The report showed that “relentless” web application and credential stuffing attacks targeting gamers and gaming companies persisted throughout 2020, said Steve Ragan, Akamai security researcher and author of the “State of the Internet Security report,” in an interview with GamesBeat.
Akamai provides solutions for protecting and delivering digital experiences. Today, it released research showing that cyberattack traffic targeting the video game industry grew more than in any other industry during the COVID-19 pandemic.
The report said the video game industry faced more than 240 million web application attacks in 2020, a 340% increase over 2019.
Mobile gaming attacks popular
Ragan said that attackers are also going after mobile gamers.
“People like to play their games on a phone versus having to log into the computer or sit down in front of a TV,” he said. “But victims in these crimes don’t really think of security. I think of security all day long. But my kids don’t think about security when they’re playing their games.”
Mobile games incorporating in-app purchases are subject to a consistent barrage of attacks, according to the Akamai report. Criminals are seeking any opportunity to exploit players who spend real money on virtual, in-game items like skins, character enhancements and additional levels. The report highlights a recent example in which bad actors used a phishing kit to steal player email addresses, passwords, login details, and geolocation information that they subsequently sold on criminal markets.
Ragan said Akamai is observing criminals persistently testing video game industry defenses on a daily, and often hourly, basis, probing for vulnerabilities through which to breach servers and expose information. Numerous group chats forming on popular social networks are dedicated to sharing attack techniques and best practices.
“They started with the credential stuffing testing against every platform and every type of service you can think of including all the gaming ones,” Ragan said. “They went after Zoom, and then they pivoted, going after other verticals like streaming, media, gaming, and finance.”
SQL injection (SQLi), which targets player login credentials and personal information, was the top web application attack vector in 2020, representing 59% of all attacks Akamai observed against the gaming industry.
That was followed by local file inclusion (LFI) attacks at 24%, which target sensitive details within applications and services that can further compromise game servers and accounts. Cross-site scripting (XSS) and remote file inclusion (RFI) attacks accounted for 8% and 7% of observed attacks, respectively.
The video game industry suffered nearly 11 billion credential stuffing attacks in 2020, marking a 224% increase over the previous year. The attacks were steady and large, taking place at a rate of millions per day, with two days seeing spikes of more than 100 million.
“What you’re seeing is the spikes in gaming are correlating to the spikes globally. And consistently throughout the year, you’re looking at millions of attacks a day, spiking in some points to 76 million in the gaming industry in April,” Ragan said.
Second only to phishing in popularity of account takeover attacks, credential stuffing attacks were so common in 2020 that bulk lists of stolen usernames and passwords were available for as little as $5 on illicit websites.
“The market is just flooded with credentials,” Ragan said.
Ragan said that users recycling passwords and choosing simple ones is what makes credential stuffing such a constant problem and such an effective tool for criminals. He said a successful attack against one account can compromise any other account where the same username and password combination is being used. Using tools like password managers and opting into multi-factor authentication wherever possible can help eliminate recycling and make it far more difficult for bad actors to execute successful attacks.
“Not only were they doing their normal crime campaigns, credential stuffing, phishing, website exploitation, things like this,” Ragan said. “They were training each other, running classes, sharing informational resources about the top techniques for doing a type of scam.”
One thing is clear to Ragan.
“It’s not just the gaming companies’ responsibility or a player’s responsibility,” he said. “Both sides have to equally come to the table when security matters are addressed.”
Crypto wallets under assault
Cybercriminals have been going after crypto wallets as well.
“Wallet jacking has always been a thing. It’s been around since the early days of crypto in general,” Ragan said. “But what’s interesting is as the crypto market gains more public visibility, and there’s more money to be had, criminals focus on that.”
Criminals will buy the logs that have been stolen from a user’s computer after it’s been infected with malware.
“What the criminals are doing is they’re paying for the logs that have crypto wallet passwords in them just so they can take the money out of it,” Ragan said.