The gaming industry experienced 152 million web app attacks and 10 billion credential stuffing attacks in the past two years

During the pandemic, a significant number of attacks targeting the gaming industry were registered. It shouldn’t be a surprise considering that the gaming industry’s userbase has spiked in popularity during this period, providing cybercriminals with more opportunities. 

As more cybersecurity incidents affected players, research was conducted to evaluate the gaming industry and shown that the extent of cybersecurity attacks on the gaming world is massive. There were 152 million web application attacks and 10 billion credential stuffing attacks over the last two years. The report called Gaming: You can’t solo security revealed that the number of attacks increased during the pandemic when online gaming was the main form of entertainment and facilitated social interaction between people. During the multiple lockdowns, many new accounts were created, and cybercriminals took advantage of the situation. With more possible targets, it was easier to employ methods like credential stuffing to compromise account details. 

What is actually worrying is that even if many gamers have been hacked, they weren’t concerned about it. The research showed that 55% of frequent gamers had their accounts compromised at some point, and only 20% of them were worried about what hackers may do with their personal info. Gamers think cybersecurity is a joint effort between the game provider and players. Gaming is an activity supposed to bring communities together, and gaming providers should focus their efforts on improving their products to protect the players from cyber-attacks. Gamers will always be a target for hackers because they engage in social activities and have a disposable income to spend on their hobbies. There’s nothing more tempting than targeting a victim with accounts on online platforms and an excellent financial situation. Cybercriminals are relentlessly attacking gamers and trying to compromise their accounts to steal their data and make a profit from selling it. 

Players and game providers need to make an effort to combat malicious activities through good internet hygiene, vigilance, and technology. The research reported that cybercriminals act on multiple levels. They use credential stuffing attacks to stole credentials, phishing attacks to attract people to fake websites related to the games they play or trick them into handing over their login details. Cybercriminals also perform web-based attacks on gaming platforms like SQL injection to obtain the login details stored on servers. They also use local file inclusion to expose people’s gaming details and use them to cheat and exploit games. 

Online gaming platforms have always been vulnerable to distributed denial of service attacks. Between July 2019 and June 2020, more than 3,000 DDoS attacks were directed at the gaming industry. The Mirai botnet is one of the main tools used to launch DDoS attacks. 

Some attacks in the gaming industry worth mentioning

Numerous incidents hit video game companies in 2020. In April, an anonymous hacker leaked the login credentials of 23 million users of Webkinz World. It looks like the cybercriminal accessed the database storing the usernames and passwords, taking advantage of an existing SQL injection flaw, and stole the credentials without the company noticing it. 

In June, Nintendo announced that 300,000 client accounts had been compromised due to a cyberattack. The hackers accessed the Nintendo Network ID accounts of people who set identical passwords for Nintendo and Nintendo Network accounts. The consequences could have been financially daunting for customers because the attackers could have purchased products at the My Nintendo store or Nintendo eShop with money from their accounts. 

A white-hat hacker organisation identified a vulnerability in Counter-Strike: Global Offensive that allows cybercriminals to take over the computing system when they click on an invite to join a game on Steam. The attackers could use Steam’s invite system to exploit the bug and snitch sensitive information from the users who click on the invite link. Read more on Techrobot about cybersecurity vulnerability. 

In February 2021, hackers fired a ransomware attack against CD Projekt, stating that they got the source code for video games like Gwent, Cyberpunk 2077, Witcher 3, and an unreleased version of Witcher 3. CD Projekt refused to pay the ransom, and the hackers listed the data together with other confidential information at auction. The last price for the data was $7 million. 

Apex Legends was plagued by a big number of DDoS attacks, and as a measure of counterattack, it started to ban users caught cheating or employing DDoS attacks. Call of Duty: Warzone and Call of Duty banned 360,000 accounts Activision, and Ubisoft banned 91,000 Rainbow Six siege accounts. One may wonder if banning these users can solve something. Some believe it’s a useless measure because the users who cheat or use DDoS can create new accounts and operate even harsher attacks on the gaming platforms. 

Respawn took legal action to solve the cyberattacks, following the example of Ubisoft that also took legal action against the users that provided DDoS attacks for hire. After taking this measure, Ubisoft registered a 93% drop in DDoS attacks. 

How can players and game providers prevent digital attacks?

Game providers leverage UDP/TCP protocols, public cloud environments, state-of-art architectures. Unfortunately, these architectures also have some flaws because even if they provide the users with a top-notch digital experience, they are challenging to secure. However, in the given context, protecting the entire gaming system from the server to the player and the gaming session is vital. The only way to protect the gaming system from targeted accounts is to extend security to personal accounts and devices. Firewalls, antivirus, VPNs, and endpoint protection can improve protection. It’s recommended game providers to implement unique passwords for clients and employees so that no one uses the same password in different places; in case of a breach, the hackers won’t be able to use the password to access other accounts. 

All aspects of the gaming environment are vulnerable to cyberattacks. Digital attacks seem to be evolving and finding new ways to launch threats upon the gaming industry. Because of the pandemic and the growth of userbase video games, digital criminals invest even more resources in targeting players and companies.