “We are in the process of deleting those accounts and are adding further verification steps to account creation.”
It’s not clear why these cyber-attackers would want to create Epic accounts based on other people’s email addresses. Kotaku reached out to two former Fortnite account hackers to ask why somebody would create Epic accounts in this way. Neither could explain.
Today, news broke on Reddit that some details for about 600 Epic Games accounts were leaked online as plain text. When Kotaku asked whether Epic Games’ account linking issue was associated with this leak, a spokesperson pointed us to Epic’s response to the initial Reddit thread, from an Epic engineer: “The account system powering Epic Games store and Fortnite have not been compromised. Specific individual accounts have been compromised as a result of numerous automated attempts by hackers to try to log in to Epic Games accounts using email/password combinations leaked through security breaches on other web sites.” The incidents do not appear to be linked.
A 24 year-old man from England has pleaded guilty to charges of hacking into both Microsoft and Nintendo’s servers, causing an estimated $3-4 million damages.
As The Verge report, Zammis Clark—a former security researcher at Malwarebytes—went before a court in London this week accused of accessing servers at both companies, stealing user information, accessing files related to unreleased products and illegally sharing login details.
He was arrested in June 2017 for his actions against Microsoft, which included hacking into servers that contained “confidential copies of pre-release versions of Windows”.
Yet after this arrest his online access went unrestricted, and in early 2018 Clark used a VPN to get access to Nintendo’s servers, including those used for “highly confidential game development”, and which held “development code for unreleased games”.
Despite his repeat offences, and the severity of them, Clark won’t be facing prison, at least in the near term. Because he is both autistic and has “face blindness”, the judge deemed that prison would pose a risk to Clark’s safety, and taken in light of his parent’s work in attempting to care and rehabilitate him, decided to issue a suspended 15-month sentence.
According to five creators and sellers of aimbots and hacks who spoke with Kotaku, Apex Legends has become big business for cheat-makers.
Just a week after Apex Legends’ explosive release, a cascade of cheating allegations flooded player forums and every corner of the internet where the survival shooter’s players lurk. On esports newswires, articles over the past few weeks have accused Twitch streamers and pros like ElmZero, Mobados and Mengiez of using illicit hacks like removing recoil or aimlocking to gain an advantage over opponents. Cheats for Apex Legends are being sold blatantly through YouTube, Discord, and a slew of hacking forums across the web. Earlier this week, developer Respawn revealed that it has banned 355,000 of the game’s 50 million players for cheating.
One cheat-maker, who would only go by the name “Dev,” was working on what he called “Fortnite stuff” before Apex Legends hit the market. “Suspicious Fortnite stuff,” he clarified over a Discord voice call. Over time, he explained, advances in Fortnite’s security software made cheating very difficult and easily detectable. Fortnite’s developer also began sueing cheat-makers, which scared a lot of them off. He says that’s why he, and several other cheat-makers, moved onto Apex Legends, which he says is much easier and more lucrative to develop cheats for.
Dev’s cheat-making operation opened just four days ago and, over the course of those four days, he has made about $5,000, screenshots provided to Kotaku corroborate. In one video advertising his software, Dev’s business partner Tom gets 30 kills in just one game. Tom’s account, Dev says, is still up.
“In terms of cheats, what’s really in demand right now is Apex Legends,” another cheat-seller, whom we’ll call Adam, said. In just one week, Adam says he’s made $400 in profit selling Apex Legends cheats. (Since many cheats are paid for on a subscription basis, that number is likely to grow.) In a video advertising his hack, Adam’s Apex Legends’character’s gun easily follows and kills an opponent obscured completely by smoke.
As a free game, Apex Legends doesn’t need to be repurchased if a player is banned for cheating. There aren’t huge repercussions for getting found out. “If you get banned you can just create a new account and change your hardware IDs,” said Dev, which he added is possible with a piece of free software.
Cheat-makers and sellers even have their favorite characters to cheat with. Tom said that Bangalore is exceptionally fun to cheat with because, after giving herself a smoke cover, his hack lets her see through walls and shoot opponents who don’t know where she is. Another cheat-seller, Timothy, explained that, for him, it’s Bloodhound, “due to the fact that, if I was trying to hide my advantages, I could just say I saw footsteps and we are going to follow them,” he said. “As for who is the easiest [to cheat with], I would say Wraith, because if you get too confident you can also use an ability to get out of the situation quickly.”
While people making money off cheating may be pleased with Apex Legends’ popularity, players who want to play a clean, fair game may feel differently. /r/ApexLegends moderator Emily remembers the first post she saw about a cheater. “It was February 12, 8 days after release,” she told Kotaku over Reddit. “The subreddit has been flooded with posts about hackers and cheaters since that first one. We have been removing cheating/hacking related posts because they are so frequent and it overwhelms the other content on the sub.”
As complaints of cheating reached critical mass, Emily says she reached out to Apex Legends’ developer to ask how to help the community report cheaters. Later on, in Apex Legends forums, Respawn’s community liaisons would link players to a “Report A Cheat” page on Easy Anti-Cheat, the program Apex Legends uses to detect cheating. Still, Apex Legends does not have an in-game reporting function.
