Gamer Credentials Now a Booming, Juicy Target for Hackers

Gamers Are Easy Prey for Credential Thieves

Credential abuse drives illicit market for in-game rare skins, special weapons and unique tools.

Credential theft targeting hardcore gamers has hit an all-time high as scams, illicit markets and account takeovers have become a booming business.

The driving force behind the uptick in gaming-related crime is a sudden spike in usage of online games, spurred by the coronavirus pandemic and social-distancing lockdowns, according to researchers.

A recent survey found that 55 percent of frequent online game players said their accounts had been compromised at some point, according to a study by Akamai and DreamHack.

“Criminals are launching relentless waves of attacks against games and players alike in order to compromise accounts, steal and profit from personal information and in-game assets, and gain competitive advantages,” said Steve Ragan, Akamai security researcher who authored the State of the Internet / Security report, released Wednesday.

According to the report, companies experienced 10.6 billion web application attacks between July 2018 and June 2020, more than 152 million of which were directed toward the gaming industry.

Impacted are not just console platform leaders such as Microsoft Xbox Live and Sony PlayStation Network, but also PC gaming platforms like Valve’s Steam, and mobile games from firms like Epic Games and its wildly popular Fortnite.

Stolen credentials are used by criminals to perpetrate a number of crimes. One popular cottage industry, easily discovered via a search for “boosting and ranking” services, illustrates how widespread the problem is, Ragan pointed out.

He said these services often use dozens of hijacked accounts that can be programmed to repeatedly lose against one opponent, who is paying a third-party service to have their game ranking artificially jacked up to elite status.

More common, Akamai said, is attackers using stolen credentials to log in to a game account and simply steal a user’s profile information, financial data and whatever valuable virtual merchandise and currency they can find. Or, criminals might use a victim’s virtual currency to buy in-game merchandise and upgrades such as rare skins, special weapons and unique tools — and then steal them.

Gaming the Gamers

Sixty-seven percent of gamers surveyed said they have experienced in-game phishing attempts. Half said they had come across hacked accounts and in-game assets being sold or traded online. Yet, 50 percent of respondents said they were not worried about their accounts being hijacked.

Gamer Credentials Becoming Booming

“Gamers are highly targeted, because they have several qualities that criminals look for. They’re engaged and active in social communities. For the most part, they have disposable income, and they tend to spend it on their gaming accounts and gaming experiences. When these factors are combined, criminals see the gaming industry as a target-rich environment,” wrote Ragan.

Akamai recorded 100 billion credential-stuffing attacks from July 2018 to June 2020. Nearly 10 billion of those attacks targeted the lucrative gaming industry, worth $159 billion in 2019, according to data cited in the report and attributed to NewZoo.

Game Strategy: Methods and Tactics  

For this report, Ragan looked at several criminal marketplace specializing in the game industry. One, he notes, included a collection of gaming databases dating back to 2019 for sale that included the credentials of users for the popular game titles Battlefield, Minecraft, Counter-Strike: Global Offensive and Witcher.

“No platform is off limits,” he told Threatpost in a phone interview. That includes mobile gaming platforms and companies like Unity Technologies and Epic Games, and their popular game titles War Robots and Fortnite.

“Criminals obtain the usernames and passwords needed for credential-stuffing from a number of places… Criminals will conduct [Structured Query Language injection (SQLi)] attacks to harvest login details,” he said.

In a related study published in July 2019, researchers at Enzoic noted  that gaming communities built on DIY platforms such as vBulletin, IPBoard, MyBB, PHPBB and PunBB are often ripe for SQL injection attacks. The sites are often running outdated software and are poorly maintained by game fans.

Hardest hit by credential-stuffing abuse is the United States, Akamai reported, followed by China and Russia.

Credential-stuffing is accomplished by hackers who take advantage of users who often reuse the same passwords across multiple online accounts. The cyberattackers use stolen passwords and user names from previous data breaches to brute-force accounts on a wide scale, and when a match is found, they can take over the victim’s account.

But phishing attacks are the preferred way that criminals target gamers directly. A typical ploy involves a criminal creating a legitimate-looking website related to a game or gaming platform, with the goal of tricking gamers into revealing their login credentials, the report states.

One common ploy uses a phishing kit displayed via a random message with a call to action, such as “Add Friend,” or an attempt to entice the recipient to buy or trade a rare game-related item on the platform. Messages prompt the target to share their credentials – which are then stolen.

The Gaming Industry’s Response?

The response to the uptick in attacks on gaming platforms is to introduce a host of security features ranging from promoting the use of password managers, introducing the option of two-factor authentication (2FA) for sign-ins and making third-party authentication apps, Akamai said.

“Microsoft, Blizzard and Steam have their own authenticator apps, but others, including Ubisoft and Nintendo, will allow you to use third-party authenticator apps like Google Authenticator. When an authenticator isn’t an option, most gaming companies, like Sony, will use two-step verification, delivering a one-time passcode to the phone via SMS,” according to the report.

The report’s author, Ragan, pointed out that the scourge of credential abuse isn’t just about protecting gaming accounts. “Some victims were targeted long before their gaming profiles were compromised. Criminals will target everything, including email and social media, and use those trusted networks and expected safe spaces as a launching pad toward other targets and new attacks,” he said.

Suggested articles