FakeBat Scenario: Gaming Cafe Network Infection

FakeBat Scenario: Gaming Cafe Network Infection

LevelUp Gaming Lounge: Gaming cafe, 40 stations, 200+ regular members

Social Engineering • FakeBat

STAKES

Customer account safety + Payment trust + Tournament operations + Community reputation

HOOK

LevelUp Gaming Lounge is preparing for a weekend esports tournament when dozens of gaming stations begin opening unexpected browser tabs, showing persistent pop-up ads, and redirecting players to fake driver-download pages. Staff observe repeated installation prompts for ‘performance tools,’ and customers report account anomalies after using shared stations.

PRESSURE

• Tournament operations begin Saturday at 9:00 AM
• Compromised stations threaten customer account security and sponsor confidence

FRONT • 120 minutes • Intermediate

LevelUp Gaming Lounge: Gaming cafe, 40 stations, 200+ regular members

Social Engineering • FakeBat

NPCs

• Danny Ochoa (Owner): Accountable for tournament continuity, $5,000 event readiness, and $2,000 sponsor commitments
• Mia Chen (Shift Manager): Directing triage across 40 compromised stations and managing customer queue flow
• Tyler Brooks (Community Admin): Monitoring player reports and gaming-forum escalation

SECRETS

• Staff identified fake performance installers on public stations but delayed full shutdown to avoid canceling qualifiers
• Shared local admin workflows accelerated spread once one station was compromised
• Several browser profiles on shared stations retained saved payment tokens from repeat customers

FakeBat Scenario: Gaming Cafe Network Infection

PixelHouse Gaming: Gaming cafe, 35 stations, 180+ regular members

Social Engineering • FakeBat

STAKES

Customer account safety + Payment trust + Tournament operations + Community reputation

HOOK

PixelHouse Gaming is preparing for a weekend esports tournament when dozens of gaming stations begin opening unexpected browser tabs, showing persistent pop-up ads, and redirecting players to fake driver-download pages. Staff observe repeated installation prompts for ‘performance tools,’ and customers report account anomalies after using shared stations.

PRESSURE

• Tournament operations begin Saturday at 09:00
• Compromised stations threaten customer account security and sponsor confidence

FRONT • 120 minutes • Intermediate

PixelHouse Gaming: Gaming cafe, 35 stations, 180+ regular members

Social Engineering • FakeBat

NPCs

• Callum Reed (Owner): Accountable for tournament continuity, £4,000 event readiness, and £1,600 sponsor commitments
• Aisha Khan (Shift Manager): Directing triage across 35 compromised stations and managing customer queue flow
• Ben Griffiths (Community Admin): Monitoring player reports and gaming-forum escalation

SECRETS

• Staff identified fake performance installers on public stations but delayed full shutdown to avoid canceling qualifiers
• Shared local admin workflows accelerated spread once one station was compromised
• Several browser profiles on shared stations retained saved payment tokens from repeat customers

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

FakeBat Gaming Cafe Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

FakeBat Gaming Cafe Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Thursday evening at LevelUp Gaming Lounge. Players preparing for the weekend event report lag spikes, random redirects, and pop-ups interrupting matches. Staff notice repeated prompts to install ‘optimization’ tools, and multiple stations show identical browser changes that return after each reboot.”

“It’s Thursday evening at PixelHouse Gaming. Players preparing for the weekend event report lag spikes, random redirects, and pop-ups interrupting matches. Staff notice repeated prompts to install ‘optimization’ tools, and multiple stations show identical browser changes that return after each reboot.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Players report browser redirects to fake utility and driver-download pages.”
• “Multiple stations show recurring pop-up ads that reappear after restart.”
• “Staff find unknown browser extensions requesting broad permissions on shared machines.”
• “Two customers report unusual purchases on accounts used from cafe stations.”
• “Payment flow is intermittent at peak check-in times.”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Installer artifacts show coordinated downloads of fake performance packages.
• Browser timelines reveal repeated redirect chains from ad clicks to spoofed download portals.
• Persistence traces indicate extension and scheduled-task relaunch behavior after reboot.

