Gaming industry under siege from cyberattacks during pandemic

Cyberattacks targeting the gaming industry skyrocket, with web attacks more than tripling year-on-year in 2020

Amer Owaida, Security Writer at ESET

During the COVID-19 pandemic, the gaming industry has seen greater growth in cyberattacks than any other industry, according to content delivery network (CDN) provider Akamai. Web application attacks against gaming companies rose by 340 percent between 2019 and 2020 and by as much as 415 percent between 2018 and 2020.

“In 2020, Akamai tracked 246,064,297 web application attacks in the gaming industry, representing about 4% of the 6.3 billion attacks we tracked globally,” reads Akamai’s Gaming in a Pandemic report.

The company found that cybercriminals often took to Discord to coordinate their efforts and share best practices on various techniques like SQL Injection (SQLi), Local File Inclusion (LFI), and Cross-Site Scripting (XSS). SQLi was the most used method, accounting for 59% of attacks, while LFI attacks were responsible for almost a quarter of the attacks, and XSS attacks came in a distant third place with just 8%.

Web application attacks, however, are just the tip of the proverbial iceberg. Credential-stuffing attacks were another sore point, with the gaming industry being hit with more than 10 billion attacks over the course of 2020, a 224% increase compared to 2019. Akamai registered millions of these attacks targeting the industry each day, with a spike of 76 million attacks recorded in April, 101 million in October, and 157 million in December 2020.

Credential stuffing is an automated account-takeover attack during which bad actors use bots to hammer websites with login attempts, using stolen or leaked access credentials. Once they come across the right combination of “old” credentials and a new website, they can proceed to exploit the victims’ personal data.

These attacks became so common last year that bulk lists of login names and passwords could be bought on dark web marketplaces for prices as low as US$5 per million records. The surge in attacks could be in part blamed on poor cyber-hygiene practices such as reusing the same passwords across multiple online accounts and using easy-to-guess passwords.

“Recycling and using simple passwords make credential stuffing such a constant problem and effective tool for criminals. A successful attack against one account can compromise any other account where the same username and password combination is being used,” said Steven Ragan, a security researcher and the author of the report.

To stem the flow of credential-stuffing attacks, gamers and internet users alike would do well to start using multi-factor authentication and password managers, which significantly lower the chances of cybercriminals successfully stealing their access credentials.

Beyond web and credential-stuffing attacks, threat actors also carried out Distributed Denial-of-Service (DDoS) attacks. Although year-on-year the number of attacks fell by 20%, DDoS attacks against the gaming industry accounted for almost half of all attacks observed by Akamai in 2020.