Gamers fragged by surge in credential stuffing attacks during lockdown


John Leyden 25 September 2020 at 13:05 UTC

Attacks soar as DDoS attacks against video game firms rise – Akamai

The volume of cyber-attacks targeting video game companies and players – already high – has increased further during lockdown.

Between July 2019 and June 2020, more than 3,000 of the 5,600 (or more than half) unique DDoS attacks observed by cybersecurity firm Akamai were aimed at the gaming industry.

Akamai also logged 10.6 billion web application attacks across its customers between July 2018 and June 2020, more than 152 million of which were directed towards the gaming industry.

“The significant majority were SQL injection (SQLi) attacks intended to exploit user login credentials, personal data and other information stored in the targeted server's database,” Akamai reports. “Local File Inclusion (LFI) was the other notable attack vector, which can expose player and game details that can ultimately be used for exploiting or cheating.”

Cybercriminals also targeted mobile game publishers with SQLi and LFI attacks similarly geared towards stealing usernames, passwords, and account information.


Gamers as individuals are also under a steady barrage of credential stuffing and phishing attacks.

Credential stuffing is an account takeover technique that uses specialized software to automatically feed various username-password combinations, drawn from third-party breaches, into the login pages of targeted sites.

Nearly 10 billion of the more than 100 billion credential stuffing attacks recorded by Akamai between July 2018 and June 2020 targeted the gaming sector.
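The pattern described above (one automated source trying many different accounts, mostly without success) can be picked out of login logs. The following is an added example for defenders, not code from Akamai or the original article; the log format, the function name `stuffing_suspects` and the thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, format: "<time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-09-25T13:00:01Z 203.0.113.7 alice FAIL
2020-09-25T13:00:02Z 203.0.113.7 bruno FAIL
2020-09-25T13:00:02Z 203.0.113.7 chen FAIL
2020-09-25T13:00:03Z 203.0.113.7 dana OK
2020-09-25T13:00:04Z 203.0.113.7 emeka FAIL
2020-09-25T13:00:05Z 203.0.113.7 farah FAIL
2020-09-25T13:01:10Z 198.51.100.4 bob FAIL
2020-09-25T13:01:11Z 198.51.100.4 bob FAIL
2020-09-25T13:01:12Z 198.51.100.4 bob FAIL
2020-09-25T13:01:13Z 198.51.100.4 bob FAIL
2020-09-25T13:01:14Z 198.51.100.4 bob FAIL
2020-09-25T13:02:00Z 192.0.2.10 gina FAIL
2020-09-25T13:02:20Z 192.0.2.10 gina OK
"""

def stuffing_suspects(log_text, min_users=5, max_tries_per_user=2.0, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose logins look like credential stuffing:
    many distinct usernames, few tries per username, mostly failures.
    The default thresholds are illustrative assumptions, not tuned values."""
    users = defaultdict(set)      # ip -> distinct usernames tried
    attempts = defaultdict(int)   # ip -> total login attempts
    failures = defaultdict(int)   # ip -> failed attempts
    hits = defaultdict(set)       # ip -> usernames that logged in successfully
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:       # skip blank or malformed lines
            continue
        _, ip, user, result = parts
        users[ip].add(user)
        attempts[ip] += 1
        if result == "FAIL":
            failures[ip] += 1
        else:
            hits[ip].add(user)
    suspects = {}
    for ip, tried in users.items():
        tries_per_user = attempts[ip] / len(tried)
        fail_ratio = failures[ip] / attempts[ip]
        if (len(tried) >= min_users and tries_per_user <= max_tries_per_user
                and fail_ratio >= min_fail_ratio):
            # Accounts that logged in from a flagged source are candidates for a reset.
            suspects[ip] = {"users_tried": len(tried), "fail_ratio": round(fail_ratio, 2),
                            "accounts_to_reset": sorted(hits[ip])}
    return suspects
```

On the sample, only the source that cycles through six usernames is flagged; the repeated guesses against a single account and the user who mistyped a password once are not.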

‘Relentless wave of attacks’

Akamai’s findings were published on Thursday in a report (PDF) entitled “Gaming: You Can't Solo Security”.

“The fine line between virtual fighting and real-world attacks is gone,” said Steve Ragan, Akamai security researcher and author of the company’s State of the Internet / Security report. “Criminals are launching relentless waves of attacks against games and players alike in order to compromise accounts, steal and profit from personal information and in-game assets, and gain competitive advantages.”

Chris Boyd, lead malware intelligence analyst at Malwarebytes, and a keen gamer, agreed with Akamai’s findings that account takeover and other attacks are on the rise in the gaming sector.

“Gaming accounts remain massively popular for data theft, especially when so many children have been stuck at home with a probable increase in device use and gaming purchases during the pandemic,” Boyd told The Daily Swig.

“Attacks have almost certainly risen as a result. Credential stuffing would be the go-to method for quick and easy compromise, because it’s not trivial to lock down a child’s account.”

Boyd continued: “Time-limited microtransactions in the most popular titles make it a hassle for parents to regularly authorise payments via email addresses and security protocols reserved for the child.

“As a result, some may drop security safeguards to allow for more convenient payments. This gives phishers and credential stuffers an easy way in to hijack and then sell on.”

Is pwnage part of the gaming experience?

Though many gamers have been hacked, far fewer appear to be concerned.

In an upcoming survey of gamer attitudes toward security conducted by Akamai and DreamHack (the gaming lifestyle festival), 55% of the “frequent players” group polled admitted to having had an account compromised at some point, according to a press statement by Akamai.

Among this cohort of hacking victims, only 20% professed to being “worried” or “very worried” about it.