Protector System Analysis:

Note🛡️ Protector System Analysis

• Endpoint scans confirm multi-station browser hijacking with credential-theft capability.
• Security controls are inconsistent across shared public machines.
• Payment terminal segmentation exists but has weak operational guardrails.

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• DNS and proxy logs show burst traffic to recently registered gaming-themed domains.
• Outbound encrypted sessions from shared stations align with suspicious process start times.
• Forum scraping shows identical indicators reported at other esports venues.

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Players describe installing “must-have” tools to improve frame rates before qualifiers.
• Staff confirm policy exceptions for customer-installed software during tournament weeks.
• Sponsors request assurance that the event environment is safe for participants.

Mid-Scenario Pressure Points:

• Hour 2: Tournament pre-registration opens while station reliability is declining.
• Hour 3: Sponsors request a written security assurance update.
• Hour 4: Community posts amplify rumors about compromised stations.

Evolution Triggers:

• If containment is delayed, additional shared stations begin showing identical hijacking behavior.
• If customer communications are unclear, player dropouts accelerate ahead of bracket lock.
• If payment safeguards are deferred, fraud reports begin appearing after event check-in.

Resolution Pathways:

Technical Success Indicators:

• Team identifies the fake-software delivery chain and blocks reinfection paths.
• Shared-station controls are hardened without breaking core tournament workflows.
• Credential and payment-risk exposure is scoped with evidence-backed confidence.

Business Success Indicators:

• Tournament operations continue under a controlled and transparent risk posture.
• Sponsor and player communications stay consistent, timely, and credible.
• Cleanup and recovery actions are prioritized to protect the highest-value operations first.

Learning Success Indicators:

• Team demonstrates why public gaming venues have distinct endpoint-risk dynamics.
• Participants connect social engineering behavior to operational security outcomes.
• Group balances technical rigor with player experience and business continuity.

Common IM Facilitation Challenges:

If Team Over-Optimizes for Forensics:

“Your forensic timeline is strong. What decision do you make in the next ten minutes to keep tournament operations credible?”

If Team Ignores Communication Risk:

“Players are posting screenshots of redirects now. What is your public update in one sentence?”

If Regulatory and Reporting Is Minimized:

“For the United States variation, counsel flags State privacy laws and FTC consumer protection expectations, recommends early coordination with state Attorney General offices, and advises immediate evidence sharing with FBI Cyber Division and CISA before public statements.”

“For the United Kingdom variation, counsel flags UK GDPR and Data Protection Act 2018, recommends early coordination with the ICO, and advises immediate evidence sharing with NCSC and the NCA before public statements.”

Success Metrics for Session:

• Team identifies fake-utility delivery, browser persistence, and credential-risk mechanisms.
• Public-station risk controls are improved without collapsing tournament operations.
• Customer protection and payment-risk response are prioritized with clear rationale.
• Communication decisions reduce panic while preserving trust.
• Final recovery plan addresses both immediate cleanup and long-term policy gaps.

Template Compatibility

Quick Demo (35-40 min)

Structure: 1 guided investigation round and 1 response decision
Focus: Recognize software masquerading indicators and immediate containment priorities
Key Actions: Triage affected stations, isolate payment pathways, issue a player-safe status update

Lunch & Learn (75-90 min)

Structure: 2 rounds with escalating operational and communication pressure
Focus: Balance forensic confidence, customer protection, and tournament viability
Key Actions: Validate exposure scope, prioritize remediation order, align sponsor and player messaging

Full Game (120-140 min)

Structure: 3 rounds with open investigation and creative response design
Focus: End-to-end venue resilience from incident triage to governance changes
Key Actions: Build sustainable station controls, redesign escalation process, codify trust-restoration plan

Advanced Challenge (150-170 min)

Structure: 3+ rounds with constrained resources and ambiguous evidence
Focus: Decision quality under uncertainty with high reputational stakes
Key Actions: Defend prioritization choices, adapt playbook live, document accountable post-incident governance

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Station logs show coordinated downloads of fake performance installers from newly registered domains over the last 48 hours.”

