Tackling the Issue of Online Gaming Credential Stuffing
When it comes to cyberattacks, what causes them and the risks they pose, our attention focuses primarily on the most vital industry verticals: financial, health care, commerce and government. So when I sat in on a session about Akamai’s recently released “State of the Internet/Security report” at the company’s recent Edge World conference, I thought for sure that I’d be hearing about the security and threats in those industries. Instead, the session (and the report) was all about web attacks and cyberthreats against the gaming community.
That’s right. The online gaming community—those who play Dota and Fortnite and hundreds of other interactive video games—are regularly being targeted by cybercriminals. That in itself is important, especially when you consider the number of young people involved in gaming. But what’s happening here can provide valuable lessons on the types of threats we face now and, more importantly, what could happen in larger, more critical industries as the move to digital continues.
“Gaming is just one facet of the criminal economy that spans dozens of verticals and industries,” said Martin McKeay, editorial director with Akamai, “and it affects millions of people every day.”
Web Application Attacks
The Akamai team started the research by looking at web application attacks from a global perspective. One of the most surprising results from the 17-month study was the prevalence of SQL injection attacks, which now make up 65% of all web application-style attacks. Over the years, that number has ranged from 45% to 55% of all attacks, with 55% being an unusual spike in the numbers.
Another surprising statistic is how high the Netherlands is on the list of both targeted countries and source-of-attack countries (it is ranked third, behind the U.S. and Russia). A lot of this has to do with the use of proxies set up to attack gaming sites, and what you see are high volumes of dark net trafficking in credentials—gaming logins and stolen passwords.
The Value of Gaming
Why do cybercriminals go after the gaming world? The same reason they target any industry: it’s lucrative, both in actual and in digital currency. Serious gamers build up thousands of in-game tools and accessories for their online character that they buy or earn in game play, which can be sold in other markets. When gamers decide to quit playing a game, they can sell their character. It’s all about changing digital assets into real money. At the same time, online gaming is unregulated and flies under the radar. If a cybercriminal hacked into your bank and stole all of your money, law enforcement will take action. But stolen credentials in a game would be laughed out of the police station because it’s a game. Gaming is going to be a valuable commodity to cybercriminals as long as there are no laws and regulations governing its safety.
Credential Stuffing
Gaming accounts for one-quarter of the credential abuse that Akamai’s researchers see. Credential stuffing has been around for a while, but its use as an attack vector is on the rise. Here’s how Wired describes it: “Attackers take a massive trove of usernames and passwords (often from a corporate mega breach) and try to ‘stuff’ those credentials into the login page of other digital services.” The more those credentials are used across accounts, the more doors hackers can open.
There are cheap, easy-to-use tools on the market for anyone to purchase that searches for authentic credentials. Unfortunately, there are kids involved in this, often with their parents’ permission—again, in part, because gaming is lucrative and unregulated. With those stolen credentials in hand, hackers can access someone else’s gaming account—undetected, because it looks like a legitimate login—and take over the character and everything accrued.
What Companies Can Learn
You may ask, What does a report about gaming abuse have to do with my company? Gaming is an unregulated outlier.
“Think of gaming as a bellwether,” said McKeay. “This is where some of the traffic is moving, from what we’ve seen. But the same tools used against gaming will also work against retail, finances—all sorts of systems—to steal credentials.
“Gaming is just one sector, but be aware, you are being hit by the same thing.”