Apex Legends developer Respawn Games posted on the game’s subreddit five days ago to say that it is working on improvements to identify and remove cheating in the future, but they they “have to be pretty secretive” about their plans. Respawn did say that they’re working on integrating a “Report” function into the game’s PC version.
When asked what the lifespan is for this explosion in Apex Legends cheat sales, Tom told Kotaku, “Right now I feel as though it’s booming and strongly increasing.” Then, citing the severe, and often short arcs for battle royale games’ popularity, he continued, “Eventually the game will die and other games will overtake it.”
Leaky security, hardware exploits, crashes, broken features—every piece of hardware or software is prone to bugs and vulnerabilities, and it’s likely you’ve had the misfortune of dealing with them at some point in your tech life. While most people grin, bear it, and wait for the problem to fix itself, you can also take a more active approach to bugs and other security disasters by reporting your findings.
The problem? You might not know how or where to submit a bug report when you encounter an issue. To make this process easier, we’ve taken a look at the most commonly used apps, services, and hardware manufacturers, and consolidated their bug reporting tools into one big list.
Some tips on bug reporting
Though our list explains how to submit bug reports for frequently used apps and services, it’s not exhaustive. If you don’t find what you’re looking for, here are some quick bug reporting tips and best practices:
Some apps and programs will allow you to send a crash/bug report directly. If you’re experiencing frequent crashes, and this option is available, take advantage of it. Often times these auto-reports will include information you’d otherwise have to manually include, making the process much easier.
Write down (or take screenshots of) any pop-up boxes or error codes, if possible. Be detailed about what and how the bug, error, or crash happened, and make sure to include your hardware/software specifications where applicable. These detail swill be helpful to include in your bug report (and might be required in some cases).
If you’re submitting a bug on a forum or message board, make sure to read any posting guidelines, which usually require you to run a preliminary search to see if your specific bug has already been reported. While repeat reports help a bug get fixed faster, some bug report forums have strict requirements for how to submit reports for the same bug or error.
If you’re looking for a company’s bug bounty program or how to submit a security-related vulnerability, these links can usually be found on Bugcrowd or Hackerone. Remember, these programs are more geared for high-level issues and major bugs, not your average performance hiccups, and therefore have strict guidelines for submission.
Technical bugs related to PlayStation services and hardware can be submitted to PlayStation’s support team in several ways, including online, on Twitter, through email, chat, over the phone, and more. Check this page to find the method most relevant to you.
If you play video games, you are an ideal target to get wrecked by hackers.
Sure, you’re tech savvy—you know what a hard drive is and have seen an HDMI cable or two in your day. Still, there are some unassailable, totally exploitable truths about gamers: They are very online. They log in to a lot of stuff. They have some money. They want to be better than other gamers. And they like to use the password “Dragon.”
This post originally appeared 5/1/18.
In 2018, hackers broke into thousands of Fortnite players’ accounts and siphoned hundreds of dollars at a time. How? Those players had used their username and password combinations somewhere else on the world wide web. And somehow, they got leaked. Now, they’re begging for big refunds and scurrying to protect themselves from further financial harm. It was a preventable disaster. And we’re here to teach you how to prevent it.
Here some some tips on how to stay safe while gaming.
What matters when it comes to security?
Everything matters. That sucks to hear, I know. Security is like a balloon. If there’s even one hole, it’s not a balloon anymore. When it comes to your gaming apps, if you have unique passwords on your Blizzard and Epic Games accounts, but not on your five favorite gaming forums’ accounts—and if you use those same passwords on PayPal, e-mail or Facebook—then you’re vulnerable to hacking.
Password leaks happen all the time on all sorts of sites. Hackers can input your niche Everquest forum password into, say, your banking site if you use the same password for both. And then you get screwed. It’s that simple.
Think about everything you have an account for. Your PlayStation Network account, your Microsoft account, your Battle.Net account, your Steam account, your Reddit account… when you add it up, that’s a lot of stuff! And each of these accounts contains at least a little personal information, whether it’s your first and last name or your credit card number.
It can seem really intimidating to stay vigilant about so many accounts, but with good habits in place, keeping everything in check can become second nature.
Where do I start?
Start with your passwords. We all know “Password123” is easy to guess. But so is “Dragon.” “StarWars,” “monkey” and “football” are extremely common for the same reason—turns out a lot of people like popular stuff. It’s also likely that your unique, fun password you’ve kept since the fourth grade—“Pikachu,” maybe—is just as easy to figure out.
You need to have crazy passwords for everything. According to our sister site Lifehacker, passwords that are long and include numbers, capital letters and symbols are great. Don’t use common phrases or words. BiRdSaNdBeEs_123 isn’t as great a password as bVWx633HVN7Z.a!=.
Changing your passwords is totally tedious, but on the back end of a security breach, extremely worth it. Spend a few days recording which websites and apps you use regularly. Likely, it includes some combination of Facebook, Gmail, Twitter, Reddit, YouTube, Discord and Amazon. For gamers, that list might include Battle.net, Steam or Xbox Live. Write all of it down. Then…..