Clue 2 (Minute 10): “Browser audits reveal unauthorized extensions with permission to read and modify all site data, including payment form pages.”

Clue 3 (Minute 15): “Network captures show repeating outbound beacon patterns from shared stations, consistent with credential theft and command updates.”

Pre-Defined Response Options

Option A: Full Station Reimage Wave - Action: Reimage prioritized stations from a clean baseline and enforce locked-down player profiles. - Pros: Removes known persistence quickly and standardizes endpoint state. - Cons: Creates short-term queue pressure and removes custom player configurations. - Type Effectiveness: Super effective against downloader-led browser compromise in shared environments.

Option B: Rapid Browser and Policy Lockdown - Action: Remove malicious extensions, block high-risk domains, and apply strict browser policy controls. - Pros: Fastest visible recovery for active tournament operations. - Cons: Residual endpoint persistence may remain without deeper remediation. - Type Effectiveness: Moderately effective as a containment-first approach.

Option C: Payment and Account Protection First - Action: Segment payment systems, force account credential resets on impacted stations, and activate fraud monitoring guidance. - Pros: Prioritizes highest-harm outcomes while triage continues. - Cons: Does not fully clear infected endpoints. - Type Effectiveness: Partially effective when paired with follow-on station cleanup.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Detection and Tournament Continuity (35-40 min)

Thursday evening at LevelUp Gaming Lounge, Owner Danny Ochoa is preparing for a $5,000 tournament bracket and waiting on a $2,000 sponsor release. Shift Manager Mia Chen confirms 40 stations are showing repeat browser redirects and unauthorized extensions ahead of Saturday check-in at 9:00 AM. Community Admin Tyler Brooks is tracking growing complaints from regular players in local Discord channels.

LevelUp Gaming Lounge is operating in controlled service mode while incident triage continues.

Thursday evening at PixelHouse Gaming, Owner Callum Reed is preparing for a £4,000 tournament bracket and waiting on a £1,600 sponsor release. Shift Manager Aisha Khan confirms 35 stations are showing repeat browser redirects and unauthorized extensions ahead of Saturday check-in at 09:00. Community Admin Ben Griffiths is tracking growing complaints from regular players in local Discord channels.

PixelHouse Gaming is operating in controlled service mode while incident triage continues.

If team stalls: “You can either protect schedule certainty or maximize forensic certainty first. What is your next irreversible action?”

Facilitation questions: - “What is your threshold for taking stations offline when players are already queued?” - “How do you separate confirmed exposure from plausible exposure in your first public update?” - “What do you tell sponsors right now, and what evidence backs that message?”

Round 2: Exposure Validation and Stakeholder Commitments (35-40 min)

For the United States variation, counsel flags State privacy laws and FTC consumer protection expectations, recommends early coordination with state Attorney General offices, and advises immediate evidence sharing with FBI Cyber Division and CISA before public statements.

For the United Kingdom variation, counsel flags UK GDPR and Data Protection Act 2018, recommends early coordination with the ICO, and advises immediate evidence sharing with NCSC and the NCA before public statements.

Pressure event: “A player reports unauthorized purchases and asks whether your venue caused the compromise. Do you issue a broad warning now or wait for deeper validation?”

Facilitation questions: - “How do you protect customers while avoiding speculative overstatement?” - “What evidence standard do you require before notifying your full customer list?” - “What commitments do you make publicly that your team can actually deliver this weekend?”

Round Transition Narrative

After Round 1 to Round 2:
Containment progress improves technical stability, but trust risk expands. As evidence quality increases, the team must align customer protection, sponsor commitments, and platform reporting obligations.

Full Game Materials (120-140 min, 3 rounds)

TipFull Game vs. Lunch & Learn

The Full Game shifts from guided clues to open investigation with three connected arcs: technical containment, trust stabilization, and long-term venue architecture. Use the Key Discovery Paths as your investigation reference and the Resolution Pathways as your evaluation baseline.

