Many gamers enjoy defending themselves against enemies in a virtual world. But they also have to grapple with enemies in the real world in the form of cybercriminals. Just as with other sectors, the gaming industry has been a tempting target for hackers looking to make money by compromising accounts and launching attacks. A new report from cybersecurity provider and content delivery network Akamai examines the trend in cyberattacks against gamers and gaming companies.
SEE: Five skills you need to become a video game tester (free PDF) (TechRepublic)
For its report “2020 State of the Internet/Security: Gaming—You Can’t Solo Security,” Akamai teamed up with digital event company DreamHack to survey 1,200 gamers in April and May 2020. The goal was to learn how game players address security in the midst of the attacks that hit game companies every day.
Gamers are being directly targeted with cyberattacks, mostly through credential stuffing and phishing attacks, according to the report. From July 2018 through June 2020, Akamai detected more than 100 billion credential stuffing attacks, with almost 10 billion of them aimed at the gaming sector. To execute such an attack, cybercriminals try to obtain access to games and gaming services by using lists and tools with username and password combinations purchased on the Dark Web.
Credential stuffing attacks have surged as more people have turned to gaming during the coronavirus pandemic and lockdown. In these cases, criminals will often try credentials from old data breaches as a way to compromise new accounts that may reuse existing username and password combinations.
With phishing campaigns, attackers set up malicious but convincing emails and websites related to a game or gaming platforms. The objective is to trick gamers into signing in with and revealing their login credentials.
Gaming companies and websites have also been targeted with cyberattacks. Out of the 10.6 billion web application attacks against Akamai customers between July 2018 and June 2020, more than 152 million were directed toward the gaming industry.
SEE: Identity theft protection policy (TechRepublic Premium)
Most of the attacks against gaming sites employ SQL injection (SQLi), through which hackers use online forms to inject specific SQL code that can then compromise the database behind the form. Another common tactic is Local File Inclusion (LFI), through which attackers use web applications to gain access to files stored on the server. Cybercriminals typically hit mobile and web-based games with SQLi and LFI attacks as a way to capture usernames, passwords, and account information, according to Akamai.
Distributed Denial of Services (DDoS) attacks are also a common way to hit gaming sites. Between July 2019 and June 2020, more than 3,000 of the 5,600 DDoS attacks seen by Akamai hit the gaming industry. Such attacks skyrocket at times when users are more likely to be home, such as during holidays or school vacations.
Though many game players have been hacked, most don’t seem to worry much about the threat, according to Akamai’s survey. Among the respondents, 55% who called themselves “frequent players” said that one of their accounts had been compromised at some point. But among those, only 20% said they were “worried” or “very worried” about it. As such, gamers might not see the value in their own personal data, but the criminals certainly do.
The gaming sector is targeted specifically because of key factors desired by cybercriminals, Akamai said. Game players are engaged and active in social communities. Most also have disposable income that they can spend on games and gaming accounts.
“The fine line between virtual fighting and real world attacks is gone,” Steve Ragan, Akamai security researcher and author of the State of the Internet/Security report,” said in a press release. “Criminals are launching relentless waves of attacks against games and players alike in order to compromise accounts, steal and profit from personal information and in-game assets, and gain competitive advantages. It’s vital that gamers, game publishers, and game services work in concert to combat these malicious activities through a combination of technology, vigilance, and good security hygiene.”
What can and should gamers do to protect themselves and their accounts from compromise? The report offers several pieces of advice.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
First, criminals often find success with credentials stolen through old data breaches because so many people reuse and recycle the same passwords across multiple sites. To guard against this, users should never share or recycle passwords and should rely on a password manager to more easily take control of their credentials.
Second, multi-factor authentication (MFA) can help protect accounts against compromise. With MFA, you set up multiple ways to confirm your identity, such as your password, an authenticator app on your mobile phone, and facial or fingerprint recognition to access your phone and the app. Such gaming companies as Ubisoft, Epic Games, Valve, and Blizzard encourage the use of MFA.
Third, two-factor authentication (2FA) can serve in a pinch on sites where MFA is not an option. With 2FA, you have two ways to confirm your identity, such as your password and an SMS message to your phone. But as Akamai points out, there have been instances where SMS-based verification was exploited by criminals to gain access to accounts. If you have a choice between SMS 2FA and an authenticator app, you’ll want to use the app.
Fourth, make sure to log in through official gaming apps and services and not through third parties. For example, to sign into Steam you’ll want to use the Steam Store or Community page. If you’re asked to log in to Steam after you’ve provided your account username and password to a third party, that’s a sign that you’re being phished.
Finally, remember that no customer support or company representative for a game you play will ever ask for personal or financial information or authenticator codes for you to use your game or account. If you receive such a request, that’s a signal that you’re being targeted with a scam.