Pokemon Go, the augmented reality game that has become an overnight sensation, experienced sluggish performance over the weekend, possibly as the result of a hacker attack on its login servers.
Shortly after Pokemon Go devs tweeted that the game was rolling out to 26 additional countries, this tweet appeared:
Trainers! We have been working to fix the #PokemonGO server issues. Thank you for your patience. We'll post an update soon.
— Pokémon GO (@PokemonGoApp) July 16, 2016
The next day the Pokemon Go team announced that the issues causing the server problem had been fixed and that players once again could search for Pokemon in the real world.
In the interim, though, two hacker groups — OurMine and PoodleCorp — claimed they had crippled the servers with Distributed Denial of Service attacks.
Hacker groups often try to build their Net cred with this kind of attack, observed Stephen Gee, senior product manager for security at Barracuda.
“They wanted to build a name for themselves by taking down this server,” he told TechNewsWorld.
One of the groups claiming responsibility for the slowdown, OurMine, recently gained some notoriety by hacking into the Twitter accounts of high-profile people like Google CEO Sundar Pichai, Spotify CEO Daniel Ek, Amazon CTO Werner Vogels and Twitter CEO Jack Dorsey.
If the hackers disrupted Pokemon Go, it’s something the system architects should have been prepared for, maintained Stephen Gates, chief research intelligence analyst for NSFocus.
“Organizations that provide this type of online gaming experience must expect to come under the crosshairs of DDoS attackers at some point,” he told TechNewsWorld.
“In the world of online gaming, the motivations for DDoS attacks come in several flavors,” Gates said. “Notoriety is always at the top of the list, and DDoS for ransom is a likely second.”
Availability Is Milk of Gaming
Availability is the foundation of the online gaming experience, noted Gates.
“Take away availability, and so much for the experience. That is why a comprehensive plan to defeat DDoS attacks should be implemented before going live as hybrid cloud and on-premises defenses can easily defeat these attacks,” he explained.
“Often, when unexpected outages or latency occurs to an online game making the game unenjoyable, people will either complain quite loudly or stop playing the game altogether,” Gates added. “In this case, the Pokemon team needs to shore up their DDoS defenses or potentially lose many of their followers.”
For hackers less concerned with notoriety and more concerned with dollar signs, the Pokemon Go servers could be a gold mine of information.
“Pokemon Go has millions of users registered,” explained Jaime Blasco, chief scientist at AlienVault.
“If a hacker is able to access the servers, it might be possible to steal passwords — depending on how well those are secured — and email addresses,” he told TechNewsWorld. “These credentials can later be used to access other services where people might be reusing the same password, or they could even sell the credentials on the black market.”
Although the Pokemon Go team quickly ironed out initial privacy problems, the way the game shares data may raise concerns among some players, Blasco warned. For example, any information collected by the game may be shared with third parties unknown to a player.
“If you don’t like the sound of that,” Blasco said, “I recommend creating a special email account to play these games, and never use your real name or personal data. That way the location data cannot be linked to your real name at any point.”
Fake Pokemon Go
A common tactic deployed by Net bandits when a game gains popularity is to release fake versions of the game and distribute them outside the mainstream app stores. Fake versions of Pokemon Go already have been spotted in the wild.
“These fake apps usually come bundled with malware or other malicious pieces of software that get installed in your phone at the same time,” Blasco explained. “People downloading the Pokemon app and any other apps should always use the official Google and Apple stores and double-check that the app is the official one.”