Online gaming is a social experience. Players enter virtual communities, team up with virtual friends, participate in online forums, and collect items that are the envy of fellow gamers. All of these activities make them prime targets for cyber criminals.
Yet, it’s no competition unless gaming providers can be as effective with security as they are with their innovative efforts to foster immersive experiences.
Criminals are constantly testing defenses and probing servers to find illicit entry into gaming services and user accounts. Web attacks targeting the gaming industry rose 340% year over year between 2019 and 2020, and credential stuffing attacks were up 224%, according to Akamai’s Gaming in a Pandemic report.
A significant challenge is that cybercriminals have their own social communities in which they share tactics and tools. In the summer of 2020, Akamai researchers observed tutorials being passed around criminal forums on topics such as automated SQL Injection (SQLi) and Local File Inclusion (LFI) attacks. SQLi accounts for 59% of attack vectors targeting gaming, and LFI for 24%.
“Mobile games and web-based games are prime targets for LFI and SQLi attacks, often because it is presumed that such platforms are not as robustly defended as their desktop and console counterparts,” the Akamai researchers have warned.
Cybercriminals play a treasure-hunting game
Rivaling the technology capabilities of a legitimate enterprise, gangs of cyberattackers go where they can find the most return on their investment. Gaming is a multibillion-dollar industry, with high stakes for providers and their gaming communities and value that takes many forms.
In the realms of gaming, criminals can target a treasure trove of personally identifiable information that may provide access to players’ credit card and bank account information. They can look for credentials such as usernames and passwords that players use to access other platforms and services, as well as lateral access to other players in a particular gaming environment.
Attackers are also on the prowl for digital tokens, such as virtual weapons, and skins that can increase the game-playing prowess or prestige of participants—all of which can be bartered and sold. Virtual currencies and game items have been used to create money laundering opportunities for criminal enterprises.
Gaming providers focus on delivering the best player experiences possible. That generally means spawning a host of microservices to scale their environments. It also expands the threat surface that gaming services providers must protect.
How to avoid getting pwned
It’s common to refer to individual gamers who are defeated as having been pwned, so they build up their knowledge and expertise to avoid that happening.
However, getting pwned is also a term used to designate unauthorized control of computer assets or user accounts. It, too, takes knowledge and expertise to avoid. That might involve an individual on the alert for account takeover (ATO) attempts, or a gaming provider trying to insulate its environment from ATO as well as intellectual property theft, cheating, and uptime threats such as distributed denial-of-service (DDoS) attacks.
Gaming companies should partner with and educate their communities, so that players understand the value inherent in their gaming accounts, keep each other informed, and can spot and report suspicious behavior.
Security and awareness are crucial. Providers need to employ password managers and multifactor authentication technology to reduce the threat of ATO efforts.
“Gaming services should utilize password managers and multifactor authentication technologies,” says Jonathan Singer, Senior Manager for the Global Games Industry at Akamai. Modern security tools using AI models can detect even unknown automated “bots” by spotting uncharacteristic user activity and attributes. “These efforts help secure sensitive customer data and prevent attacks that could bring catastrophic reputational damage,” Singer says.
As the gaming industry grows and evolves, cybercriminals will continue to target gamers and providers. It’s critical to be as immersive with security as with the player experience.
Pete Bartolik has researched and written about technology and vertical market segments for many years and has worked on many market research, writing and social media projects. He was news editor of the IT management publication, Computerworld, and a reporter for a daily newspaper.
Copyright © 2022 IDG Communications, Inc.