Akamai, the intelligent edge platform for securing and delivering digital experiences, reveals in its “State of the Internet / Security report, Gaming: You Can’t Solo Security” that high volumes of attacks were used to target video game companies and players between 2018 and 2020.
The report also notes an uptick in attack traffic related to COVID-19-related lockdowns. It also examines motivations driving the attacks and steps gamers can take to help protect their personal information, accounts, and in-game assets and includes highlights from a forthcoming survey on gamer attitudes toward security, which Akamai conducted with DreamHack, a gaming lifestyle festival.
“The fine line between virtual fighting and real-world attacks is gone,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. “Criminals are launching relentless waves of attacks against games and players alike in order to compromise accounts, steal and profit from personal information and in-game assets, and gain competitive advantages. It’s vital that gamers, game publishers, and game services work in concert to combat these malicious activities through a combination of technology, vigilance, and good security hygiene.”
The new report stresses that gamers themselves are subjected to a steady barrage of criminal activity, largely through credential stuffing and phishing attacks. Akamai observed more than 100 billion credential stuffing attacks from July 2018 to June 2020. Nearly 10 billion of those attacks targeted the gaming sector. To execute this type of attack, criminals attempt to access games and gaming services using lists of username and password combinations that are typically available for purchase via nefarious websites and services. Each successful login indicates a gamer’s account has been compromised.
Phishing is the other primary form of attack used against gamers. In this method, bad actors create legitimate-looking websites related to a game or gaming platform with the goal of tricking players into revealing their login credentials.
Akamai also saw 10.6 billion web application attacks across its customers between July 2018 and June 2020, more than 152 million of which were directed toward the gaming industry. The significant majority were SQL injection (SQLi) attacks intended to exploit user login credentials, personal data, and other information stored in the targeted server’s database. Local File Inclusion (LFI) was the other notable attack vector, which can expose player and game details that can ultimately be used for exploiting or cheating. Criminals often target mobile and web-based games with SQLi and LFI attacks due to the access to usernames, passwords, and account information that comes with successful exploits.
Between July 2019 and June 2020, more than 3,000 of the 5,600 unique DDoS attacks Akamai observed were aimed at the gaming industry, making it by far the most-targeted sector. Recalling the Mirai botnet, which was originally created by college students to disable Minecraft servers, and later used to launch some of the largest-ever DDoS attacks, the report notes that the gaming-related DDoS attacks spiked during holiday periods, as well as typical school vacation seasons. This serves as a likely indicator that the responsible parties were home from school.
Though many gamers have been hacked, far fewer appear to be concerned. In an upcoming survey of gamer attitudes toward security conducted by Akamai and DreamHack, 55 percent of the respondents who identify as “frequent players” admitted to having had an account compromised at some point; of those, only 20 percent expressed being “worried” or “very worried” about it.
The report posits that even though avid gamers might not recognize the value in the data associated with their accounts, criminals most certainly do.
The Akamai/DreamHack survey also found that gamers consider security to be a team effort, with 54 percent of the respondents who acknowledged being hacked in the past feeling it is a responsibility that should be shared between the gamer and game developer/company. The report outlines steps that gamers can take to protect themselves and their accounts such as using password managers and two-factor authentication along with unique, complicated passwords. It also points to resource pages that most game companies publish where gamers can opt in to additional security capabilities.