Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites in the 17 months ended March 2019, according to a new report by internet delivery and cloud services company Akamai.
This puts the gaming community among the fastest rising targets for credential stuffing attacks — where hackers use stolen credentials to take over an account — and one of the most lucrative targets for criminals looking to make a quick profit. During the same time period, Akamai saw a total of 55 billion credential stuffing attacks across all industries.
The report also reveals that SQL Injection (SQLi) attacks now represent 65.1% of all web application attacks, with Local File Inclusion (LFI) attacks accounting for 24.7%. The report’s data shows that SQLi attacks have continued to grow at an alarming rate as an attack vector, with a spike in activity during the 2018 holiday shopping season and a continued elevated trend since that time. In the first quarter of 2017, SQLi attacks accounted for 44% of all application layer attacks.
The bridge between SQLi and credential stuffing attacks is almost a direct line. The majority of the credential stuffing lists circulating on the darknet and on various forums use data that originated from some of the world’s largest data breaches, and many of them have SQLi as a root cause.
In fact, earlier this year Akamai researchers discovered a video where viewers were instructed on how to conduct SQLi attacks against vulnerable websites, and then use the credentials obtained to generate lists that can be leveraged in credential stuffing attacks against a popular online game.
“One reason that we believe the gaming industry is an attractive target for hackers is because criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher at Akamai editorial director of the report, in a statement. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”
In one example of these attacks, criminals target popular games looking for valid accounts and unique skins, which are used to change the appearance of an item in a video game. Once a player’s account is successfully hacked, it can then be traded or sold.
Hackers appear to place more value on compromised accounts that are connected to a valid credit card or other financial resources. Once these accounts are compromised, the criminal can purchase additional items, such as currency used within the game, and then trade or sell the hijacked account at a markup.
“While gaming companies continue to innovate and improve their defenses, these organizations must also continue to help educate their consumers on how to protect and defend themselves,” said McKeay. “Many gamers are young, and if they are taught best practices to safeguard their accounts, they will incorporate those best practices for the rest of their lives.”
Akamai found that nearly 67% of application layer attacks target organizations based in the United States.
Russia is the second largest source of application attacks, but nowhere to be found in the top 10 target countries. Similarly, China is ranked as the fourth highest source country, but not among the top 10 target countries.
Conversely, the United Kingdom is the second highest targeted country, but only tenth on the source country list. Japan, Canada, Australia, and Italy are all also among the countries most targeted, but not on the top 10 source list.
While the United States is overwhelmingly the top source country for credential stuffing attacks across all verticals, Russia and Canada take the top two spots targeting the gaming sector.
While not among the top 10 source countries for application layer attacks, Canada is the fourth highest source country for credential stuffing attacks
Vietnam is the ninth largest source country for credential stuffing attacks, but it ranks fourth when targeting the gaming sector.
The Akamai 2019 State of the Internet / Security Web Attacks and Gaming Abuse Report is available for download here.
GamesBeatGamesBeat's creed when covering the game industry is "where passion meets business." What does this mean? We want to tell you how the news matters to you -- not just as a decision-maker at a game studio, but also as a fan of games. Whether you read our articles, listen to our podcasts, or watch our videos, GamesBeat will help you learn about the industry and enjoy engaging with it. How will you do that? Membership includes access to:
- Newsletters, such as DeanBeat
- The wonderful, educational, and fun speakers at our events
- Networking opportunities
- Special members-only interviews, chats, and "open office" events with GamesBeat staff
- Chatting with community members, GamesBeat staff, and other guests in our Discord
- And maybe even a fun prize or two
- Introductions to like-minded parties