Round 1: Live Operations Under Uncertain Exposure (35-40 min)

Thursday evening at LevelUp Gaming Lounge, Owner Danny Ochoa is preparing for a $5,000 tournament bracket and waiting on a $2,000 sponsor release. Shift Manager Mia Chen confirms 40 stations are showing repeat browser redirects and unauthorized extensions ahead of Saturday check-in at 9:00 AM. Community Admin Tyler Brooks is tracking growing complaints from regular players in local Discord channels.

Thursday evening at PixelHouse Gaming, Owner Callum Reed is preparing for a £4,000 tournament bracket and waiting on a £1,600 sponsor release. Shift Manager Aisha Khan confirms 35 stations are showing repeat browser redirects and unauthorized extensions ahead of Saturday check-in at 09:00. Community Admin Ben Griffiths is tracking growing complaints from regular players in local Discord channels.

If team stalls: “You have one hour before community confidence tips from concern to panic. What visible action proves control?”

Round 2: Community Trust and Reporting Decisions (35-40 min)

• Additional account-abuse reports emerge from frequent users.
• Sponsor contacts request confirmation that event endpoints are remediated.
• Staff ask for a clear policy on customer software installation exceptions.

Facilitation questions: - “What do you disclose publicly today, and what do you reserve pending validation?” - “Which controls become permanent, even if they reduce player customization?” - “How do you balance fairness to affected customers with uncertainty in attribution?”

Round 3: Security Architecture and Budget Tradeoffs (40-45 min)

Opening: Weekend operations are stabilized, but leadership must decide whether to fund structural controls or revert to pre-incident workflows.

“Budget decision for this variation: $8,000 for reimaging automation plus $500 monthly monitoring. Which controls are mandatory now versus phased later?”

“Budget decision for this variation: £6,500 for reimaging automation plus £400 monthly monitoring. Which controls are mandatory now versus phased later?”

Facilitation questions: - “What governance change prevents tournament pressure from bypassing security controls next season?” - “Which single control most improves customer trust per unit of cost?” - “How do you measure whether trust has actually recovered in your player community?”

Debrief Focus

• Public-access endpoint risk differs from traditional enterprise endpoint assumptions.
• Social engineering succeeds when user incentives and operational pressure align.
• Trust damage can outlast technical cleanup unless communication is evidence-based and consistent.
• Sustainable controls require both technical hardening and policy discipline.

Advanced Challenge Materials (150-170 min)

Red Herrings & Misdirection

1. Legitimate patch noise: Platform and GPU updates overlap with incident timing, obscuring root-cause timelines.
2. Event load anomalies: Tournament stress tests generate traffic that looks similar to suspicious beaconing.
3. Peripheral confusion: Player-owned USB devices appear in logs and distract from software-delivery paths.
4. Community rumor drift: Forum speculation introduces false claims that pressure rushed responses.

Removed Resources & Constraints

• No external malware encyclopedia during play.
• Limited forensic staffing during peak customer hours.
• No full-site shutdown option until post-event window.
• Incomplete historical endpoint baseline for comparison.

Enhanced Pressure

• Bracket lock is pulled forward by 24 hours.
• A parent of a minor player requests immediate disclosure of potential data risk.
• Sponsors request a contractual security attestation before finals begin.
• A local streamer posts live claims that the venue is still compromised.

Ethical Dilemmas

1. Transparency scope: When exposure is plausible but unconfirmed, what does responsible disclosure look like?
2. Competitive fairness: If station instability affected qualifiers, do you rerun matches and accept reputational cost?
3. Business survival vs. broad warning: How much uncertainty justifies a venue-wide customer alert?
4. Policy rigidity vs. player autonomy: How much software freedom can remain in a secure shared environment?

Advanced Debrief Topics

• Designing resilient controls for high-turnover shared-computing venues.
• Reducing social-engineering success in optimization-driven user communities.
• Building incident playbooks that include both technical and community-trust objectives.
• Using post-incident governance to prevent repeated policy exceptions under event pressure.