LAS VEGAS — Gamers and the businesses that cater to them are by and large well aware that nefarious log-in attempts and other forms of credential abuse are a problem. But maybe not as aware as they should be.
With attackers using new methods of escaping detection, many organizations aren’t staying up to speed with the scope and complexity of the problem facing gamer identity theft, according to a new report from Akamai.
The company’s 2019 “State of the Internet: Security Web Attacks and Gaming Abuse Report” — released during the annual Akamai Edge World event — found that hackers carried out a numbing 12 billion-plus credential stuffing attacks against gaming sites between the end of 2017 and March of this year, labelling the gaming community as one of the fastest rising targets for such attacks, and one of the most lucrative targets for cyber criminals.
In total, gaming sites accounted for more than 30% of all credential stuffing attacks across all industries during the time period Akamai researched.
“One reason that we believe the gaming industry is an attractive target for hackers is because criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher for Akamai and editorial director of the report. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”
Akamai’s report also noted that SQL Injection (SQLi) attacks have come to represent about two-thirds of all web application attacks, while Local File Inclusion (LFI) attacks are roughly a quarter.
What the report notes is a majority of credential stuffing lists circulating online use data originating from well-known, large-scale data breaches, with many having SQLi as a root cause.
A press release from Akamai notes that its researchers discovered a video instructing viewers on how to conduct SQLi attacks against web sites, and use credentials obtained to generate lists that can be used for credential stuffing attacks against online games.
“While gaming companies continue to innovate and improve their defenses, these organizations must also continue to help educate their consumers on how to protect and defend themselves,” McKeay said. “Many gamers are young, and if they are taught best practices to safeguard their accounts, they will incorporate those best practices for the rest of their lives.”
The report notes that hackers tend to place more value on compromised accounts connected to valid credit cards and other financial tie-ins, and once these accounts are compromised, will purchase additional items, including currencies used within games.
Akamai’s report shows that more than two-thirds of application layer attacks are targeted against organizations based in the U.S., with Russia and Canada taking the No. 1 and No. 2 spots targeting the gaming sector, in terms of sources of attacks.
“Attackers see credential abuse as a low-risk venture with potential for a high payout, at least for now,” Akamai’s report reads. “
These types of attacks are more likely to increase for the foreseeable future. As with many other types of attacks, the important thing is for you, the reader, to be aware that the attacks are happening so you can find ways to defend your enterprise from them.”