Download a password manager
You simply cannot remember 20 very strong passwords. If you can, your passwords probably aren’t strong. You need a password manager. And a lot of password managers can even help you come up with secure passwords.
Since browser-based password managers like the one in Opera have been hacked before, I recommend downloading a password manager onto your phone. I use LastPass. Other people like 1Password. That way, you’ll only have to remember the password to your password manager (or you can just use your fingerprint).
Enable two-factor authentication
Two-factor authentication is a fancy way of saying, “the app asks you to verify yourself.” All it means is that, when you log in to something, you’ll receive a text message or an e-mail with an additional code. You can also get a special app that generates this code on your phone. No one will be able to log into your account unless they enter that code into the client.
Opting in to two-factor authentication can mean the difference between someone else logging into your MMORPG account and stealing all your hard-earned gold and, well, that not happening. Getting a two-factor authentication code when you’re not trying to log into something is also a great way to know someone’s trying to hack you!
Lots of gaming apps let you enable two-factor authentication. Here’s a list from TwoFactorAuth.org plus links to instructions on how to enable it:
If you just scrolled through this and wondered, “Where’s League of Legends?” or some other service not listed, then I have some advice for you: E-mail them! Make sure they know you want this security feature. Basic two-factor is something worth demanding.
Here’s a fun fact: Random Call of Duty players you add as friends on your PlayStation might be able to see your first and last name! Maybe that’s cool with you. Maybe it’s not. Either way, you should know whether you’re leaking personal information you don’t want leaked.
Your PlayStation, Xbox, Steam account, etc. all have privacy settings. The Switch has very limited customization options here, but that’s because Nintendo’s online service doesn’t show friends your real name, anyway. You should familiarize yourself with the privacy and security settings for all your gaming accounts and modulate them to your liking. The PlayStation Network’s settings, for example, ask whether you’d like people on your friends list to see your real name. Microsoft blocks Xbox users’ real names by default, although there was once a bug that temporarily revealed people’s names. Now on Steam, you can even hide how few hours you’ve actually played of PlayerUnknown’s Battlegrounds.
Wow, free Fortnite V-Bucks! Booyah! All I need to do is enter my social security number into the website f0rtn1te.net!
Nothing cool is free in online gaming. Even if all your passwords are perfect and you have two-factor enabled on everything, that won’t stop you from falling for hackers’ tricks.
Any sites or people offering free video game skins, currency, etc. are shady, and especially if a stranger messages links to you through an online game. If you receive an e-mail from a strange address telling you that your Elder Scrolls Online account has been compromised, and that you need to give them your username and password, type that address into Google to make sure it’s legit.
Sometimes, hackers will copy the look and feel of sites you frequent to make their scam see legitimate. If a website starts with http:// and not https://, that can be a red flag. If the website is http://www.ep1cgames.com, and not https://www.epicgames.com, that’s a big red flag.If the website is asking you to download something before proceeding, and that something is not Adobe Flash Player, Google what it is before just automatically downloading it. Most computers these days come with decent antivirus software that will let you know whether you’re downloading insidious malware, but it doesn’t hurt to double up. Here are some good options.
Don’t put your personal information out there
A decade ago, your parents probably warned you about the “strangers” and “dangerous people” haunting AOL chatrooms. Maybe they said that telling MMO buddies your first name could mean inviting some 50-year-old mouthbreather to stand outside your window all night. We’ve been on the internet long enough to know that, for the most part, people who play games online are not going to stalk you because you told them what city you live in. That said, it’s hard to vet how safe online friends are. And it’s easy to leverage even the tiniest bits of personal information against someone.
Somtetimes, even just knowing your mom’s maiden name can be the key to your goods. Other times, someone can impersonate you to your cell phone provider’s customer service rep using your birthday and the last four digits of your social security number. It might not even take that much. People voluntarily overshare on Twitter and Facebook all the time.
If you are playing video games online—or streaming yourself playing video games—here’s a handy list of topics to avoid to protect yourself from potential harm:
Your full name
The full names of the people closest to you
Your exact birthday
Your address or a picture of your home
Your phone number
Your social security number
Any banking information
Where embarrassing photos of you live
Physical places you frequent (i.e. schools, restaurants, stores)
Any combination of this information can spell out exactly who you are, where you live and how to find you. You will need to rely on your own judgment when it comes to trusting strangers. Suffice to say, there isn’t any reason to give out any of the above information to anyone you’re gaming with. (Bonus: You can get a gaming-specific VPN—or, a private network that masks where you are—to really protect yourself from getting tracked.)
Listen, if you’re trolling darkweb marketplaces for high-ranked League of Legends accounts, you’re inherently putting your security at risk. Games’ Terms of Service exist to protect developers, yes, but also, to protect gamers. If you’re doing something that flagrantly breaks a game’s Terms of Service, like purchasing in-game currency or installing cheat software, you could be giving an opening to hackers.
The sad, solemn truth is that it is impossible to account for everything. It really is. Good hacks happen to good, vigilant people. However, with these tips, you can exercise a little more control over the chaos that is the internet.