The video game industry and gamers faced more than 10 billion cyberattacks during the past couple of years, with the attacks spiking in the pandemic, according to a new report by internet delivery and cloud services company Akamai.
The report found hackers tried nearly 10 billion credential-stuffing attacks, where hackers use stolen credentials to take over an account, said Steve Ragan, Akamai security researcher and author of the report, in an interview with GamesBeat.
The industry also saw 152 million web application attacks, such as SQL Injection (SQLi) attacks, between 2018 and 2020, according to Cambridge, Massachusetts-based Akamai.
“As games move online and leverage cloud infrastructure and cross-platform and cross-generation play, that’s an attack surface,” Ragan said. “Now, these gaming companies are doing everything they can to protect their players and their games. I’m still concerned because that’s a huge target for criminals. And if the last two years have shown anything, which we demonstrate in the report, criminals are tenacious, they don’t waste time, they’ll go after anything and everything if it’s in front of them. And the bigger the attack surface, the more room they have to play.”
The report saw an uptick in attack traffic that correlates with COVID-19-related lockdowns. In addition, the report examines motivations driving the attacks and steps gamers can take to help protect their personal information, accounts, and in-game assets. Akamai also showed some data from a survey conducted with DreamHack, the gaming lifestyle festival.
“The elephant in the room is the pandemic,” Ragan said. “Gamers are social creatures. When everything started locking down, gamers went deeper into their games. That’s good for criminals. They wasted no time targeting the gaming sector. And they were successful.”
Ragan said that gamers should be aware that they’re subjected to a steady barrage of criminal activity, largely through credential stuffing.
Across all industries, Akamai observed more than 100 billion credential stuffing attacks from July 2018 to June 2020. Nearly 10 billion of those attacks targeted the gaming sector. To execute this type of attack, criminals attempt to access games and gaming services using lists of username and password combinations that are typically available for purchase via nefarious websites and services. Each successful login indicates a gamer’s account has been compromised.
Phishing is the other primary form of attack used against gamers. In this method, bad actors create legitimate-looking websites related to a game or gaming platform with the goal of tricking players into revealing their login credentials.
“This report gives us context for what is going on in the criminal marketplace,” Ragan said. “Criminals are taking over accounts so they can sell them.”
Akamai also saw 10.6 billion web application attacks across its customers between July 2018 and June 2020, more than 152 million of which were directed toward the gaming industry. The significant majority were SQL injection (SQLi) attacks intended to exploit user login credentials, personal data and other information stored in the targeted server’s database.
Local File Inclusion (LFI) was the other notable attack vector, which can expose player and game details that can ultimately be used for exploiting or cheating. Criminals often target mobile and web-based games with SQLi and LFI attacks due to the access to usernames, passwords and account information that comes with successful exploits.
Between July 2019 and June 2020, more than 3,000 of the 5,600 unique distributed denial of service (DDoS) attacks Akamai observed were aimed at the gaming industry, making it by far the most-targeted sector.
Recalling the Mirai botnet, which was originally created by college students to disable Minecraft servers, and later used to launch some of the largest-ever DDoS attacks, the report notes that the gaming-related DDoS attacks spiked during holiday periods, as well as typical school vacation seasons. This serves as a likely indicator that the responsible parties were home from school.
Though many gamers have been hacked, far fewer appear to be concerned. In an upcoming survey of gamer attitudes toward security conducted by Akamai and DreamHack, 55% of the respondents who identify as “frequent players” admitted to having had an account compromised at some point; of those, only 20% expressed being “worried” or “very worried” about it.
“There’s a huge disconnect there, even though a lot of players couldn’t recover a compromised account,” Ragan said.
Ragan said players should be worried. Hackers can lock users out of compromised accounts and buy a bunch of things, like skins in games, and transfer them to other accounts. The user gets stuck with the bill and the hacker makes off with the loot.
“If I’m not paying attention, the next thing I know I’m getting a $10,000 credit bill because somebody went out and bought like 100 skins, or worse my child’s account gets compromised and now that criminals buying those skins loads the account up and then flip it,” Ragan said.
The report posits that even though avid gamers might not recognize the value in the data associated with their accounts, criminals most certainly do.
The Akamai/DreamHack survey also found that gamers consider security to be a team effort, with 54% of respondents who acknowledged being hacked in the past feeling it is a responsibility that should be shared between the gamer and game developer/company.
The report outlines steps that gamers can take to protect themselves and their accounts such as using password managers and two-factor authentication along with unique, complicated passwords. It also points to resource pages that most game companies publish where gamers can opt in to additional security capabilities. Ragan said it’s a good idea to pay for online accounts with gift cards rather than credit cards.
The fact remains: Gamers are highly targeted because they have several qualities that criminals look for. They’re engaged and active in social communities. For the most part, they have disposable income, and they tend to spend it on their gaming accounts and gaming experiences. When these factors are combined, criminals see the gaming industry as a target-rich environment.
Ragan said esports tournaments are also a concern, as a lot of fans place bets on them. When there is money at stake, the hackers will find a way to try to manipulate the tournament results, possibly attacking some of the players to make them lose, Ragan said.